Pentagon slack may lead to cyber-attack, report says

ksaldarini@govexec.com

The Defense Department often talks about the importance of information systems security, but rarely practices what it preaches, a report released Tuesday said.

The National Research Council's report, Realizing the Potential of C4I: Fundamental Challenges, reinforced suggestions that DoD is highly vulnerable to cyber-terrorist attacks. DoD sponsored the report to review Defense-wide programs for command, control, communications, computers and intelligence (C4I). C4I systems help military commanders locate and track enemy and friendly forces.

"DoD's words regarding the importance of information systems security have not been matched by comparable action" despite past reports demonstrating DoD's information security weaknesses, the National Research Council reported. "Troops in the field did not appear to take the protection of their C4I systems nearly as seriously as they do other aspects of defense," the report said.

Reviewers observed instances of insufficient security such as sticky notes with important systems data attached to computers. In other instances, computers holding sensitive information were found to be vulnerable to hostile applets from the World Wide Web. The report attributed slack computer security to a DoD organizational culture accustomed to mounting offensive attacks. Cyber-terrorist threats instead must be countered with defensive action.

DoD cannot do much to retaliate in peacetime against hacker attempts and therefore has adopted a passive defense position, the report said. Under current laws, civilian law enforcement is responsible for apprehending and prosecuting computer hackers. As a result, hackers pay no price for attempting to access sensitive DoD information until a system is successfully hacked.

The report also criticized DoD's attempts to build a common technology infrastructure that would allow forces to exchange data and operate together. Outdated procurement methods tailored to weapons systems prevent C4I systems from keeping pace with rapid technology developments, the report said.

To effectively change the culture of passive defense, DoD must improve its leaders' education, the report said. C4I systems users must receive training before being granted access to the systems. The report also recommended that DoD offer cash incentives and promotions to keep security specialists from being lured to the private sector. At the same time, security policy violators must face sanctions to send a message that computer security is a serious priority.