Defense told to improve computer security coordination

The Defense Department's ability to prevent, detect and respond to cyberattacks is getting better, but military officials still face numerous security challenges, the General Accounting Office concludes in a new report. Defense has set up numerous computer emergency response teams and communication methods for alerting systems administrators to security problems and solutions. Every day, Defense identifies thousands of intrusions into computer systems and other problems. In 1999, the Air Force, Army and Navy reported a total of 600 attacks. That number grew to 715 in 2000. "If successful, these attacks could result in the loss or corruption of critical data, damage to information systems, or disruption of military operations," said Robert Dacey, GAO's director for information security issues, in the report, "Information Security: Challenges to Improving DoD's Incident Response Capabilities" (GAO-01-341). While the report recognized Defense's strides in protecting its more than 2.5 million computer systems and 10,000 local area networks, it recommended greater departmentwide coordination and cooperation on information security. GAO said that Defense's attempts at resource planning for security "are not yet adequately coordinated." Plus, data produced by intrusion detection systems and firewalls are not shared departmentwide "so that potential intrusions can be better identified and tracked." GAO also said that Defense has come up short when it comes to systematically reviewing systems for security holes. Furthermore, Defense does not adequately monitor specific units' compliance with information security procedures and vulnerability alerts. Defense officials have reported that they are developing central databases to track cyber intrusions and security holes. They are also creating a set of common terms for reporting events, identifying security gaps and prioritizing systems for vulnerability reviews. GAO recommended that Defense speed its current activities and create a systematic process for vulnerability assessments. GAO also counseled Defense to pay attention to the result of such assessments "to ensure that recommended repairs have been made and have been applied to all similar systems throughout" the department.