Missile defense network open to cyberattack

Lack of automated log audits and individual passwords could cripple network

DOD IG report on GMD Network Security Flaws

The network that links radar systems, missile sites and command centers for the Missile Defense Agency’s (MDA) ground-based defense system has serious flaws in the security technologies, policies and procedures needed to protect the integrity, availability and confidentiality of information on the network, according to a Defense Department inspector general report.

The report, released last month, states that MDA and Boeing, the prime contractor for the Ground-based Midcourse Defense (GMD) system and the GMD Communications Network (GCN) have allowed the use of group passwords on the unencrypted portion of the GCN rather than requiring individual passwords. Neither MDA nor Boeing officials saw the need to install a system to conduct automated log audits on the unencrypted communications network under development by Northrop Grumman because such a requirement “was not in the contract,” according to the report. However, current DOD policies require such automated network monitoring.

The network was developed to conform to DOD security policies that are more than 20 years old rather than recent guidelines and lacks a comprehensive process for managing user accounts, the report states. The DOD IG said unidentified contractor officials said it would have been too costly to adhere to more current and stringent DOD security rules for the network because it has been in development for five years.

MDA and Boeing also did not verify until July 2005 — a full year after the network became operational — that users had the requisite security clearances to access the network. In addition, the systems administrator responsible for GCN accounts was allowed to create his own account that granted him special access to the network, the report states.

The network also lacks a backup contingency plan because GMD officials believe built-in redundancy would mitigate most interruptions, the DOD IG said.

Due to those poor polices and procedures, the DOD IG report states that MDA and Boeing officials “may not be able to reduce the risk and magnitude of harm resulting from misuse or unauthorized access or modification of information [on the network] and ensure the continuity of the system in the event of an interruption.”

Philip Coyle, a senior adviser at the Center for Defense Information, said the poor security for the GCN shows a lack of discipline at MDA, which he said resulted from a top-level decision by DOD in 2002 to allow the agency to operate outside the strictures of the normal acquisition environment. Coyle was assistant secretary of Defense and director for operational test and evaluation from 1994 to 2001.

Because President Bush pushed development of GMD to defend the nation from missile attacks from Asia or the Middle East, Coyle said he found it difficult to understand why MDA would not take the steps required to defend the GMD network. Coyle said the costs of network security are trivial compared with the billions of dollars needed to develop the system.

It makes no sense, Coyle added, to base development of GCN security on 20-year-old security guidelines instead of current ones.

David Wright, a senior scientist with the Union of Concerned Scientists (UCS), said that he was surprised by network flaws outlined in the DOD IG report such as audit trails and individual passwords. “Sounds like the kind of stuff routinely done with this kind of network. It’s hard to imagine they would design one without it,” he said.

Stephen Young, an MDA analyst at UCS, said the security flaws could affect operation of the entire GMD project. “The network is absolutely essential to GMD.… Without it, the system can’t work,” he said.

Although hesitant to discuss the security of a network without fully understanding its architecture, Bruce Schneier, chief technology officer at Counterpane Internet Security, said an automated audit trail system was vital to detect threats from insiders and attacks by outside hackers.

Spokesmen for MDA, Boeing and Northrop Grumman declined to answer questions from Federal Computer Week. An MDA spokesman said his agency would not answer any press questions until it responds to the IG on March 24.

Boeing also did not respond to a request by FCW to provide an architectural description of the GCN. But Harris Corp., a GCN subcontractor, described the network on its Web site as “the largest synchronous optical networking ring in the world” and states that it “includes more than 20,000 miles of fiber crossing 30 states and will connect all GMD sites.”

MDA budget documents describe the GCN as a fiber-optic network interconnected with military satellites. Those budget documents state that the GCN connects the two missile silo sites to control and communications nodes at Fort Greeley and Schriever Air Force Base and the Cheyenne Mountain Operations Center, both in Colorado, as well as radar systems in Alaska and a test bed in Huntsville, Alabama.


**********

Software glitches could hamper radar defense

Software problems have plagued the high-tech “eyes” of the Ground-based Midcourse Defense system, according to a Government Accountability Office report released last week.

Auditors were referring to X-band radar installed at Beale Air Force Base, Calif., and Shemya Island in the Aleutian Islands chain.

Software deficiencies in the Beale radar could degrade its performance, but military officials said they consider the system ready to perform basic missile defense even if placed on alert before the software problems are resolved.

— Bob Brewin

The Fed 100

Save the date for 28th annual Federal 100 Awards Gala.

Featured

  • computer network

    How Einstein changes the way government does business

    The Department of Commerce is revising its confidentiality agreement for statistical data survey respondents to reflect the fact that the Department of Homeland Security could see some of that data if it is captured by the Einstein system.

  • Defense Secretary Jim Mattis. Army photo by Monica King. Jan. 26, 2017.

    Mattis mulls consolidation in IT, cyber

    In a Feb. 17 memo, Defense Secretary Jim Mattis told senior leadership to establish teams to look for duplication across the armed services in business operations, including in IT and cybersecurity.

  • Image from Shutterstock.com

    DHS vague on rules for election aid, say states

    State election officials had more questions than answers after a Department of Homeland Security presentation on the designation of election systems as critical U.S. infrastructure.

  • Org Chart Stock Art - Shutterstock

    How the hiring freeze targets millennials

    The government desperately needs younger talent to replace an aging workforce, and experts say that a freeze on hiring doesn't help.

  • Shutterstock image: healthcare digital interface.

    VA moves ahead with homegrown scheduling IT

    The Department of Veterans Affairs will test an internally developed scheduling module at primary care sites nationwide to see if it's ready to service the entire agency.

  • Shutterstock images (honglouwawa & 0beron): Bitcoin image overlay replaced with a dollar sign on a hardware circuit.

    MGT Act poised for a comeback

    After missing in the last Congress, drafters of a bill to encourage cloud adoption are looking for a new plan.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group