Defense Department Computers Vulnerable to Attack

[William Knowles <wk () C4I ORG>]

http://www.washingtonpost.com/wp-dyn/articles/A43417-2000Dec8.html

By Walter Pincus
Washington Post Staff Writer
Friday, December 8, 2000

The Defense Department suffered more than 22,000 electronic attacks on
its computer systems in 1999 and about 14,000 in the first seven
months of this year, the Pentagon's chief information officer said.

The vast majority of those attacks were either harmless or caused only
petty harassment, but in a few cases, hackers believed to be working
for foreign countries have broken into unclassified computer systems
and downloaded large amounts of information, said Arthur Money, the
assistant secretary of defense for command, control, communications
and intelligence.

Pentagon officials said that, to the best of their knowledge, the
Department of Defense's classified computer systems have not been
breached.

The DoD was able to make an accurate count of the number of attacks
for the first time last year, because at the end of 1998 it installed
devices to monitor attempts by hackers to penetrate its computers.

In 1999, the Pentagon detected 22,144 attempts to probe, scan, hack
into, infect with viruses or disable its computers. About 3 percent
(or more than 600) of those incidents caused temporary shutdowns or
other damage. About 1 percent (or roughly 200) were intrusions by
hackers who managed to break into unclassified computer systems.

So far this year, officials said, the number of attacks is up
approximately 10 percent, and the percentage that have caused damage
or resulted in intrusions is about the same.

In an interview, Money predicted that the number of attacks is only
"going to increase" in the future.

"A majority of the attacks [that cause damage] come through
vulnerabilities in existing software, most of it from commercial
companies" such as Microsoft, Netscape and Lotus, he said.

Although the Pentagon is "putting more and more effort into testing"
off-the-shelf software and is working with major software companies in
the design stages, Money added, "there is hardly any way to prevent"
vulnerabilities from creeping into the millions of lines of commercial
computer code written not only in the United States, but also in
India, Ireland, Israel and other countries.

"On a lot of these [programs], we don't know where the code is
written," he said.

Many of the vulnerabilities are unintentional, but some appear to be
"trapdoors" deliberately left by software writers to allow intrusions,
and others are "backdoors" that were designed to help systems
administrators but have been "discovered by kids and hackers and used
to harass the systems," a Pentagon official said, speaking on
condition of anonymity.

As a result, the official added, "we are not buying such off-the-shelf
products in our most sensitive systems."

The Pentagon's cyber security problem is enormous. The Defense
Department has roughly 10,000 computer systems and 1.5 million
individual computers. About 2,000 of the systems are
"mission-critical," meaning that they "must work for [the DoD] to
successfully execute its myriad missions," Money told a House Armed
Services subcommittee in March.

"We are probed on a daily basis by those who are trying, or planning,
to disrupt our nation's military capabilities," he said, adding that
the Pentagon has discovered "a few nation state operatives doing major
downloadings of unclassified materials."

In August, Congress put an additional $163 million for computer
security into the fiscal 2001 defense appropriations bill. But the
House-Senate conferees' report on the bill warned that the new funds
"will be of limited value if the software used by the department has
been designed with intentional weaknesses to permit future
unauthorized access."

The conference report directed the Pentagon "to carefully consider the
origin of all software used in developing or upgrading information
technology or national security systems."

The "seminal event" that awakened the Pentagon to its computer
security problems occurred in February 1998, Money said, when some
California youths, under the direction of an Israeli, took advantage
of a "well-known vulnerability in Sun software" to break into the
Solaris operating system used by several Pentagon agencies.

Those attacks, which came as preparations were underway for a possible
military operation against Iraq, "were widespread, systematic and
showed a pattern that indicated they might be the preparation for a
coordinated attack on the defense information infrastructure," then
Deputy Defense Secretary John J. Hamre told Congress in 1999.

Military computer administrators had been warned about the weakness
that the California hackers exploited, but many had failed to heed the
warning and patch their systems, Money said.



*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".