FEATURES & COMMENTARY
Washington, D.C. — Dan Verton reports that the number of cyberattacks and intrusions into Pentagon computer networks this year is expected to top off at 24,000, an increase of 5 percent compared with last year, said the U.S. Department of Defense. However, the overwhelming majority of those intrusions are due to known vulnerabilities and poor security practices.
Ninety-nine percent of the successful attacks and intrusions can be attributed to known vulnerabilities and security gaps that have gone unfixed, and to poor security practices by defense agencies, said Navy Capt. Robert West, the deputy commander of the Pentagon’s Joint Task Force for Computer Network Defense.
Malicious hackers and other criminals penetrated Pentagon network security at least 14,059 times during the first seven months of this year, said West. That number will probably increase by at least 10,000 before the year ends, he said. Hackers stung the Pentagon at least 22,144 times last year and 5,844 times in 1998.
“These incidents will have served a constructive purpose if the Pentagon is willing and able to learn from them,” said Steven Aftergood, a defense and intelligence analyst at the Federation of American Scientists in Washington. “By exposing and highlighting vulnerabilities, the attacks can actually help to inoculate the system during times of crisis. But only if the appropriate lessons are learned now.”
But John Shissler, a member of the Senior Professional Staff at the Johns Hopkins University’s Applied Physics Laboratory and a former military intelligence officer, said the number of successful attacks raises questions about the Pentagon’s preparedness to withstand more skilled adversaries.
“We are currently operating in a relatively benign international environment yet we were hard pressed to deal with the detected hacks,” said Shissler. “In my opinion we have a raging case of technological hubris and are ready to be taken to the cleaners by a savvy adversary.”
In addition to weak security practices by Defense Department (DOD) network administrators, the increase in the number of attacks can be attributed to the greater availability of sophisticated hacker tools on the Internet, said West. “Someone with a very limited amount of computer skills can do a lot of damage,” he said.
The increase in the number and the sophistication of the attacks poses a significant threat to DOD plans to use computer networks as part of its overall strategy to fight future conflicts, a concept known throughout the Pentagon as “network-centric warfare.”
Despite claims by senior officials that DOD’s classified systems are immune from attack, there are several connections between the Pentagon’s top secret and secret networks and the unclassified network that connects to the global Internet that make them vulnerable, said West. However, sophisticated encryption devices designed by the National Security Agency protect the classified networks.
“All of our various layers of networks are connected,” said West. “Regardless of classification, there are connections and you are dependent on that infrastructure.”
However, legal restrictions have hampered the DOD’s ability to respond to attacks and track down hackers, West said. Due to legal and privacy restrictions, the department is prohibited from pursuing hackers beyond its networks. The agency can take defensive measures to stop a hacker, but to actively catch and prosecute a hacker, it must go through the FBI.
“We don’t go outside of our firewalls, but we’d like to,” said West.
One solution that the department is working on, said West, is a concept called “legal hot pursuit.” Pentagon criminal investigators are searching for a legal framework that would enable them to use one search warrant to track hackers back through the multitude of Web sites they often use as launching pads for their attacks, said West.
Today, these investigations require separate search warrants for every system used as part of a distributed denial-of-service attack.