December 17, 2018 | International, C4ISR
The Army, Navy and Missile Defense Agency are failing to take basic cybersecurity steps to ensure that information on America's ballistic missile defense system won't fall into nefarious hands, according to a Defense Department Inspector General audit released Friday.
Investigators visited five sites that manage ballistic missile defense elements and technical information, but the names of the commands were redacted in the publicly released report.
“The Army, Navy and MDA did not protect networks and systems that process, store, and transmit (missile defense) technical information from unauthorized access and use,” the declassified report states.
Such inadequacies “may allow U.S. adversaries to circumvent (missile defense) capabilities, leaving the United States vulnerable to missile attacks,” the report states.
They found officials failed to employ safeguards familiar to most people online in 2018, the latest development to raise questions about the U.S. military's cybersecurity vulnerabilities.
Among the shortcomings: Administrators for classified networks had no intrusion detection and prevention systems in place to watch for cyberattacks, much less stop them, according to the report.
At one site, officials said they had requested to purchase those cyber safeguards in December 2017 but nine months later it still hadn't been approved.
“Without intrusion detection and prevention capabilities, (the site) cannot detect malicious attempts to access its networks and prevent cyberattacks designed to obtain unauthorized access and exfiltrate sensitive (missile defense) technical information,” the report states.
Officials also failed to patch system flaws after receiving vulnerability alerts, one of which had first been identified in 1990 and had still not been fixed by April.
Another vulnerability that could be exploited by an attacker was first identified in 2013 but also was never pathced, according to the report.
“Countless cyber incident reports show that the overwhelming majority of incidents are preventable by implementing basic cyber hygiene and data safeguards, which include regularly patching known vulnerabilities,” the IG report states. “(Missile defense) technical information that is critical to national security could be compromised through cyberattacks that are designed to exploit these weaknesses.”
Some facilities failed to force employees to use common access cards, or CAC, when accessing the classified system, a basic cybersecurity practice known as multi-factor identification.
Instead, officials were able to access the sensitive information using just a username and password, the report states.
Hackers use phishing and other tactics to exploit passwords and gain access to such systems.
New hires are supposed to be allowed network access without a card for only their first two weeks on the job. But IG investigators found users on the systems without CAC cards for up to seven years.
At one site, a domain administrator never configured the network to allow only CAC holder access.
“Allowing users to access networks using single factor authentication increases the potential that cyber attackers could exploit passwords and gain access to sensitive (missile defense) technical information,” the report states.
Investigators also found unlocked server racks at some locations, another key vulnerability to insider snoopers.
“The insider threat risk necessitates that organizations implement controls...to reduce the risk of malicious personnel manipulating a server's ability to function as intended and compromising sensitive and classified data,” the report states.
External storage devices held unencrypted data and some sites failed to track who was accessing data, and why. Other administrators told investigators that they lacked the ability to record or monitor data downloaded from the network onto these devices.
Unless these officials enforce the encryption of such removed data and monitor its downloading and transferring, “they will be at increased risk of not protecting sensitive and classified (missile defense) technical information from malicious users,” the report states.
Investigators also found that some supposedly secure sites were failing to even lock their doors. One location had a security door that hadn't worked for years.
“Although security officials were aware of the problem, they did not take appropriate actions to prevent unauthorized personnel from gaining unauthorized access to the facility,” the report states.
Other sites featured no security cameras to monitor personnel movement and security officers failed to conduct badge checks.
While the report makes recommendations to fix the documented problems, officials for the inspected agencies offered no comments on the non-classified draft report of the audit.
Friday's scathing IG audit marked the latest in a string of reports detailing shoddy cybersecurity throughout the armed forces and defense contractors.
During the same week, the Wall St. Journal reported that Chinese hackers are targeting military systems and those of defense contractors working on Navy projects.
Beijing-linked cyber raids have attempted to steal everything from missile plans to ship-maintenance data in a series of hacks over the past 18 months, the Journal reports.
As a result, Navy Secretary Richard Spencer has ordered a “comprehensive cybersecurity review” to assess if the Navy's cyber efforts “are optimally focused, organized, and resourced to prevent serious breaches,” spokesman Capt. Greg Hicks said.
The review will also look at authorities, accountability and if the efforts reflect and incorporate government and industry best practices, he said.
“Secretary Spencer's decision to direct a review reflects the serious to which the DoN prioritizes cybersecurity in this era of renewed great power competition,” Hicks said.
September 19, 2024 | International, C4ISR, Security
Chinese engineer indicted in U.S. for multi-year spear-phishing campaign targeting NASA, military, and universities.
