Missing from the 2019 Missile Defense Review: Cybersecurity

The 2019 Missile Defense Review promises to create US “missile defense programs to counter the expanding missile threats posed by rogue states and revisionist powers to us, our allies, and partners, including ballistic and cruise missiles, and hypersonic vehicles.” It expands the role of current defense systems that defend against global threats, while pursuing unproven technology. But one important criterion for US missile defenses is entirely absent from the Missile Defense Review: cybersecurity.

The protection of critical computer systems, networks, and data can be achieved through both technical and social means. Good cybersecurity includes robust computer software and hardware, prudent engineering standards, and vigilant cyber hygiene—the procedures and practices required of network users to keep information and data on the network secure. Sometimes people assume that the security of a network is based entirely on the way it has been constructed; however, it is also important to consider how individuals interact with the network when assessing its security. Best practices usually include regularly installing system updates, using multi-factor authentication, enforcing compartmentalized [“need to know”] user permissions, establishing strong password rules and multi-authorization procedures, ensuring that firewalls are properly installed, updating both “white lists” and “black lists,” and not connecting unknown data storage devices—such as CDs and thumb drives—to a network.

These activities may sound mundane, but poor cyber hygiene has compromised many secure networks, including some classified US military networks, In 2008, the National Security Administration detected a rapidly-spreading computer virus on computers inside the Pentagon. William Lynn, who was the Deputy Defense Secretary at the time, wrote in Foreign Affairs that the virus was inserted “when an infected flash drive was inserted into a US military laptop at a base in the Middle East.” This lapse in cyber hygiene took the US Defense Department 14 months to fix.

After this incident, one would expect cybersecurity to be at the top of the list of concerns of the 2019 Missile Defense Review. But in fact, the review does not discuss how to address cyber vulnerabilities in existing missile defense systems, or how to prevent cyberattacks from occurring in these systems in the future.

By ignoring cybersecurity concerns, the Trump administration’s plans will contribute to the problems that currently plague US missile defense systems: Such systems are often overpromised, overbudget, and behind schedule. The history of missile defense systems accidents shows that these systems are often rushed into the field before errors in their software and hardware have been fixed. And subsequent poor cyber hygiene in US missile defense systems leaves them increasingly vulnerable to cyberattack. In other words, expanding US missile defense systems while ignoring cybersecurity will likely lead to increased—not decreased—security concerns.

Software problems in US missile defense. Even in the absence of cyberattacks, software problems exist within US missile defense systems. In 2003, the Patriot missile defense system, employed to defend against missiles during the Iraq War, was responsible for the death of three airmen in three separate friendly-fire incidents. The first incident involved a Patriot missile mistakenly targeting and destroying a British Tornado fighter plane. Its two crew members were killed instantly. In the second incident, a US F-16 fighter plane fired on a Patriot missile system after it erroneously targeted his aircraft. The third fatality occurred when a Patriot system shot down a US F/A-18 fighter plane, killing the pilot.

The summary of the ensuing official fact-finding report identified some of the problems that led to these incidents. Chief among them: the Patriot missile system had trouble distinguishing between friendly and enemy aircraft, a defect which had been previously observed in training exercises.

Documentation from operational tests of the Patriot missile system around the same time as the accident revealed a history of false identifications. Records from as late as 2001—a mere two years before the system was used in combat during the Second Persian Gulf War—described problems with target identification in the missile defense system. In 2002, the same researchers recommended more operational testing, even while noting the army’s immediate need for hundreds more missiles for the already-deployed Patriot systems.

Evidently these priorities—making the system available quickly, and building a system that is safe to operate—were in conflict for the Patriot missile defense system. As later accidents revealed, availability was prioritized over safety, and systems were sent into the field with significant software and hardware problems.

Current systems within missile defense, such as their command and control networks, continue to be deployed with significant known vulnerabilities, according to a 2018 Government Accounting Office (GAO) report. (Command and control networks link decision makers, sensors, and weapons systems; they enable the planning, management, and operations of various missile defense systems.)

