The data centers used to manage the country's ballistic missile defense systems have major security weaknesses that could leave the US vulnerable to missile attacks, according to a newly declassified report from the Department of Defense.
The report, released earlier this month by the DoD's Inspector General, lists security problems ranging from unlocked doors to unpatched software vulnerabilities dating back decades. One vulnerability, for example, was first identified in 1990 and still had not been mitigated.
"Officials... did not consistently implement security controls and processes to protect BMDS technical information," the report said. That could allow enemies of the US to learn how to get around the missile defense system, "leaving the United States vulnerable to deadly missile attacks."
Marty Puranik, CEO at Atlantic.Net, a Florida-based data center and cloud provider, called the report "scary and alarming."
"Most of these failures would get someone [in the private sector] fired, or cause them to lose a contract for far less important IT services," he said. "It’s shocking that something as important as this could be so insecure – down to even basic steps of security and compliance."
"If they were a bank, they would be shut down until they fixed it," Chris Rouland, founder and CEO at Phosphorus Cybersecurity, said. "This is a sorry state of affairs for our nation's missile defense system."
The security was so poor and out of date, he said, that the officials running the data centers might not even know they were being attacked.
"They're obviously held to a lower standard than commercial organizations," Rouland said. "You see the CEOs of companies like Target and Equifax being terminated over compromises and cybersecurity issues that were less severe than these."
Missile defense systems sound like something the government would protect with the highest levels of security available, so that even the most dedicated attacker, backed by enemy governments or terrorist groups, couldn't penetrate them.
Instead, according to the audit, the security holes were big enough for anyone to walk through – sometimes literally.
In one case, a visitor entered a classified facility by pulling a door open – a door on which the lock sensors had been broken for four years. The visitor walked through the facility, without the guard at the front desk asking to see her badge. She also asked someone for directions and again was not asked to show her badge.
The auditors also found unlocked server racks and mismanaged server-rack keys.
Standard guidelines, including NIST SP 800-53 and the DoD's own Defense Information Systems Agency Network Infrastructure Security Technical Implementation Guide (STIG), require keeping network infrastructure devices in secure rooms, in locked cabinets, with tight controls over who holds the keys.
A data center manager told auditors that he didn't think he had to secure the server racks and keys because access to the entire data center was controlled.
"Data center managers must understand that physical safeguards are just as important as, if not more important than, virtual ones," Dave Weinstein, VP of threat research at Claroty, said.
Before joining Claroty this year, Weinstein worked in the public sector, including a stint at the US Cyber Command. He said he was alarmed about the degree to which the missile defense networks were vulnerable, even to unsophisticated attacks.
"The DoD's missile defense systems are not secured nearly to a level commensurate with their risk and importance to America's national security," he said.
Even when all the outside doors are locked and visitors aren’t allowed to casually wander around, it’s still risky to give all data center employees or approved visitors unrestricted access to sensitive equipment.
"Leaving the server racks unlocked and failing to control access to the keys increases the risk that insiders could compromise or exfiltrate data," the report said.
According to security experts, the problems in the five facilities audited by the Inspector General were unusual and particularly problematic given what's at stake.
Zuly Gonzalez, co-founder and CEO at Light Point Security, was particularly troubled that the auditors said the CIOs overseeing these facilities had previously been warned about the problems, didn't fix them, and didn't respond to the first draft of the security assessment report.
Several access control issues were highlighted in the report. Too many people had access to systems, and multi-factor authentication wasn't used when it should have been.
Over-provisioning of privileges is a big problem for enterprises in general, Balaji Parimi, founder and CEO at CloudKnox, a Sunnyvale, California-based security firm, said. But it should have been a particular priority for the Ballistic Missile Defense system, he said.
Oversight and security of removable media was also "extraordinarily lax," David Pearson, principal threat researcher at Awake Security, said.
According to the report, removable media wasn't always encrypted, even though encryption has been mandated for years. In one area, the auditors found that less than one percent of sensitive information labeled as "controlled unclassified" was encrypted when stored on removable media.
The problem wasn't that the data centers lacked the authentication or encryption tools. "The controls existed but were not implemented and used equally and regularly," Chris Morales, head of security analytics at Vectra Networks, said.
That happens when the security controls are tedious and cumbersome, he explained, and other data center managers should be aware of the potential problem.
Unmitigated vulnerabilities at the ballistic missile defense system data centers included some that had been the subject of US Cyber Command alerts, the report said. Such alerts are issued when a vulnerability may pose an immediate and potentially severe threat to DoD systems.
These vulnerabilities, according to the report, "if exploited by unauthorized users would likely result in privileged access to servers and information systems."
The vulnerability that could have allowed access to networks and systems that maintain BMDS technical information was first identified in 2013 and had not been addressed as of April 2018, the report said.
Not only were the vulnerabilities left unmitigated, the officials involved didn't include them in their plans of action and milestones – and could not explain to auditors why they had been left out.
The risks begin to pile up, Mark Miller, director of enterprise security support at Venafi, said. "If you are not updating and patching your systems, you open yourself up to years of previously established attacks.”
Somebody Else's Problem
One reason for the security failings could be that the people involved assumed someone else was handling security, or that precautions weren't needed because the networks were classified and air-gapped.
"I have seen this before in the military on classified networks," Gary Hayslip, CISO at Webroot, a Colorado-based cybersecurity company, said. "Management assumes that classified networks are already protected, so they don’t need funds – that culture drove me crazy, because I could not get them to see the risks."
Just because a system is isolated from the internet doesn't mean it's secure from attack. The same report flagged unencrypted removable media, unlocked server racks and uncontrolled keys, and each of those is a path onto an air-gapped network – via an insider or a careless user – that never touches the internet at all.
Airing Dirty Laundry?
Several security experts were shocked to see this report declassified, even with many of the specifics redacted.
"It is an eye-opening public display of security flaws within our government," Morey Haber, CTO at BeyondTrust, said. "I find it highly unusual for this style of report to be made public.
"The report … targets government leadership for lax controls and serves as a warning for other departments to get their act together," he said.