December 14, 2018 | International, Land, C4ISR
Ashley Roque, Washington, DC - Jane's Defence Weekly Once again the US army is looking for new active protection systems (APSs) to equip on its family of M2 Bradley infantry fighting vehicles. Whether this is a positive or negative for IMI Systems' Iron Fist remains unclear. On 11 December, the service issued a draft request for proposal in the form of a "market survey" for APSs with a technology readiness level (TRL) 6. "This APS shall have been proven and characterised on the Bradley Family of Vehicles [FOV]," the service wrote in a short notice. "This will be accomplished through the procurement of a B-Kit, consisting of the system and countermeasures." Industry has until 18 December to respond. Recently, the service has been evaluating three APSs: Rafael's Trophy on the Abrams main battle tank (MBT), IMI Systems' Iron Fist on the M2 Bradley, and Artis' Iron Curtain on the Stryker infantry combat vehicle. In June Leonardo DRS (Rafael's US-based partner) was awarded USD193 million to integrate the capability on Abrams MBTs. Artis' Iron Curtain system, however, was cut due to a lack of maturity. IMI Systems' Iron Fist is now uncertain, and the company and an army spokeswoman did not immediately respond to Jane's request for information. Colonel Glenn Dean, project manager for Stryker Brigade Combat Team and APS acquisition, told reporters in August that IMI's Iron Fist technology was still participating in Phase I live-fire and automotive characterisation testing due to an eight-month delay caused by funding gaps, inclement weather, and integration challenges. At the time, he noted that the findings would be turned over to the Army Requirements Oversight Council in the first quarter of fiscal year 2019 for a decision on how to proceed. He also explained that the M2 Bradley is a "very difficult platform to install on". https://www.janes.com/article/85180/us-army-seeking-aps-technology-for-bradley-vehicles
September 20, 2019 | International, Naval
September 18, 2019 - BAE Systems has received $170.7 million in contracts from the U.S. Navy to perform simultaneous maintenance and repair on two Arleigh Burke-class (DDG 51) guided-missile destroyers in its San Diego shipyard. Under the awarded contracts, the shipyard will tandem dry-dock the USS Stethem (DDG 63) and USS Decatur (DDG 73) in October. The synchronized two-ship docking will be a first for the company's newest dry-dock in San Diego. The contracts include options that, if exercised, would bring the cumulative value to $185 million. “The ability to simultaneously dock two DDGs is a special capability that BAE Systems brings to our Navy customer and comes at a critical time when additional throughput is necessary to meet surface combatant demands and modernization requirements,” said David M. Thomas Jr., vice president and general manager of BAE Systems San Diego Ship Repair. “Beyond the remarkable nature of this tandem docking, it will be business as usual for our shipyard team and partners given our significant experience working with the Arleigh Burke class.” Positioned end to end, the USS Stethem and USS Decatur will be lifted together inside BAE Systems' “Pride of California” dry-dock. Installed in 2017, the Pride of California is 950 feet long, 160 feet wide and has a lifting capacity of 55,000 tons – making it the largest floating dry-dock in San Diego. The destroyers each displace about 9,000 tons and are expected to be re-floated in April 2020. The USS Stethem is the 13th ship of the Arleigh Burke class, which is the Navy's largest class of surface warfare combatants. Named for Master Chief Constructionman Robert Stethem, the 505-foot-long ship was commissioned in October 1995. BAE Systems will perform hull, mechanical and engineering repairs aboard the ship. Once back in the water, the Stethem's Extended Docking Selected Restricted Availability (EDSRA) is expected to be completed in October 2020. The USS Decatur is the 23rd ship of the Arleigh Burke class. Named for the early 19th Century Naval hero Stephen Decatur Jr., the ship was commissioned in August 1998. BAE Systems will perform much of the same upgrade work aboard the 505-foot-long Decatur as it will perform on-board the Stethem. After undocking, the Decatur's EDSRA work is expected to continue into October 2020. BAE Systems' San Diego shipyard currently employs about 1,300 people and hundreds of temporary workers and subcontractors nearby the San Diego-Coronado Bridge. BAE Systems is a leading provider of ship repair, maintenance, modernization, conversion, and overhaul services for the Navy, other government agencies, and select commercial customers. The company operates four full-service shipyards in California, Florida, Hawaii, and Virginia, and offers a highly skilled, experienced workforce, six dry docks, two railways, and significant pier space and ship support services. https://www.baesystems.com/en/article/bae-systems-san-diego-shipyard-to-tandem-dry-dock-two-destroyers