UN audit finds weakness in peacekeepers' IT

Network traffic and data in the United Nations peacekeeping logistics system were not secure in 2008, according to an internal report.

The report, by the UN Office of Internal Oversight Services (OIOS), criticised security in the Galileo Inventory Management System, an in-house automated application that manages $2bn (£1.4bn) worth of UN-owned equipment per year. Typically, such peacekeeping equipment includes arms, medical, and aid supplies.

The report, entitled Audit of the Galileo System at the United Nations Logisitics Base in Brindisi, Italyfound network protocols were "not secure", data-integrity controls were not validated, and there was no officer responsible for information security at the base.

Last year the Galileo application was used, at the UN headquarters in New York and the UN Logistics Base in Italy (UNLB), to co-ordinate logistics for 16 peacekeeping missions and six special political missions.

The report, dated July 2008, found that traffic flowing over the network was in clear text rather than being encrypted, and that the protocol used was http, which the OIOS described as "insecure" due to the potential interception of wireless communications signals.

"The confidentiality and integrity of the data transmitted over the network can be easily breached," the report's authors said. "In particular, user identification and passwords entered in by users whilst logging on to the application can be easily intercepted by any individual with moderate computer expertise and can be used to access the application without authorisation."

A recommendation that the protocol should be switched to https (hyper-text-transfer-protocol over secure socket layer) was rejected by UNLB in July 2008 on the grounds that the "austere" locations peace-keeping missions find themselves in need low-bandwidth, high latency satellite links. Https "may seriously affect performance" of these links, said the UN Department of Field Support.

There were also no procedures in place monitoring whether communications had been hacked, said the report. The integrity, accuracy and reliability of Galileo communications were called into doubt, as these were not checked, exposing "sensitive data to the risks of inaccuracy, incompleteness, misuse and unauthorised access", the report's authors wrote.

According to the report, the lack of an officer in charge of IT security at UNLB meant no-one was overseeing IT security risk management there, with no-one monitoring IT security threat updates or advisories.

"Security breaches or vulnerabilities may not be routinely investigated and remedial action promptly taken," the report stated.

In addition, the disaster-recovery facilities at UNLB were located on the same campus as the Galileo hosting facilities, meaning that "a disaster affecting the UNLB campus will also affect the continuity location", while there was no written business continuity plan.

The UNLB accepted in July 2008 that a person needed to be put in charge of IT security at the base, that data integrity and audit logs should be checked, that the Galileo disaster-recovery site should not be on the same campus as the hosting facility, and that a business continuity plan should be put in place.

The UN and OIOS had not responded to a request for comment at the time of writing.

The report was first posted on the US UN mission site. It was then posted on whistleblower site Wikileaks on Monday.