The Department of Defense is terrible when it comes to cybersecurity. That’s the Pentagon’s Inspector General (IG) assessment, which dove deep into the U.S. military’s ability to keep its cyber shit locked. The results are not great. “As of September 30, 2018, there were 266 open recommendations related to cybersecurity, dating back to 2008,” the inspector general said in a new report.
The new report is a summary of the IG’s investigations into the Pentagon’s cybersecurity over the past year. He reviewed 20 unclassified reports and four classified reports that detailed cybersecurity issues and followed up to see if they had been resolved. Previously, the IG had recommended that the Pentagon take 159 different measures to improve security. It only took 19.
Cyber security issues affected all branches of the military and ranged from the most serious to the mundane. At a server site connected to US ballistic missile defense systems, inspectors “found an unlocked server rack despite a sign posted on the rack indicating that the server door must remain locked at all times.”
According to the IT security manager who was on staff at the time, “the network operations staff were fixing the issues with the server in the rack that we found unlocked and did not notify the [redacted] assistant in charge of security after the maintenance is completed on the server so that he can lock it down.
At the same site, officials also did not encrypt data transferred from computers via USB sticks and removable hard drives. “According to the security manager…[redacted] encrypted less than one percent of controlled unclassified information stored on removable media.
These bad security practices take place in buildings where US missile defense systems are located. These are the people who watch the skies and are responsible for protecting American cities in the event of a nuclear attack from a foreign country, and they can’t bother to encrypt data or lock down their server racks.
If military personnel are bad, then contractors are worse. Investigators searched the cybersecurity practices of seven contractors working for the U.S. Missile Defense Agency and found multiple vulnerabilities. “Of the seven entrepreneurs we analyzed, we found that [five] has not always or systematically used multifactor authentication to access unclassified networks containing [ballistic missile defense systems] technical information, ”the inspectors wrote.
The contractors also failed to perform their own risk assessments, encrypt USB drives and hard drives, and use strong passwords. “System administrators of [five contractors] has not configured networks and systems containing [ballistic missile defense systems] technical information to lock user sessions after 15 minutes of inactivity, ”investigators found. This means that anyone logging into a computer filled with classified missile defense data could leave it unattended for anyone to access. The computer would never go offline.
American weapons systems also remain easy to hack with basic tools. An October report from the Government Accountability Office pointed to flaws in the Pentagon’s weapon systems that made them particularly vulnerable to cyber attacks. An IG follow-up found that Air Force officials, in particular, “still don’t ensure that cybersecurity has been built into weapon systems during design.” Instead, the cybersecurity of weapons systems was addressed through a set of activities and products that were not fully integrated, creating overlaps and gaps in the cybersecurity of the program. The Air Force still hasn’t bothered to change its default passwords on several weapon systems using store-bought technology, and the Air Force doesn’t follow its own protocols. cybersecurity when designing and launching new weapon systems.
The Pentagon’s cybersecurity problems are serious enough to affect missile defense and sophisticated new weapons, but they also hurt regular soldiers. The IG pointed out that the military’s medical treatment facilities are cybersecurity nightmares, where lax security procedures make patient medical records easily accessible.
According to army regulations, passwords must be 15 characters long, contain an upper and lower case letter, a number and a symbol. At several medical facilities, investigators found administrators bent the rules to allow simpler passwords. “In each case, system administrators report that they did not set up passwords correctly because they considered existing network authentication controls to be sufficient to control access to individual systems,” the inspectors said.
Like weapon systems and ballistic missile defense contractors, military medical records were very easy to hack, poorly password-protected, and computer terminals were not programmed to automatically log out of personnel. users.
The issues between the different branches are remarkably similar, which investigators noted in the new report. Cybersecurity failures are a leadership issue, according to the Pentagon watchdog. No one at the top holds others to account.
“Most of the weaknesses identified in this year’s summary were related to governance,” the investigators explained. “Without good governance, the [Pentagon] cannot guarantee that it effectively identifies and manages cybersecurity risks, as it continues to face an increasing variety of cyber threats from adversaries, such as offensive operations in cyberspace used to disrupt, degrade or destroy targeted information systems.