Inspectors recently uncovered a disturbing trend at the United States Missile Defense Agency (MDA).
This particular branch of the Department of Defense has canceled its cyber vulnerability assessments for several years now and it just did it again.
A new report from the General Accounting Office (GAO) shows that the agency developing U.S. missile defenses continually schedules, and then cancels, vulnerability and pentesting of its missile systems.
GAO: Missile Defense Agency failed to do cybersecurity assessments
In the GAO report, there is a very telling table of cybersecurity assessments during Fiscal Year 2020. The table looks at operational cybersecurity assessments performed on systems that help protect the U.S.
The left column (below) describes the particular component of the U.S. missile defense system that was supposed to have a vulnerability and pentest assessment.
For example, the Aegis Ballistic Missile Defense system had five planned cybersecurity assessments last year (column 2). However, the MDA did none of them, so there is a '0' in the next column (column 3).
Go on down the line through things such as the Ground-based Midcourse Defense, to the Long Range Radar, and the Terminal High Altitude Defense, to discover a total of 13 planned cybersecurity assessments in 2020 without a single one being completed.
Is the U.S. Missile Defense System cyber secure? That's a good question that appears to be without an answer right now.
And this trend has been going on for years, according to the General Accounting Office report:
"Despite failing to meet annual operational cybersecurity
assessments since 2017, MDA canceled its planned fiscal year 2020
Why the MDA Agency is failing to do cyber assessments
The GAO report dives deeper into why the pentesting and cybersecurity vulnerability assessments are not being completed for so many components used by the Missile Defense Agency:
"According to MDA officials, the agency did not execute the cooperative vulnerability and adversarial assessments because MDA officials felt the information that would have been obtained from these tests was not needed, as all fiscal year 2020 Operational Capability Baseline decisions that relied on this information had already been completed."
Does this mean that detected vulnerabilities would have been ignored or disregarded because operational decisions had already been made?
Also, how did the MDA respond to this GAO report? In part, by saying it is going in a new direction when it comes to cybersecurity:
"In addition, during fiscal year 2020, the agency began restructuring its cybersecurity test planning efforts to align with its March 2019 four-phase cybersecurity test concept of operations. Moving forward, cyber tests will be planned and documented in the test baseline using the same process as flight and ground tests."
However, the GAO surmises in the report that this may be a sign of a larger cybersecurity problem at the MDA:
"The lack of testing during fiscal year 2020 coupled with persistent testing shortcomings over the last three years are representative of a broader MDA cybersecurity development issue. For instance, we reported in July 2020 that MDA conducted its largest combined cooperative cyber assessment in fiscal year 2019, as well as the first operational adversarial assessment, but failed to meet its fiscal year 2019 testing goals. We also reported that MDA failed to complete the cybersecurity testing for capabilities delivered in 2017 and 2018 and did not address deficiencies from prior year's shortfalls."
This all brings us back to our previous question: is the United States Missile Defense System cyber secure?
Without proper testing and assessments, it seems impossible to know.