Appendix III: Control Deficiencies and Vulnerabilities

Yasmin Afina

Former Research Fellow, Digital Society Initiative

Calum Inverarity

Senior Researcher, Open Data Institute

Dr Beyza Unal

Former Deputy Director, International Security Programme

This paper will identify, raise awareness of, and help reduce risks to NATO’s nuclear weapon systems arising from cybersecurity vulnerabilities. It aims to respond to the need for more public information on cyber risks in NATO’s nuclear mission, and to provide policy-driven research to shape and inform nuclear policy at member-state level.

Control deficiencies/vulnerabilities	Potential security implications
Multifactor authentication was not consistently used	Provides more opportunity for unauthorized access to internal networks (and the data/information they contain) – whether remotely or not. Eases the task of unauthorized third parties wishing to access internal networks: the lack of multifactor authentication means that they could potentially obtain access by only obtaining a personal identification information (e.g. password, which may be obtained by phishing or password spraying methods) without protection from additional layers of security (e.g. a physical token or card).
System passwords were not always strong	Eases the obtaining of passwords (e.g. through phishing methods), unauthorized access to data and the information system/network infrastructure, and data theft (and potential disclosure). A low standard of password complexity requirement may further exacerbate problems from the lack of consistency in multifactor authentication.
Contractors did not periodically conduct system risk assessments	Lack of awareness of potential existing vulnerabilities. Lack of awareness of the systems and network architecture’s survivability and resilience.
Network and system vulnerabilities were not consistently mitigated	Vulnerabilities may increasingly affect networks and potentially hardware (including new ones) the longer they remain. Absence of cybersecurity culture: fosters a passive, underestimating attitude towards cyber vulnerabilities.
No oversight of third-party service provider’s network protection activities	Existing vulnerabilities in third-party service provider’s network due to a lack of protection may be used as an entry point for malicious cyber operations. These vulnerabilities could also result in unintentional cyber disruptions due to negligence/failure of these third parties to adopt proper measures to protect the network and hardware.
Contractor allowed users to process and store unclassified controlled technical information on personal electronic devices	Potential data theft, disclosure and dissemination outside of internal/authorized networks/devices. Lack of oversight over data once stored on personal electronic devices. Personal electronic devices may not be subject to the same security standards as the contractor’s systems.
Removable media were not properly protected	Unauthorized access to computer systems and internal networks. Theft of data (including technical information/specifications of systems under the Missile Defense Agency). Intentional or unintentional dissemination of (concealed) malware in systems containing BMDS technical information, which could potentially result in the disabling and/or destruction of software and/or hardware (e.g. complete wipe-out of data, modification or destruction of a computer system’s or network’s architecture).
Systems did not automatically lock after inactivity or unsuccessful login attempts	Absence of automatic lock after inactivity may give unauthorized access to non-authorized third parties. Potential absence or inaccuracy of logs/monitoring of failed login attempts.
System access and user privileges were not consistently granted	Access to and theft of classified information, including technical information. Lack of clarity on the classification of information.
System activity reports were not properly maintained and reviewed	Inability to detect/monitor failed login attempts and possible data exfiltration attempts. Lack of traceability: may hinder investigations and solving of malfunctions/suspected malicious activities,

Control deficiencies/vulnerabilities

Potential security implications

Multifactor authentication was not consistently used

Provides more opportunity for unauthorized access to internal networks (and the data/information they contain) – whether remotely or not.
Eases the task of unauthorized third parties wishing to access internal networks: the lack of multifactor authentication means that they could potentially obtain access by only obtaining a personal identification information (e.g. password, which may be obtained by phishing or password spraying methods) without protection from additional layers of security (e.g. a physical token or card).

System passwords were not always strong

Eases the obtaining of passwords (e.g. through phishing methods), unauthorized access to data and the information system/network infrastructure, and data theft (and potential disclosure).
A low standard of password complexity requirement may further exacerbate problems from the lack of consistency in multifactor authentication.

Contractors did not periodically conduct system risk assessments

Lack of awareness of potential existing vulnerabilities.
Lack of awareness of the systems and network architecture’s survivability and resilience.

Network and system vulnerabilities were not consistently mitigated

Vulnerabilities may increasingly affect networks and potentially hardware (including new ones) the longer they remain.
Absence of cybersecurity culture: fosters a passive, underestimating attitude towards cyber vulnerabilities.

No oversight of third-party service provider’s network protection activities

Existing vulnerabilities in third-party service provider’s network due to a lack of protection may be used as an entry point for malicious cyber operations.
These vulnerabilities could also result in unintentional cyber disruptions due to negligence/failure of these third parties to adopt proper measures to protect the network and hardware.

Contractor allowed users to process and store unclassified controlled technical information on personal electronic devices

Potential data theft, disclosure and dissemination outside of internal/authorized networks/devices.
Lack of oversight over data once stored on personal electronic devices.
Personal electronic devices may not be subject to the same security standards as the contractor’s systems.

Removable media were not properly protected

Unauthorized access to computer systems and internal networks.
Theft of data (including technical information/specifications of systems under the Missile Defense Agency).
Intentional or unintentional dissemination of (concealed) malware in systems containing BMDS technical information, which could potentially result in the disabling and/or destruction of software and/or hardware (e.g. complete wipe-out of data, modification or destruction of a computer system’s or network’s architecture).

Systems did not automatically lock after inactivity or unsuccessful login attempts

Absence of automatic lock after inactivity may give unauthorized access to non-authorized third parties.
Potential absence or inaccuracy of logs/monitoring of failed login attempts.

System access and user privileges were not consistently granted

Access to and theft of classified information, including technical information.
Lack of clarity on the classification of information.

System activity reports were not properly maintained and reviewed

Inability to detect/monitor failed login attempts and possible data exfiltration attempts.
Lack of traceability: may hinder investigations and solving of malfunctions/suspected malicious activities,

238 Inspector General, U.S. Department of Defense (2018), Logical and Physical Access Controls at Missile Defense Agency Contractor Locations.

Topic themes

Defence and security

Economics and trade

Environment

Health

Institutions

Major powers

Politics and law

Society

Technology

Regions

Africa

Americas

Asia-Pacific

Europe

Middle East and North Africa

Russia and Eurasia

Publications

Become a member

About us

Ensuring Cyber Resilience in NATO’s Command, Control and Communication Systems

Yasmin Afina

Calum Inverarity

Dr Beyza Unal