Back to news

December 17, 2018 | International, C4ISR

Audit finds cyber vulnerabilities in US missile defense system

By:

The Army, Navy and Missile Defense Agency are failing to take basic cybersecurity steps to ensure that information on America's ballistic missile defense system won't fall into nefarious hands, according to a Defense Department Inspector General audit released Friday.

Investigators visited five sites that manage ballistic missile defense elements and technical information, but the names of the commands were redacted in the publicly released report.

“The Army, Navy and MDA did not protect networks and systems that process, store, and transmit (missile defense) technical information from unauthorized access and use,” the declassified report states.

Such inadequacies “may allow U.S. adversaries to circumvent (missile defense) capabilities, leaving the United States vulnerable to missile attacks,” the report states.

They found officials failed to employ safeguards familiar to most people online in 2018, the latest development to raise questions about the U.S. military's cybersecurity vulnerabilities.

Among the shortcomings: Administrators for classified networks had no intrusion detection and prevention systems in place to watch for cyberattacks, much less stop them, according to the report.

At one site, officials said they had requested to purchase those cyber safeguards in December 2017 but nine months later it still hadn't been approved.

“Without intrusion detection and prevention capabilities, (the site) cannot detect malicious attempts to access its networks and prevent cyberattacks designed to obtain unauthorized access and exfiltrate sensitive (missile defense) technical information,” the report states.

Officials also failed to patch system flaws after receiving vulnerability alerts, one of which had first been identified in 1990 and had still not been fixed by April.

Another vulnerability that could be exploited by an attacker was first identified in 2013 but also was never pathced, according to the report.

“Countless cyber incident reports show that the overwhelming majority of incidents are preventable by implementing basic cyber hygiene and data safeguards, which include regularly patching known vulnerabilities,” the IG report states. “(Missile defense) technical information that is critical to national security could be compromised through cyberattacks that are designed to exploit these weaknesses.”

Some facilities failed to force employees to use common access cards, or CAC, when accessing the classified system, a basic cybersecurity practice known as multi-factor identification.

Instead, officials were able to access the sensitive information using just a username and password, the report states.

Hackers use phishing and other tactics to exploit passwords and gain access to such systems.

New hires are supposed to be allowed network access without a card for only their first two weeks on the job. But IG investigators found users on the systems without CAC cards for up to seven years.

At one site, a domain administrator never configured the network to allow only CAC holder access.

“Allowing users to access networks using single factor authentication increases the potential that cyber attackers could exploit passwords and gain access to sensitive (missile defense) technical information,” the report states.

Investigators also found unlocked server racks at some locations, another key vulnerability to insider snoopers.

“The insider threat risk necessitates that organizations implement controls...to reduce the risk of malicious personnel manipulating a server's ability to function as intended and compromising sensitive and classified data,” the report states.

External storage devices held unencrypted data and some sites failed to track who was accessing data, and why. Other administrators told investigators that they lacked the ability to record or monitor data downloaded from the network onto these devices.

Unless these officials enforce the encryption of such removed data and monitor its downloading and transferring, “they will be at increased risk of not protecting sensitive and classified (missile defense) technical information from malicious users,” the report states.

Investigators also found that some supposedly secure sites were failing to even lock their doors. One location had a security door that hadn't worked for years.

“Although security officials were aware of the problem, they did not take appropriate actions to prevent unauthorized personnel from gaining unauthorized access to the facility,” the report states.

Other sites featured no security cameras to monitor personnel movement and security officers failed to conduct badge checks.

While the report makes recommendations to fix the documented problems, officials for the inspected agencies offered no comments on the non-classified draft report of the audit.

Friday's scathing IG audit marked the latest in a string of reports detailing shoddy cybersecurity throughout the armed forces and defense contractors.

During the same week, the Wall St. Journal reported that Chinese hackers are targeting military systems and those of defense contractors working on Navy projects.

