Information Insecurity

very 20 minutes someone tries to penetrate a Defense Department computer network. But not all of the intruders are outsiders. Defense officials are increasingly concerned about trusted employees seeking restricted data. Just as troubling is that many intrusions could be prevented if workers followed basic security procedures. While computers have become central to agency operations across government, security has not.

A case in point: A few months ago, 27-year-old computer whiz Shawn Key hacked into a federal agency's computer network. (He spoke about the agency on the condition that it not be identified.) For national security purposes, the office Key broke into was supposed to have no more than a handful of carefully controlled modems through which employees could access the Internet. Instead, Key found more than 500 modems on the system-a mother lode for any hacker intent on wreaking havoc. Just days before the modems were discovered, network administrators had issued an order expressly forbidding the use of extraneous modems.

Fortunately for the agency, Key is what he calls an "ethical hacker," working to protect organizations against intrusions by "nonethical hackers": disgruntled employees, precocious teen-agers trying to embarrass institutions by posting electronic graffiti, and terrorists intent on damaging national security. As a systems engineer at the computer security firm J.G. Van Dyke and Associates in Bethesda, Md., Key's job is to probe client computer systems for security breaches. And there are plenty of breaches at federal agencies.

In recent months, Key says, he has repeatedly hacked into federal computer systems where the network administrator's password was blank, essentially giving him-and any other hacker-a key to the network and all the data managed there. With such access, a hacker could shut down the system, install or delete software, read, modify or delete data, and cover his tracks, avoiding detection altogether. As for the 500 excess modems Key recently encountered, agency employees were probably plugging laptop computers with built-in modems into phone jacks at their desks to connect to the Internet, he says, not realizing they were compromising security.

The vulnerability of federal agencies to computer attacks is growing, says Michael Vatis, director of the FBI's National Infrastructure Protection Center, one of several new government organizations established in the last year to shore up computer security in both the public and private sectors. NIPC's mission is to detect, deter, assess, warn of, respond to, and investigate intrusions and illegal acts that target or involve critical infrastructures. As such, it is the government's central coordinating authority for responding to cyber threats.

"Unfortunately, this is definitely a growth industry," Vatis says. "Every year the number of people using the Internet increases massively. That means there are more illegal intrusions and I think a lot of the more serious threats out there are beginning to see the utility of cyber weapons-whether we're talking about organized crime groups, terrorists, foreign intelligence services or foreign militaries. The problem is just going to grow more and more."

Protecting information on computer networks in the federal government is a vast and complex undertaking, because agencies have become dependent on computers for almost all of their day-to-day business operations. Networks have grown so fast in recent years that very few administrators fully understand the systems they are supposed to manage. Rapidly changing technology and employee turnover make it virtually impossible to keep agency personnel appropriately trained to deal with intrusions on their networks. At the same time, the government's growing reliance on data networks increases its vulnerability to hackers by exposing agencies to more points of entry, many beyond managers' control.

Insider Threat

Such vulnerability is keenly felt at Defense and intelligence agencies. "We have found that almost anyone with a computer and modem can use specialized malicious software and tools and attempt to disrupt our network operations and make it difficult for us to effectively carry out our missions," says Air Force Maj. Gen. John H. Campbell, commander of the Pentagon's Joint Task Force for Computer Network Defense, an interim office established in January to coordinate DoD responses to cyber threats. "It isn't just our classified data and systems that require security, it is also our unclassified but sensitive data, such as payroll and acquisition information."

"Traditional geographical boundaries do not exist in cyberspace and the size of the area of operations is unbounded," says Campbell. "Since so many of our computer systems are interconnected, threats to one seemingly isolated computer system can potentially become a threat to multiple computer systems."

Deputy Defense Secretary John Hamre told members of the House Armed Services Committee's research and development panel at a closed hearing Feb. 23 that it is not a question of whether there will be an electronic equivalent of the sneak attack on Pearl Harbor but when such an attack will occur. In an interview with Defense News, panel chairman Rep. Curt Weldon said Hamre told the panel that Defense computer systems were then under a significant, organized attack. Hamre told Government Executive he could not discuss the attack, citing an ongoing investigation with the FBI. In the unclassified version of Hamre's statement to the committee, he wrote, "I am very concerned about our ability to defend the information systems that make actual offensive operations possible."

