Security flaws could cripple missile defense network

DOD IG report on GMD network

The network that stitches together radars, missile launch sites and command control centers for the Missile Defense Agency (MDA) ground-based defense system has such serious security flaws that the agency and its contractor, Boeing, may not be able to prevent misuse of the system, according to a Defense Department Inspector General’s report.

The report, released late last month, said MDA and Boeing allowed the use of group passwords on the unencrypted portion of MDA’s Ground-based Midcourse Defense (GMD) communications network.

The report said that neither MDA nor Boeing officials saw the need to install a system to conduct automated log audits on unencrypted communications and monitoring systems. Even though current DOD policies require such automated network monitoring, such a requirement “was not in the contract."

The network, which was also developed to conform to more than 20-year-old DOD security policies rather than more recent guidelines, lacks a comprehensive user account management process, the report said. Neither MDA nor Boeing conducted required Information Assurance (IA) training for users before they were granted access to the network, the report stated.

Because of this poor information security, the DOD IG report said, MDA and Boeing officials “may not be able to reduce the risk and magnitude of harm resulting from misuse or unauthorized access or modification of information [on the network] and ensure the continuity of the system in the event of an interruption.”

David Wright, a senior scientist with the Union of Concerned Scientists, said he was surprised by the network flaws outlined in the report. It “sounds like the kind of stuff routinely done with this kind of network,” he said. “It’s hard to imagine they would design one without it.”

Stephen Young, an MDA analyst at UCS, said the security flaws could affect operation of the entire GMDS project. “The network is absolutely essential to GMD…without it, the system can’t work.”

President Bush directed DOD in 2002 to develop GMD to counter missile threats from countries such as North Korea as well as terrorists, and Boeing on its Web site describes the project as “the first missile defense program deployed operationally to defend the homeland against ballistic missile attacks conducted by terrorists or rogue states”

GMD consists of missile interceptors based in underground silos at Fort Greely, Alaska and Vandenberg Air Force Base, Calif., and high-powered sea- and land-based radars to track incoming missiles, a Boeing fact sheet said.

Spokesmen for MDA, Boeing and Northrop Grumman, contractor for the unencrypted portion of GCN, all declined to answer questions from Federal Computer Week on the security flaws in the GMD network. Boeing and Northrop Grumman deferred to MDA, and an MDA spokesman said his agency would not answer any press questions until it responds to the IG report on March 24.

Harris Corp., a GCN subcontractor, described the network on its Web site as “the largest synchronous optical networking ring in the world that includes more than 20,000 miles of fiber crossing 30 states and will connect all GMD sites.”

MDA budget documents describe the GCN as a fiber-optic network interconnected with military satellites. These budget documents said the GCN connects the two missile silo sites with control and communications nodes at Fort Greely and Shriever Air Force Base and the Cheyenne Mountain Operations Center, both in Colorado, as well as radars in Alaska and a test bed in Huntsville, Ala.