[ISN] Pentagon Negligence

From: mea culpa (jerichoat_private)
Date: Tue May 19 1998 - 14:49:03 PDT

  • Next message: mea culpa: "[ISN] I believe Microsoft has knowingly violated the export rules"

    By Ira Winkler
    On February 25,1998, the news broke that the Pentagon and the Department
    of Justice were investigating a series of hacker attacks. 
    These attacks, which the FBI believes where committed by two teenage boys
    from Cloverdale, California, compromised unclassified systems throughout
    the Department of Defense. In response, Deputy Secretary of Defense John
    Hamre said that the Pentagon should think of this as a "wake-up call."
    I'll say. How many wake up calls does the Pentagon need? Back in the
    mid-1980s, there was the Hannover hacker case in which a group of Germans,
    sponsored by the KGB, broke into DOD-related computers around the world.
    Then in the early 1990s, the Defense Information Systems Agency attacked
    Department of Defense computers around the world and found that they could
    break into 88 percent of randomly found Defense computers. Of the
    successful break-ins, only 3 percent resulted in the victims both
    detecting the break-in and responding to the potential threat properly.
    A recent Government Accounting Office report highlights this problem,
    finding a total of 250,000 attacks against military systems on the
    Internet, with 160,000 of those attacks being successful. There were also
    hundreds of other attacks against department systems throughout the years
    as well. 
    Downright negligent
    I am not one to say that victims are responsible for crimes committed
    against them, however in my opinion, the continued success of attacks--
    combined with the ignorance displayed by Hamre-- is negligence. After all,
    the US military is an obvious target, not just by teenaged hackers playing
    games, but by military and terrorist adversaries as well.
    Are we supposed to be comforted by the fact that, according to Hamre, the
    attacks were committed with "[m]odestly [s]ophisticated" methods? The
    thought that someone can train a person with minimal computer abilities to
    launch modestly sophisticated attacks against sensitive networks and
    systems terrifies me.
    Has Hamre, or anyone else in the department ever heard about the Russians,
    the Chinese, the Israelis, or even the drug cartels?  These are all groups
    who might love to get their hands on the information that those
    game-playing hackers were apparently accessing. I would also tend to
    believe that the intelligence agencies of these groups are capable of more
    than modestly sophisticated attacks.
    The attacks against the DOD are certainly embarrassing. More importantly,
    represent a threat to national security. The attacks themselves have been
    relatively unimportant.  The fact that they are successful says more about
    the DOD than the hackers.
    For Hamre to try to say that now the DOD might do something is a case of
    "too little, too late." The DOD has known about security problems in its
    computer systems for over a decade. It doesn't need more wake-up calls, it
    needs competent funding, training, and staffing of systems administrators
    to secure the systems it chooses to make available on the Internet.
    The simple cure for the department is to take all its systems off the
    Internet until it can secure them. Computers can be protected when they
    are properly administered. I know some of my friends in the Department of
    Defense know this.  Maybe they can tell their bosses, before the
    department ends up in the news again explaining why someone just playing a
    game can break into the department's systems.
    Of course, the real bad guys can't hack a computer. Right? 
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:53:41 PDT