Hamre noted that, "We are increasingly concerned about those who have legitimate access to our networks-the trusted insider. . . . I cannot emphasize strongly enough the seriousness of the insider threat to our information systems and, through those systems, to the department's operations." One security expert who works with both federal and private sector organizations says that on average, as many as 70 percent of intrusions come from inside an organization. Building and sustaining a secure information infrastructure is a challenge across the federal government.

Last September, the General Accounting Office reported significant information security weaknesses in each of the 24 largest federal agencies. Inadequately restricted access to sensitive data and other weaknesses "place critical government operations, such as national defense, tax collection, law enforcement and benefit payments, as well as the assets associated with these operations, at great risk of fraud, disruption and inappropriate disclosures. In addition, many intrusions or other potentially malicious acts could be occurring but going undetected because agencies have not implemented effective controls to identify suspicious activity on their networks and computer systems."

GAO auditors demonstrated such weaknesses last year after the Senate Governmental Affairs Committee asked them to assess whether the State Department's unclassified information systems were susceptible to unauthorized access. The answer, GAO found, was an overwhelming yes. Auditors penetrated State's computer systems through internal network security controls, Internet gateways and public information servers.

By simply walking into unsecured facilities, auditors were able to download files that contained password lists. In one unlocked area, auditors accessed a local area network server where they obtained administrator-level access, known as "superuser" access, giving them total control of the system's operations and security functions. After gaining such access on several different operating platforms, including UNIX and Windows NT, auditors viewed international financial information, travel arrangements, detailed network diagrams, employees' e-mail and other sensitive data.

Social Engineering

"Our penetration tests were largely successful," said Gene Dodaro, assistant comptroller general in GAO's accounting and information management division, during testimony before the Senate committee last May. State's computer systems were vulnerable to just about anybody determined to take advantage of them. "Without any passwords or specific knowledge of State's systems, we successfully gained access to State's networks through dial-in connections to modems," he said. "Having obtained this access, we could have modified, stolen, downloaded or deleted important data; shut down services; and monitored network traffic, such as e-mail and data files."

"Unauthorized deletion or alteration of data could enable known criminals, terrorists and other dangerous individuals to enter the United States. Personnel information concerning approximately 35,000 State employees could be useful to foreign governments wishing to build personality profiles on selected employees. Manipulation of financial data could result in overpayments or underpayments to vendors, banks and individuals, and inaccurate information being provided to agency managers and the Congress. Furthermore, the overseas activities of other federal agencies may be jeopardized to the extent they are supported by State systems," Dodaro said.

In some cases, auditors were able to obtain key information, such as passwords, just by talking to employees, a technique computer specialists refer to as "social engineering." According to Key, employees in many organizations don't follow, or aren't aware of, basic security policies, such as how to establish effective passwords. In other organizations, security policies are nonexistent.

Computer security weaknesses are by no means limited to the State and Defense departments. "This country is wide open to attack electronically," Hamre told leading private-sector chief information officers at the Fortune 500 CIO Forum in Aspen, Colo., last summer.

"We're vulnerable because of the enormous productivity improvements that we've sought through information technology in the last 20 years," Hamre said. "Increasingly, American business, in order to save money and to shed itself of the cost of proprietary networks, is moving these systems onto an Internet-based communications network. So we're finding increasingly, America's businesses and utilities are controlling the infrastructure through a technology that was never designed with security in mind."

Over the last decade, the Defense Department has followed suit, shifting what were formerly government-controlled communications systems to commercial systems. Defense officials estimate more than 95 percent of military communications today take place over commercial networks. The liability posed by such dependence became clear when the Pentagon conducted an exercise known as "Eligible Receiver" in 1997. Using off-the-shelf technology and software downloaded from hacker Web sites, a team of about 20 employees from the National Security Agency hacked into unclassified Pentagon computer systems. The surprise exercise, designed to expose weaknesses in computer security, succeeded beyond the planners' wildest expectations. Among other things, the exercise showed how hackers might disrupt troop deployments.

"It was startling," Hamre said. "We didn't really let them take down the power system in the country, but we made them prove that they knew how to do it."

The 'Big Banana'

Between 1999 and 2002, the Defense Department plans to spend $3.6 billion to address computer security issues. With 2 million computers, 100,000 local area networks and more than 100 long-distance networks, securing information is a formidable challenge for the agency.

