Poor cybersecurity leaves U.S. open to missile attacks, Pentagon watchdog says

Breaking News Emails

Get breaking news alerts and special reports. The news and stories that matter, delivered weekday mornings.

By Alex Johnson

Cybersecurity lapses as basic as neglecting to encrypt classified flash drives and failing to put physical locks on critical computer servers leave the United States vulnerable to deadly missile attacks, the Defense Department’s internal watchdog says in a new report.

The report, dated Dec. 10 but not made public until Friday, sums up eight months of investigation of the nation’s ballistic missile defense system by the Pentagon’s Office of Inspector General, or IG.

The audit examined five of the 104 Defense Department facilities that manage ballistic missile defense systems and technical information.

The facilities aren’t identified in the heavily redacted 44-page report. But the report makes numerous specific references to programs involving the Army, the Navy and the Missile Defense Agency.

“The Army, Navy and MDA did not protect networks and systems that process, store and transmit [ballistic missile defense] technical information from unauthorized access and use,” the declassified report concludes.

The shortcomings could lead to the disclosure of “critical details that compromise the integrity, confidentiality and availability of [ballistic missile defense] technical information,” it says. Twice, it warns that such disclosure “could allow U.S. adversaries to circumvent [ballistic missile defense] capabilities, leaving the United States vulnerable to deadly missile attacks.”

The audit found failures in at least three of the seven security factors under review at all five facilities.

Perhaps most troubling, the audit found that network administrators at three of the five facilities didn’t stay on top of known vulnerabilities on classified networks, even those that were flagged as immediately and potentially severe by U.S. Cyber Command.

One vulnerability flagged as critical as long ago as 1990 still hadn’t been addressed by the time the IG’s office reviewed it in April, according to the audit. The potential consequences of exploiting that vulnerability are redacted in the report.

Some of the facilities fell short in implementing extremely basic cybersecurity measures, like installing security cameras to monitor who goes in and out of facilities that maintain ballistic missile defense information, or making sure that access to computer servers distributing classified information was restricted only to people who had an approved reason and clearance to work with them, according to the audit.

In some cases, there weren’t even locks on the doors to the rooms housing the servers, it found. In others, the server rooms may have been locked — but the keys to the locks were kept in unlocked filing cabinets. The data center manager at one of the facilities told investigators that he didn’t know server racks and keys were supposed to be secured, the report said.

Investigators also found that employees and contractors were allowed to take classified data with them on removable media like thumb drives without proper authorization. That’s how Edward Snowden, then a contractor for the National Security Agency, is believed to have stolen thousands of extraordinarily sensitive government secrets in 2013.


We're not around right now. But you can send us an email and we'll get back to you, asap.


Log in with your credentials

Forgot your details?