Army resets its sights on security
Recent breaches raise info assurance concerns
- By Dawn S. Onley
- Sep 10, 2004
This summer, a virus penetrated two top-secret systems at the Army Space and Missile Defense Command. And within the past few months, systems at Fort Campbell, Ky., were also hacked. In both instances, the breaches exposed national security data.
In the wake of the attacks, the Army decided to use its recent 2004 Directorates of Information Management conference in Fort Lauderdale, Fla., to drum home the need for better information security.No protection
Lt. Gen. Larry J. Dodgen, commander of the Space and Missile Defense Command based in Arlington, Va., said users and network administrators are not doing their jobs.
In the case of the Space and Missile Defense Command virus attacks, the systems had no antivirus protection software. He said the security breach highlighted the need for all military personnel to show 'diligence, diligence, diligence.'
'The threat is growing, it's proliferating,' Dodgen said. 'It's real. It's constant. We are threatened every day, thousands and thousands of times.'
John Cummings, spokesman for the command, said the infected computers were located in Colorado Springs, Colo. He declined to say exactly when the computers were infected.
The computers were new and that's why no one had loaded antivirus software, Cummings said. He added that the Army's Computer Emergency Response Team is investigating the incident to limit future vulnerabilities. An Army official acknowledged the Fort Campbell intrusion but could provide no details. No one at the fort could be reached for comment.
Linton Wells, acting assistant secretary of Defense for networks and information integration, stressed that network security continues to be one of the biggest issues facing DOD because IT security affects all military users'from the administrative staff to warfighters.
'The most stupid thing we could think of is to make ourselves dependent on a ubiquitous, global network that is not secure,' Wells said.
Wells said enterprise security was one of four areas tested during a recent systems demonstration called Quantum Leap. DOD tested a system based on an identity management capability using a public-key infrastructure.
DOD spends $2.2 billion a year on information assurance. Wells noted that the recent unveiling of an IA architecture to support the Global Information Grid shows that the department is moving in the right direction.
Meanwhile, the Army is developing a standards-based Java Applet interface to the Common Access Card as part of the Defense Department's 2004 Rapid Acquisition Incentive-Net Centricity pilot program.
The Java Applet for Common Access Card (J-CAC) program will provide secure, encrypted communications and digital signature capabilities for any DOD application that uses a Web browser and a smart card, said Robert Hairfield, the Army's deputy product manager for secure electronic transactions and devices.Strong authentication
The J-CAC architecture will be modular and extensible, and the program would integrate CAC and Defense's PKI, Hairfield said. The Army will finish the pilot by the middle of next year.
'Applications need to integrate CAC and PKI for strong identity and authentication services,' Hairfield said.
Lt. Gen. Steven Boutelle, the Army's CIO, also signed a memorandum urging Army users to add the extra layer of authentication security provided by CAC to most transactions by next month. Currently, 90 percent of the Army's personnel have received the cards, but the service expects use is sometimes limited.
Hairfield said the Army has not mandated that every e-mail be digitally encrypted and signed, and the service has neither the bandwidth nor need for such a policy. But eventually users without the cards will find they can no longer access DOD and Army networks, he said.