December 17, 2018 | International, C4ISR

Audit finds cyber vulnerabilities in US missile defense system

The Army, Navy and Missile Defense Agency are failing to take basic cybersecurity steps to ensure that information on America's ballistic missile defense system won't fall into nefarious hands, according to a Defense Department Inspector General audit released Friday.

Investigators visited five sites that manage ballistic missile defense elements and technical information, but the names of the commands were redacted in the publicly released report.

“The Army, Navy and MDA did not protect networks and systems that process, store, and transmit (missile defense) technical information from unauthorized access and use,” the declassified report states.

Such inadequacies “may allow U.S. adversaries to circumvent (missile defense) capabilities, leaving the United States vulnerable to missile attacks,” the report states.

They found officials failed to employ safeguards familiar to most people online in 2018, the latest development to raise questions about the U.S. military's cybersecurity vulnerabilities.

Among the shortcomings: Administrators for classified networks had no intrusion detection and prevention systems in place to watch for cyberattacks, much less stop them, according to the report.

At one site, officials said they had requested to purchase those cyber safeguards in December 2017 but nine months later it still hadn't been approved.

“Without intrusion detection and prevention capabilities, (the site) cannot detect malicious attempts to access its networks and prevent cyberattacks designed to obtain unauthorized access and exfiltrate sensitive (missile defense) technical information,” the report states.

Officials also failed to patch system flaws after receiving vulnerability alerts, one of which had first been identified in 1990 and had still not been fixed by April.

Another vulnerability that could be exploited by an attacker was first identified in 2013 but also was never patched, according to the report.

“Countless cyber incident reports show that the overwhelming majority of incidents are preventable by implementing basic cyber hygiene and data safeguards, which include regularly patching known vulnerabilities,” the IG report states. “(Missile defense) technical information that is critical to national security could be compromised through cyberattacks that are designed to exploit these weaknesses.”

Some facilities failed to force employees to use common access cards, or CAC, when accessing the classified system, a basic cybersecurity practice known as multi-factor authentication.

Instead, officials were able to access the sensitive information using just a username and password, the report states.

Hackers use phishing and other tactics to exploit passwords and gain access to such systems.

New hires are supposed to be allowed network access without a card for only their first two weeks on the job. But IG investigators found users on the systems without CAC cards for up to seven years.

At one site, a domain administrator never configured the network to allow only CAC holder access.

“Allowing users to access networks using single factor authentication increases the potential that cyber attackers could exploit passwords and gain access to sensitive (missile defense) technical information,” the report states.

Investigators also found unlocked server racks at some locations, another key vulnerability to insider snoopers.

“The insider threat risk necessitates that organizations implement controls...to reduce the risk of malicious personnel manipulating a server's ability to function as intended and compromising sensitive and classified data,” the report states.

External storage devices held unencrypted data and some sites failed to track who was accessing data, and why. Other administrators told investigators that they lacked the ability to record or monitor data downloaded from the network onto these devices.

Unless these officials enforce the encryption of such removed data and monitor its downloading and transferring, “they will be at increased risk of not protecting sensitive and classified (missile defense) technical information from malicious users,” the report states.

Investigators also found that some supposedly secure sites were failing to even lock their doors. One location had a security door that hadn't worked for years.

“Although security officials were aware of the problem, they did not take appropriate actions to prevent unauthorized personnel from gaining unauthorized access to the facility,” the report states.

Other sites featured no security cameras to monitor personnel movement and security officers failed to conduct badge checks.

While the report makes recommendations to fix the documented problems, officials for the inspected agencies offered no comments on the non-classified draft report of the audit.

Friday's scathing IG audit marked the latest in a string of reports detailing shoddy cybersecurity throughout the armed forces and defense contractors.

During the same week, the Wall St. Journal reported that Chinese hackers are targeting military systems and those of defense contractors working on Navy projects.

Beijing-linked cyber raids have attempted to steal everything from missile plans to ship-maintenance data in a series of hacks over the past 18 months, the Journal reports.

As a result, Navy Secretary Richard Spencer has ordered a “comprehensive cybersecurity review” to assess if the Navy's cyber efforts “are optimally focused, organized, and resourced to prevent serious breaches,” spokesman Capt. Greg Hicks said.

The review will also look at authorities, accountability and if the efforts reflect and incorporate government and industry best practices, he said.

“Secretary Spencer's decision to direct a review reflects the seriousness to which the DoN prioritizes cybersecurity in this era of renewed great power competition,” Hicks said.

https://www.navytimes.com/news/your-navy/2018/12/14/audit-finds-cyber-vulnerabilities-in-us-missile-defense-system