Arthur Money, the DoD's CIO and the Pentagon's point man for computer security, says on an average day there are about 60 unauthorized intrusions into Pentagon computer networks. Of those, about 60 a week are serious enough to be considered attacks. In his testimony, Hamre said the Defense Department detects "80 to 100 events daily. Of these, approximately 10 will require detailed investigation." Whatever the exact figure, it represents only what the Defense Department is able to detect, which may be only a fraction of actual intrusions, security officials say, because a good hacker can mask his comings and goings.

"Almost every intrusion is first viewed as a law enforcement issue," says Money. "If it's a blatant national security problem and it's recognized as that-recognizing when that's the case is the problem-we have the authority to do what we need to do." As such, the Pentagon works closely with the FBI in investigating intrusions.

One significant attack was detected in early February 1998, just eight months after the Eligible Receiver exercise, when officials at the Air Force's Information Warfare Center in San Antonio, Texas, spotted a pattern of unauthorized entries into several different Defense networks around the country. For days, the hackers led military and FBI security experts on a computer crime chase around the world. The attack, which coincided with the deployment of troops and equipment to the Persian Gulf for a possible strike against Iraq, was believed by some at the time to be an act of cyber warfare on the part of Iraq, especially after investigators traced intrusions to computer servers in the Middle East. When the hackers turned out to be two teens in California and one in Israel, national security personnel were relieved-but only somewhat.

"Doesn't it scare you that we're finding kids who can do this stuff?" asked Vatis when he testified about the attack before the Senate Judiciary Committee's panel on technology, terrorism and government information last June. "Doesn't it scare you to think that we may not know what people with more sophisticated skills and resources are doing? The cases that we are seeing are enough of an indication of our vulnerabilities to make us realize that this is in fact a very serious problem."

A majority of hackers just want to test their skills, Vatis said. "They see the Defense Department as the big banana, the final exam, the ultimate challenge." As a result, the FBI spends a lot of time working with Defense and intelligence agency officials.

Since Eligible Receiver and the teen attack last February, the Defense Department has beefed up security significantly, Money says. "All the services now have deployed intrusion detection devices, so we're much more aware when intrusions happen. We were pretty wide open a year ago. We have much better tools, so we have more scouts out, if you will, and consequently we're finding more intrusions."

Growing Threat

It is impossible to gauge the true number of intrusions into federal networks. There is no central repository for such information. In the private sector, information indicating security weaknesses is closely guarded. Nonetheless, there are indications that hacking is a growing problem. An annual survey of public and private security specialists conducted by the FBI and the Computer Security Institute, a professional organization of computer security specialists based in San Francisco has shown dramatic increases in security breaches. Sixty-four percent of respondents in 1998 reported intrusions in the previous 12 months, a 16 percent increase over 1997 survey results.

Law enforcement investigations have also increased. When the National Infrastructure Protection Center was formed in February 1998, the FBI had about 500 pending computer intrusion investigations. Today, there are more than 650 such cases. There is also an increase in the number of intrusions reported, says Vatis. "It could be that more are happening, it could be that more are being noticed, or it could be that more are being reported. It's likely all of those."

There is no single action agencies can take to protect their networks, says Lt. Gen. William Campbell, the Army's director for command, control, communications and computers. "It's a defense in depth. You need a series of things, ranging from the mundane, such as having proper passwords, to sophisticated intrusion detection devices."

There are three basic levels of managing security, he says, and all need to be continually updated as technology changes. The first is establishing security policies and procedures-and enforcing them. The second is implementing effective training programs for the lowest-level users through systems administrators. Finally, agencies must continue to refine their network architectures and incorporate protection technologies.

While the Pentagon is investing more resources in network security, hackers are also getting more sophisticated, says Vice Adm. Robert Natter, director of space, information warfare, command and control for the Navy. But he argues that the military must not shy away from commercial technology because of the security threat. Instead, he says, DoD should continue to invest heavily in countermeasures. "I compare this technology, where it is today, with the biplane. If we had walked away from that technology because it crashed a lot, we wouldn't be flying jetliners today. It's very fragile, it's very susceptible to problems, to nefarious attempts to get into it, but we need to face up to that, invest in combating it and move forward."