This paper will identify, raise awareness of, and help reduce risks to NATO’s nuclear weapon systems arising from cybersecurity vulnerabilities. It aims to respond to the need for more public information on cyber risks in NATO’s nuclear mission, and to provide policy-driven research to shape and inform nuclear policy at member-state level.
Appendix III: Control Deficiencies and Vulnerabilities
In March 2018 the US Department of Defense Inspector General released a report on logical and physical access controls at Missile Defense Agency contractor locations,238 based on a performance audit conducted in March–December 2017. The publicly available report sets out some of the audit’s findings, but does not disclose the names and locations of the seven contractor facilities assessed. The report identifies a set of control deficiencies and vulnerabilities that may have security implications with the potential to affect the security and credibility of the US’s ballistic missile defence systems, on which NATO may rely for both defence and deterrence purposes.239 Below is a summary of the control deficiencies identified in the published report and their potential security implications, based on the report’s analysis:
| Control deficiencies/vulnerabilities | Potential security implications |
|---|---|
| Multifactor authentication was not consistently used | |
| System passwords were not always strong | |
| Contractors did not periodically conduct system risk assessments | |
| Network and system vulnerabilities were not consistently mitigated | |
| No oversight of third-party service provider’s network protection activities | |
| Contractor allowed users to process and store unclassified controlled technical information on personal electronic devices | |
| Removable media were not properly protected | |
| Systems did not automatically lock after inactivity or unsuccessful login attempts | |
| System access and user privileges were not consistently granted | |
| System activity reports were not properly maintained and reviewed | |