The U.S. Department of Defense Inspector General (DOD IG) released a rather terrifying report on Friday. It outlined some major cybersecurity flaws in U.S. ballistic missile systems. An article from ZDNet explained that the DOD IG found “no data encryption, no antivirus programs, no multifactor authentication mechanisms, and 28-year-old unpatched vulnerabilities,” amongst other issues.
DOD IG inspectors found that IT administrators at three of the five locations they visited had failed to apply security patches, leaving computers and adjacent network systems vulnerable to remote or local attacks. Investigators found that systems were not patched for vulnerabilities discovered and fixed in 2016, 2013, and even going as far as back as 1990. The DOD IG report is heavily redacted in this particular section, suggesting that MDA administrators are still patching these flaws.
Check It Out: Cybersecurity for U.S. Ballistic Missile Systems is Worryingly Bad
ZDNet:
“The lack of a multifactor authentication means that employees are vulnerable to phishing attacks that could collect their passwords and allow attackers remote or on-premise access to BMDS systems without further security challenges… ”
This added to ‘no data encryption, no antivirus programs, no multifactor authentication mechanisms, 28 year old unpatched vulnerabilities’, to which we add, ‘No intrusion detection system’ and ‘woeful physical security controls’ for a ballistic missile defence system of the world’s most powerful military.
What could possibly go wrong?