"Pentagon Planners Gird For Cyber Assault"


Pentagon Planners Gird For Cyber Assault

By Steve Goldstein

Philadelphia Inquirer
December 1, 1999

ARLINGTON, Va. - In a large windowless room of a nondescript office building a few miles from the Pentagon, the war of the future is being waged.

The field of battle is several dozen flat-screen computer monitors that show Department of Defense communications. Six screens display selected computer traffic, though one during a recent visit was tuned to the Weather Channel.

If fears of a concerted cyber attack on the U.S. military are realized - what Deputy Defense Secretary John Hamre has called an "electronic Pearl Harbor" - this room, the Global Network Operations and Security Center, is where the battle will be won.

Or lost.

Between 80 and 100 unauthorized "intrusions" of Pentagon computers are reported each day; about 10 require investigation. Most attacks come from "ankle biters" - hackers who just want to annoy - but some are aimed higher up, at the nerve system of the nation's defenses.

Alarmed by a dramatic increase in cyber attacks, the Pentagon is reorganizing its computer network defense. A September report by the watchdog General Accounting Office concluded there were "serious weaknesses" in the Department of Defense's information security.

Moreover, the rapidly approaching Y2K rollover has military officials wondering if they will be able to distinguish between a network intrusion and the millennium computer glitch.

Capt. Bob West, deputy commander of the Joint Task Force on Computer Network Defense, said there was real potential for a "crippling" attack at any time because of "substantial" vulnerability, especially in the network that handles non-secret communications - the NIPRNET (Non-classified Internet Protocol Router Network).

According to the Defense Information Systems Agency, the number of reported network intrusions has increased dramatically, to more than 18,500 this year compared with 5,844 in 1998. The Pentagon reported only 225 unauthorized network intrusions in all of 1994.

"The NIPRNET is really vulnerable; it has over two million hosts," West said in an interview.

Information that can be accessed and misused includes troop locations, orders for spare parts, transportation logistics, names of military spouses, even credit-card and telephone numbers.

"It's a sensitive but unclassified network," said Gen. Thomas B. Goslin Jr., director of operations for U.S. Space Command, which recently assumed control of computer network defense. "A lot of information could tell you about where we might be going" in an operation.

The Pentagon also maintains a classified network, the SIPRNET (Secret Internet Protocol Router Network), but officials are reluctant to shift a lot of currently unclassified information to secret cover.

"Once you put things on a secure network, you put some constraints on yourself," Goslin explained.

Goslin declined to answer whether the SIPRNET had been breached.

"There are people who have tried to get into that particular network; I don't want to talk about it," Goslin said.

The Pentagon is a tempting target, West said. "A hacker who says he's gotten into military systems [has] a badge he wears proudly," he said.

West and others attributed the surge in reported attacks to the rapid growth of the Internet, and advancing skills of computer users. And better detection systems have caught intrusions that probably would not have been reported before.

But the GAO report said that "serious weaknesses in information security continue to provide both hackers and hundreds of thousands of authorized users the opportunity to modify, steal, inappropriately disclose and destroy sensitive DOD data."

West acknowledged that information technology was a double-edged weapon.

"We're learning just like the rest of the world that the promise of the Internet is that it gives us so much capability, but also so much vulnerability in security," he said.

The Pentagon is trying to upgrade the software for intrusion detection systems, train military personnel as security experts, and reexamine the traffic allowed on nonclassified networks.

The millennium rollover will provide a test. Although DOD systems have been made Y2K-compliant, military officials worry that they are susceptible to an attack.

"It's certainly a golden opportunity," said West, cautioning that he had not seen intelligence warning of particular attacks.

Apart from concern that hackers consider New Year's a prime time for mischief, there is some worry that intruders have planted code disguised as Y2K protection but set to go off Jan. 1, like a time bomb.

"We have some indication that there will be more sophisticated-type people trying to gain access under the guise of a Y2K problem," Goslin said.

