[ISN] Security flaws could cripple missile defense network

From: InfoSec News (isn@private)
Date: Fri Mar 17 2006 - 00:35:26 PST


http://www.fcw.com/article92640-03-16-06-Web

By Bob Brewin
Mar. 16, 2006 

The network that stitches together radars, missile launch sites and
command control centers for the Missile Defense Agency (MDA)  
ground-based defense system has such serious security flaws that the
agency and its contractor, Boeing, may not be able to prevent misuse
of the system, according to a Defense Department Inspector General's
report.

The report [1], released late last month, said MDA and Boeing allowed
the use of group passwords on the unencrypted portion of MDA's
Ground-based Midcourse Defense (GMD) communications network.

The report said that neither MDA nor Boeing officials saw the need to
install a system to conduct automated log audits on unencrypted
communications and monitoring systems. Even though current DOD
policies require such automated network monitoring, such a requirement
"was not in the contract."

The network, which was also developed to conform to more than
20-year-old DOD security policies rather than more recent guidelines,
lacks a comprehensive user account management process, the report
said. Neither MDA nor Boeing conducted required Information Assurance
(IA) training for users before they were granted access to the
network, the report stated.

Because of this poor information security, the DOD IG report said, MDA
and Boeing officials "may not be able to reduce the risk and magnitude
of harm resulting from misuse or unauthorized access or modification
of information [on the network] and ensure the continuity of the
system in the event of an interruption."

David Wright, a senior scientist with the Union of Concerned
Scientists, said he was surprised by the network flaws outlined in the
report. It "sounds like the kind of stuff routinely done with this
kind of network," he said. "It's hard to imagine they would design one
without it."

Stephen Young, an MDA analyst at UCS, said the security flaws could
affect operation of the entire GMDS project. "The network is
absolutely essential to GMD…without it, the system can't work."

President Bush directed DOD in 2002 to develop GMD to counter missile
threats from countries such as North Korea as well as terrorists, and
Boeing on its Web site describes the project as "the first missile
defense program deployed operationally to defend the homeland against
ballistic missile attacks conducted by terrorists or rogue states"

GMD consists of missile interceptors based in underground silos at
Fort Greely, Alaska and Vandenberg Air Force Base, Calif., and
high-powered sea- and land-based radars to track incoming missiles, a
Boeing fact sheet said.

Spokesmen for MDA, Boeing and Northrop Grumman, contractor for the
unencrypted portion of GCN, all declined to answer questions from
Federal Computer Week on the security flaws in the GMD network. Boeing
and Northrop Grumman deferred to MDA, and an MDA spokesman said his
agency would not answer any press questions until it responds to the
IG report on March 24.

Harris Corp., a GCN subcontractor, described the network on its Web
site as "the largest synchronous optical networking ring in the world
that includes more than 20,000 miles of fiber crossing 30 states and
will connect all GMD sites."

MDA budget documents describe the GCN as a fiber-optic network
interconnected with military satellites. These budget documents said
the GCN connects the two missile silo sites with control and
communications nodes at Fort Greely and Shriever Air Force Base and
the Cheyenne Mountain Operations Center, both in Colorado, as well as
radars in Alaska and a test bed in Huntsville, Ala.

[1] http://www.dodig.mil/audit/reports/FY06/06-053.pdf



_________________________________
InfoSec News v2.0 - Coming Soon! 
http://www.infosecnews.org 



This archive was generated by hypermail 2.1.3 : Fri Mar 17 2006 - 01:03:07 PST