December 17, 2018 | International, C4ISR

Audit finds cyber vulnerabilities in US missile defense system

The Army, Navy and Missile Defense Agency are failing to take basic cybersecurity steps to ensure that information on America's ballistic missile defense system won't fall into nefarious hands, according to a Defense Department Inspector General audit released Friday.

Investigators visited five sites that manage ballistic missile defense elements and technical information, but the names of the commands were redacted in the publicly released report.

“The Army, Navy and MDA did not protect networks and systems that process, store, and transmit (missile defense) technical information from unauthorized access and use,” the declassified report states.

Such inadequacies “may allow U.S. adversaries to circumvent (missile defense) capabilities, leaving the United States vulnerable to missile attacks,” the report states.

Investigators found that officials failed to employ safeguards familiar to most people online in 2018, the latest development to raise questions about the U.S. military's cybersecurity vulnerabilities.

Among the shortcomings: Administrators for classified networks had no intrusion detection and prevention systems in place to watch for cyberattacks, much less stop them, according to the report.

At one site, officials said they had requested to purchase those cyber safeguards in December 2017, but nine months later the request still hadn't been approved.

“Without intrusion detection and prevention capabilities, (the site) cannot detect malicious attempts to access its networks and prevent cyberattacks designed to obtain unauthorized access and exfiltrate sensitive (missile defense) technical information,” the report states.

Officials also failed to patch system flaws after receiving vulnerability alerts, one of which had first been identified in 1990 and had still not been fixed by April.

Another vulnerability that could be exploited by an attacker was first identified in 2013 but also was never patched, according to the report.

“Countless cyber incident reports show that the overwhelming majority of incidents are preventable by implementing basic cyber hygiene and data safeguards, which include regularly patching known vulnerabilities,” the IG report states. “(Missile defense) technical information that is critical to national security could be compromised through cyberattacks that are designed to exploit these weaknesses.”

Some facilities failed to force employees to use common access cards, or CAC, when accessing the classified system, a basic cybersecurity practice known as multi-factor authentication.

Instead, officials were able to access the sensitive information using just a username and password, the report states.

Hackers use phishing and other tactics to exploit passwords and gain access to such systems.

New hires are supposed to be allowed network access without a card for only their first two weeks on the job. But IG investigators found users on the systems without CAC cards for up to seven years.

At one site, a domain administrator never configured the network to allow only CAC holder access.

“Allowing users to access networks using single factor authentication increases the potential that cyber attackers could exploit passwords and gain access to sensitive (missile defense) technical information,” the report states.

Investigators also found unlocked server racks at some locations, another key vulnerability to insider snoopers.

“The insider threat risk necessitates that organizations implement controls...to reduce the risk of malicious personnel manipulating a server's ability to function as intended and compromising sensitive and classified data,” the report states.

External storage devices held unencrypted data and some sites failed to track who was accessing data, and why. Other administrators told investigators that they lacked the ability to record or monitor data downloaded from the network onto these devices.

Unless these officials enforce the encryption of such removed data and monitor its downloading and transferring, “they will be at increased risk of not protecting sensitive and classified (missile defense) technical information from malicious users,” the report states.

Investigators also found that some supposedly secure sites were failing to even lock their doors. One location had a security door that hadn't worked for years.

“Although security officials were aware of the problem, they did not take appropriate actions to prevent unauthorized personnel from gaining unauthorized access to the facility,” the report states.

Other sites featured no security cameras to monitor personnel movement and security officers failed to conduct badge checks.

While the report makes recommendations to fix the documented problems, officials for the inspected agencies offered no comments on the non-classified draft report of the audit.

Friday's scathing IG audit marked the latest in a string of reports detailing shoddy cybersecurity throughout the armed forces and defense contractors.

During the same week, the Wall St. Journal reported that Chinese hackers are targeting military systems and those of defense contractors working on Navy projects.

Beijing-linked cyber raids have attempted to steal everything from missile plans to ship-maintenance data in a series of hacks over the past 18 months, the Journal reports.

As a result, Navy Secretary Richard Spencer has ordered a “comprehensive cybersecurity review” to assess if the Navy's cyber efforts “are optimally focused, organized, and resourced to prevent serious breaches,” spokesman Capt. Greg Hicks said.

The review will also look at authorities, accountability and if the efforts reflect and incorporate government and industry best practices, he said.

“Secretary Spencer's decision to direct a review reflects the seriousness to which the DoN prioritizes cybersecurity in this era of renewed great power competition,” Hicks said.

https://www.navytimes.com/news/your-navy/2018/12/14/audit-finds-cyber-vulnerabilities-in-us-missile-defense-system
