The Department of Defense is terrible at cybersecurity. That’s the assessment of the Pentagon's Inspector General (IG), who did a deep dive into the American military’s ability to keep its cyber shit on lockdown. The results aren’t great. “As of September 30, 2018, there were 266 open cybersecurity‑related recommendations, dating as far back as 2008,” the Inspector General said in a new report.
The new report is a summary of the IG’s investigations into Pentagon cybersecurity over the previous year. It looked at 20 unclassified and four classified reports that detailed problems with cybersecurity and followed up to see if they’d been addressed. Previously, the IG had recommended the Pentagon take 159 different steps to improve security. It only took 19 of them.
Cybersecurity issues affected all branches of the military and ranged from the serious to the mundane. At a server site connected to America’s ballistic missile defense systems, inspectors “found an unlocked server rack despite a posted sign on the rack stating that the server door must remain locked at all times.”
According to the IT security officer on staff at the time, “network operations staff were troubleshooting issues with the server in the rack we found unlocked and failed to notify the [redacted] assistant security manager once they completed maintenance on the server so he could lock it.”
At the same site, officials also weren’t encrypting data transferred from computers via USB sticks and removable hard drives. “According to the security manager…[redacted] encrypted less than one percent of Controlled Unclassified Information stored on removable media.”
These bad security practices are taking place at the buildings running America’s missile defense systems. These are the people watching the skies and responsible for protecting US cities in the event of a nuclear attack from a foreign country, and they can’t be bothered to encrypt data or lock up their server racks.
If military personnel are bad, then contractors are worse. Investigators dug into the cybersecurity practices of seven contractors working for the US Missile Defense Agency and found multiple vulnerabilities. “Of the seven contractors we analyzed, we found that [five] did not always or consistently use multifactor authentication to access unclassified networks that contained [ballistic missile defense systems] technical information,” the inspectors wrote.
The contractors also failed to run their own risk assessments, encrypt USB drives and hard drives, and use strong passwords. “System administrators for [five contractors] did not configure networks and systems containing [ballistic missile defense systems] technical information to lock user sessions after 15 minutes of inactivity,” investigators found. That means anyone logging into a computer full of classified missile defense data could leave it unattended for anyone else to access. The computer would never log itself out.
America’s weapons systems also remain easy to hack with basic tools. An October report from the Government Accountability Office pointed out flaws in the Pentagon’s weapons systems that made them particularly vulnerable to cyberattacks. An IG follow-up found that Air Force officials in particular still don’t “ensure that cybersecurity was integrated into weapon systems during design. Instead, weapon systems’ cybersecurity was addressed through a set of activities and products that were not fully integrated, creating overlaps and gaps in the program cybersecurity.” The Air Force still hasn’t bothered to change its default passwords on multiple weapon systems using store-bought technology, and it isn’t following its own cybersecurity protocols when designing and launching new weapons systems.
The Pentagon’s cybersecurity problems are bad enough to affect missile defense and fancy new weapons, but they’re also hurting regular soldiers. The IG pointed out that Army medical treatment facilities are cybersecurity nightmares, where lax security procedures make patient medical records easily accessible.
According to Army regulations, passwords must be 15 characters long and contain an uppercase and a lowercase letter, a number, and a symbol. At multiple medical facilities, investigators found that administrators bent the rules to allow for simpler passwords. “In each instance, the system administrators state that they did not properly configure passwords because they considered existing network authentication controls sufficient to control access to individual systems,” inspectors said.
Like the weapon systems and ballistic missile defense contractors, Army health records were very easy to hack and poorly password-protected, and computer terminals weren’t programmed to automatically log users out.
The problems across the various branches are remarkably similar, something that investigators noted in the new report. According to the Pentagon’s watchdog, cybersecurity failures are a leadership problem. No one at the top is holding everyone else accountable.
“The largest number of weaknesses identified in this year’s summary were related to governance,” the investigators explained. “Without proper governance, the [Pentagon] cannot ensure that it effectively identifies and manages cybersecurity risk as it continues to face a growing variety of cyber threats from adversaries, such as offensive cyberspace operations used to disrupt, degrade, or destroy targeted information systems.”