Beijing-linked cyber raids have attempted to steal everything from missile plans to ship-maintenance data in a series of hacks over the past 18 months, the Journal reports.

As a result, Navy Secretary Richard Spencer has ordered a “comprehensive cybersecurity review” to assess if the Navy's cyber efforts “are optimally focused, organized, and resourced to prevent serious breaches,” spokesman Capt. Greg Hicks said.

The review will also look at authorities, accountability and if the efforts reflect and incorporate government and industry best practices, he said.

“Secretary Spencer's decision to direct a review reflects the serious to which the DoN prioritizes cybersecurity in this era of renewed great power competition,” Hicks said.

https://www.navytimes.com/news/your-navy/2018/12/14/audit-finds-cyber-vulnerabilities-in-us-missile-defense-system

On the same subject

  • US may field new fighter by FY 2029

    March 8, 2021 | International, Aerospace

    US may field new fighter by FY 2029

    The United States may field a new fighter aircraft type by fiscal year (FY) 2029, according to a related contract notification posted on 4 March. An artist's impression of an NGAD concept. According to a DoD contract notification, the US mil...

  • Leidos completes acquisition of L3Harris Technologies’ Security Detection and Automation Businesses creating a comprehensive, global security and detection portfolio

    May 6, 2020 | International, C4ISR

    Leidos completes acquisition of L3Harris Technologies’ Security Detection and Automation Businesses creating a comprehensive, global security and detection portfolio