For the Pentagon, computer network defense is an effort that now involves hundreds of people and billions of dollars annually, West said.

The Joint Task Force, originally established in December 1998, has been put under the authority of U.S. Space Command at Peterson Air Force Base in Colorado. The command also will oversee the computer network defense components operated by the Army, Air Force, Navy and the Marines, including their CERTS - computer emergency response teams.

In wartime, the task force will be dispatched to set up top-secret computer networks for field commanders. Next October, U.S. Space Command will begin developing ways to attack the enemy's computer-dependent weapons and systems.

Some of this "non-kinetic" warfare occurred during the bombing campaign against Serb forces in Kosovo.

The emphasis now, however, is defense. Gen. Robert Shea, Marine computer defense commander, described the effort as a "long, long march."

"Before we get to the end of the march," he added, "there's going to be some ambushes."

The first ambush was self-inflicted. A 1997 war-game exercise known as Eligible Receiver showed that sophisticated hackers (in this case from the National Security Agency) could cause power outages and 911 emergency phone system overloads in a number of cities. They also reportedly gained "supervisory-level" access to dozens of military networks, disrupting e-mail and phone traffic.

A real attack occurred from January through March, described by officials as a "sustained, well-resourced intrusion." The matter is under investigation by the FBI, amid reports that Russia might have been involved. No one is commenting, even off the record.

Attacking a DOD Web site is the usual modus for the "ankle-biters." But West said officials did not regard defacing a Web site as a big deal because there was no "operational impact."

It's when the hackers get into the so-called (dot).mil environment that real trouble can occur. These attacks most often happen when the United States is engaged somewhere militarily. NATO's air campaign in Kosovo brought a rash of computer intrusions.

An intrusion-detection system produced jointly by the government and commercial ventures has proved useful only for monitoring intrusions after hackers have broken in - not for alerting officials to suspicious entries as they happen.

"They let you know after the barn door has been opened," Shea said.

In fact, many attacks may at first look innocent. For example: A staff person is going through some files, which seems fine until someone discovers that the staffer is actually on leave. The task force members look for anything on the network that is not normal, or is occurring outside a regular cycle of traffic.

"More often than not we see something that looks funny and it's not such a big deal," said West. "The real sophisticated ones don't want to be seen."

When an intrusion is successfully traced, it typically is handed off to the FBI's national infrastructure protection agency.

"The military is not going to show up on someone's doorstep," said Maj. Michael Birmingham, a spokesman for U.S. Space Command.

A computer hacker who attacked the White House Web site this year pleaded guilty to a felony in November, and was sentenced to 15 months in federal prison and a $36,000 fine.

But attribution is mostly a needle-haystack exercise. West said foreign-based hackers often entered systems through Canadian or American university sites, making it difficult to trace the origin of the attack. And mostly, the hackers don't have a set destination.

"They don't go where they want to go," West said. "They go where they can."

The Pentagon is now building redundant communications networks, so that hackers can't see how the military is responding to an attack. And they are trying to increase the recognition speed of intrusions. Military officials do not want to have to immediately retreat and regroup when cyberwar breaks out.

"Today we are primarily reactive," West said. "We monitor the network. We use intelligence reports. We want to become more proactive and be able to predict when malicious activity might occur."

[ENDS]

-- John Whitley (jwhitley@inforamp.net), December 02, 1999

Answers

Hey! I saw this on Star Trek. Computerized wars.... Well, all I can say is, Captain Klinton will be in deep doo doo now, because I don't know where the local disintegration chamber is.

-- lostnotlooking (axemansrv1@aol.com), December 02, 1999.

Is this really just a red herring to make us look the other way while they snatch some more of our rights? (Liz, you CYNIC!!)

-- Liz Pavek (lizpavek@hotmail.com), December 02, 1999.

Pentagon Planners Gird For Cyber Assault. My son is watching front door, glad to know someone watching back door.

-- Louis Lesky (tom4107842@aol.com), April 14, 2004.
