By Ira Winkler

On February 25, 1998, the news broke that the Pentagon and the Department of Justice were investigating a series of hacker attacks. These attacks, which the FBI believes were committed by two teenage boys from Cloverdale, California, compromised unclassified systems throughout the Department of Defense. In response, Deputy Secretary of Defense John Hamre said that the Pentagon should think of this as a "wake-up call."

I'll say. How many wake-up calls does the Pentagon need? Back in the mid-1980s, there was the Hannover hacker case in which a group of Germans, sponsored by the KGB, broke into DOD-related computers around the world. Then in the early 1990s, the Defense Information Systems Agency attacked Department of Defense computers around the world and found that they could break into 88 percent of randomly found Defense computers. Of the successful break-ins, only 3 percent resulted in the victims both detecting the break-in and responding to the potential threat properly.

A recent Government Accounting Office report highlights this problem, finding a total of 250,000 attacks against military systems on the Internet, with 160,000 of those attacks being successful. There were also hundreds of other attacks against department systems throughout the years.

Downright negligent

I am not one to say that victims are responsible for crimes committed against them; however, in my opinion, the continued success of attacks, combined with the ignorance displayed by Hamre, is negligence. After all, the US military is an obvious target, not just for teenaged hackers playing games, but for military and terrorist adversaries as well.

Are we supposed to be comforted by the fact that, according to Hamre, the attacks were committed with "[m]odestly [s]ophisticated" methods? The thought that someone can train a person with minimal computer abilities to launch modestly sophisticated attacks against sensitive networks and systems terrifies me.
Has Hamre, or anyone else in the department, ever heard about the Russians, the Chinese, the Israelis, or even the drug cartels? These are all groups who might love to get their hands on the information that those game-playing hackers were apparently accessing. I would also tend to believe that the intelligence agencies of these groups are capable of more than modestly sophisticated attacks.

The attacks against the DOD are certainly embarrassing. More importantly, they represent a threat to national security. The attacks themselves have been relatively unimportant. The fact that they are successful says more about the DOD than the hackers.

For Hamre to try to say that now the DOD might do something is a case of "too little, too late." The DOD has known about security problems in its computer systems for over a decade. It doesn't need more wake-up calls; it needs competent funding, training, and staffing of systems administrators to secure the systems it chooses to make available on the Internet.

The simple cure for the department is to take all its systems off the Internet until it can secure them. Computers can be protected when they are properly administered. I know some of my friends in the Department of Defense know this. Maybe they can tell their bosses, before the department ends up in the news again explaining why someone just playing a game can break into the department's systems.

Of course, the real bad guys can't hack a computer. Right?

http://www.zdnet.com/zdtv/cda/index/0,2073,2000223-2103620,00.html