    (Reston, Va.) May 4, 2020–Leidos (NYSE:LDOS), a FORTUNE® 500 science and technology leader, today announced that it has completed the acquisition of L3Harris Technologies' (“L3Harris”) Security Detection and Automation businesses, for approximately $1 billion in cash. The transaction was previously announced on Feb. 4, 2020. The acquired businesses provide airport and critical infrastructure screening products, automated tray return systems and other industrial automation products. They will operate within the Leidos Civil Group, led by Jim Moos, Civil Group president. Combined with Leidos' existing cargo and baggage screening product lines, Leidos now goes to market with a global security detection and automation footprint of more than 24,000 systems deployed in more than 120 countries. Leidos will continue to serve global customers in the aviation, transportation, government and critical infrastructure markets. “In line with our mission of making the world safer, healthier and more efficient, this security detection and automation acquisition furthers our important work in the secure movement of people and commerce globally,” said Leidos Chairman and CEO Roger Krone. “We are excited to support critical infrastructure wherever it is needed, and to help transform the global security marketplace.” “This deal expands our scope and scale in securing ports and borders, enhancing passenger movement in airports of the future, and fortifying infrastructure for national security and public venues,” said Moos. “We are pleased to welcome more than 1,200 L3Harris employees around the world to the Leidos team, who share our deep commitment of providing our customers with a fully-integrated security technology ecosystem.” Compelling Strategic and Operational Benefits Expands Product Portfolio in High-Growth, Global Security Market: The closing of this acquisition creates a comprehensive and cohesive security detection platform by adding technologies including checkpoint CT scanners, people scanners, explosives trace detectors, checked baggage screeners, and automated tray return systems (ATRS) to Leidos' security detection portfolio. The combined solutions enhance the company's offerings in an evolving global security product market, which allows diversification beyond the federal budget and positions the company for long-term growth. Increased International Presence Diversifies Revenue: This business expands customer penetration across aviation, ports, borders, and critical infrastructure internationally and increases Leidos' international security products revenue more than six-fold. The deal brings Leidos products into 75 additional countries. Growth and Innovation Accelerated by Scale: The integration of these new businesses into a comprehensive portfolio enables Leidos to leverage its core technical strengths, in-depth biometrics capabilities, and global sales channels to rapidly develop and deliver new solutions. Technology investments across the combined portfolio will help accelerate innovation to address emerging and evolving threats and improve service efficiency for customers. Transaction Details The transaction is expected to be immediately accretive to Leidos' revenue growth, EBITDA margins, and non-GAAP diluted earnings per share upon closing. Cash consideration of approximately $1.0 billion plus related transaction costs was funded through a combination of excess cash on hand and a two-year term loan. Advisors Leidos retained Credit Suisse Securities (USA) LLC as financial advisor, and Fried, Frank, Harris, Shriver, & Jacobson LLP and DLA Piper as legal advisors in connection with the transaction. About Leidos Leidos is a Fortune 500® information technology, engineering, and science solutions and services leader working to solve the world's toughest challenges in the defense, intelligence, homeland security, civil, and health markets. The company's 37,000 employees support vital missions for government and commercial customers. Headquartered in Reston, Va., Leidos reported annual revenues of approximately $11.09 billion for the fiscal year ended January 3, 2020. For more information, visit leidos.com. Cautionary Statement Regarding Forward-Looking Statements The forward-looking statements contained in this release involve risks and uncertainties that may affect Leidos' operations, markets, products, services, prices and other factors as discussed in filings with the Securities and Exchange Commission (the “SEC”). Without limiting the foregoing, forward-looking statements often use words such as “believe,” “anticipate,” “plan,” “expect,” “estimate,” “intend,” “seek,” “project,” “target,” “goal,” “may,” “will,” “would,” “could,” “should,” “can,” “continue” and other words of similar meaning in connection with a discussion of the transaction or future operating or financial performance or events. These risks and uncertainties include, but are not limited to, economic, competitive, legal, governmental and technological factors. Accordingly, there is no assurance that the expectations of Leidos will be realized. This release also contains statements about the acquisition of the security detection and automation businesses of L3Harris that are based on assumptions currently believed to be valid but involve significant risks and uncertainties, many of which are beyond Leidos' control, which could cause Leidos' actual results to differ materially from these forward-looking statements with respect to the transaction, including, anticipated tax treatment, ability to retain key personnel, the dependency of the transaction on market conditions and the impact of a change in market conditions on the value to be received in the transaction, unforeseen liabilities, future capital expenditures, uncertainty as to the expected financial condition and economic performance of the company following the closing, including future revenues, expenses, earnings, indebtedness, losses, prospects, business strategies for the management, expansion and growth of the company following the closing, Leidos' ability to integrate the businesses successfully and to achieve anticipated synergies, the risk that disruptions from the transaction will harm Leidos' business and the impact of the COVID-19 outbreak. While the list of factors presented here is considered representative, no such list should be considered to be a complete statement of all potential risks and uncertainties. Unlisted factors may present significant additional obstacles to the realization of forward-looking statements. Consequences of material differences in results as compared with those anticipated in the forward-looking statements could include, among other things, business disruption, operational problems, financial loss, legal liability to third parties and similar risks, any of which could have a material adverse effect on Leidos' consolidated financial condition, results of operations or liquidity. For a discussion identifying additional important factors that could cause actual results to vary materially from those anticipated in the forward-looking statements, see Leidos' filings with the SEC, including “Management's Discussion and Analysis of Financial Condition and Results of Operations” and “Risk Factors” in Leidos' annual report on Form 10-K for the year ended January 3, 2020, and in its quarterly reports on Form 10-Q which are available at http://www.Leidos.com and at the SEC's web site at http://www.sec.gov. The forward-looking statements contained in this release are made only as of the date of this release and are based on the information available to Leidos as of the date of this release. Readers are cautioned not to put undue reliance on forward-looking statements. Leidos assumes no obligation to provide revisions or updates to any forward-looking statements should circumstances change, except as otherwise required by securities and other applicable laws. View source version on Leidos : https://www.leidos.com/insights/leidos-completes-acquisition-l3harris-technologies-security-detection-and-automation

  • Pratt to start receiving F-35 engine upgrade contracts in early 2024

    November 28, 2023 | International, Land

    Pratt to start receiving F-35 engine upgrade contracts in early 2024

    Pratt & Whitney also expects to finish its preliminary design for the Engine Core Upgrade in December, and face the government's review in January.

All news