According to the report, many of the computers used to coordinate missile defense operations use Windows XP, an outdated and vulnerable operating system for which Microsoft no longer releases updates. (It was originally launched in 2001, an eternity in the world of computing, where six months is considered an entire generation.) Computers running outdated operating systems have provided easy targets for hackers. For example, the WannaCry ransomware attack in May 2017 specifically targeted computers running unpatched Microsoft operating systems. The United Kingdom’s National Health Service was among the hardest hit; a report published contemporaneously criticized the organization’s continued reliance on Windows XP.

While the US Missile Defense Agency (the organization responsible for overseeing all of the US’ missile defense system) says that no cyberattacks have been detected as of 2017, vulnerabilities in the operating system have been exploited by the opposing team in internal cybersecurity exercises. The agency acknowledges that if “known deficiencies are exploited, mission capabilities like [missile defense] planning, radar control, track reporting, and situational awareness may be significantly degraded.”

The same GAO report says that these cyber vulnerabilities will be fixed in the next planned upgrade of the command and control infrastructure, which is scheduled to occur in all global command centers by sometime in 2019. The GAO notes, however, that the updated version faces technical challenges and cost increases which could lead to delays in scheduled deliveries. Fixing the cybersecurity issues before this planned upgrade has been deemed “cost prohibitive,” although the Missile Defense Agency had not specified the exact amount to the GAO at the time of the report.

In the 2019 Missile Defense Review, software is mentioned only once, and then merely as a way to add new capabilities to existing missile defense systems, such as countering hypersonic missiles.

Poor cyber hygiene in US missile defense. But bad as they are, the problems with faulty software and poor hardware in missile defense technology pale in comparison with the larger systemic problems within the missile defense development program. A report by the Defense Department’s Inspector General, released in late 2018, found that many of the facilities that support US missile defense systems lacked basic cyber hygiene practices, proper security controls, and rudimentary data safeguards. These “exploitable weaknesses” could allow “US adversaries to circumvent [ballistic missile defense system] capabilities, leaving the United States vulnerable to deadly missile attacks.”

The heavily redacted report described many of the unacceptable security practices at facilities that handle ballistic missile defense system data. Vulnerabilities that required immediate patches were left unaddressed for years, even after multiple warnings by cybersecurity teams. Two-factor authentication was not enforced, which could have led to unauthorized access to technical information about missile defense systems stored on classified networks. Unencrypted technical data was transmitted on missile defense system networks and stored on removable media storage devices. Finally, missile defense networks were not monitored for intruders or suspicious behavior—which should have been a part of standard operating procedures. Technology that monitors user behavior can help defend against threats from both outside (such as cyberattacks) and inside (such as the leaking of classified information by employees).

Six principles. All of these problems can harm the security of missile defense systems. Computer science experts know this, and so to create a secure computing system, they recommend following six principles: availability, reliability, safety, integrity, confidentiality, and maintainability.

Unfortunately, it appears that missile defense systems still struggle to achieve these principles. According to the authors of the 2018 redacted Inspector General’s report, the unacceptable cybersecurity controls outlined above may have “disclose[d] critical details that compromise the integrity, confidentiality, and availability of [missile defense system] technical information.” As the accidents mentioned earlier demonstrate, critical safety concerns have occurred as a result of faulty software. The fact that these errors were left in place in deployed systems without being addressed calls into question the trustworthiness of the entire enterprise. Remarkably, the 2019 Missile Defense Review does not address any of these issues.

Complaints about the cost and feasibility of US ballistic missile defense systems have been around for decades. Currently fielded systems, such as the ground-based midcourse system, have been described as “expensive and unreliable.” But rather than fixing them and learning from mistakes in the already deployed systems, the United States government has been focused on proposing entirely new systems, such as space-based missile interceptors.

The tendency of missile defense systems to run behind schedule and over budget also has an impact upon their cybersecurity. These factors have led to missile defense systems being fielded before their mission-critical cyber vulnerabilities were fixed. The pressures created by these tendencies can also limit the time and money used to patch debilitating cyber vulnerabilities in systems that are currently in use.

Ignoring cybersecurity in both missile defense technology and the 2019 Missile Defense Review is a grave mistake. By not addressing existing concerns, it is hard to see how such defenses can provide dependable security for the United States. Instead of delivering on its promises, the 2019 Missile Defense Review is more likely to increase vulnerabilities within US missile defense systems. Faulty cybersecurity is yet another reason why dependable missile defense systems struggle to become a reality.