Apparently, many users/employees who have access to the BMDS' network in three of the five locations haven't even switched on multi-factor. Instead, they continue to use only their access cards and passwords for entry. And that's probably not secure enough, since, you know, the system was designed to launch ballistic missiles in order to intercept enemy nuclear rockets and defend US territories.
The auditors also found that three of the five missile locations didn't apply patches for vulnerabilities discovered years and years ago, even as far back as 1990. In addition, at least one team didn't protect their computers with an anti-virus or any other security product that can block intruders. Now, the BMDS computers and servers with access to the missiles might not even be connected to the internet. In that case, the lack of anti-virus wouldn't be such a huge deal... so long as nobody physically tampers with them.
Problem is, at least two locations' server racks weren't routinely locked and secured, allowing pretty much anyone to waltz in. "Failing to keep server racks locked increases the risk that unauthorized individuals could access or tamper with servers that support network operations," the report reads. Some officials didn't encrypt the networks' removable hard drives' and other media, as well, which they were supposed to do. It doesn't help that some of the BMDS locations had poor security planning, leaving gaps in their surveillance cameras' coverage.
This is far from the first time government investigators found the military lacking in terms of cybersecurity. Back in October, a Government Accountability Office report also revealed that nearly all of Pentagon's weapons systems are vulnerable to cyberattack.