Systems vulnerabilities plague DOD
Systems vulnerabilities plague DOD
GAO report pinpoints chinks in department's information security armor
By Christopher j. Dorobek
Despite years of warnings, the Defense Department still faces significant information security weaknesses and vulnerabilities in nearly every area, a new report from the General Accounting Office has concluded.
'Serious weaknesses in DOD information security continue to provide both hackers and hundreds of thousands of authorized users the opportunity to modify, steal, inappropriately disclose and destroy sensitive DOD data,' the GAO report says.
The Defense Information Systems Agency has made some progress since GAO's 1996 review, but even DISA needs to do more, according to the report, DOD Information Security: Serious Weaknesses Continue to Place Defense Operations at Risk.
The weaknesses impair DOD's ability to control physical and electronic access to its systems and data; to ensure that software running on its systems is authorized and functioning as intended; to limit employees' ability to perform incompatible functions; and to resume operations in the event of a disaster, according to the report issued late last month.
'DOD has made limited progress in correcting the general control weaknesses we reported in 1996. As a result, these weaknesses persist across every area,' the report said.
DOD spokeswoman Susan Hansen said the report shows the department has work to do. 'We have a huge enterprise here,' she said, and the department has grown up developing independent, autonomous systems where security was not a top priority.
That is changing, she said.
Congress' watchdog organization agreed. The department has 2.1 million computers, more than 10,000 LANs and more than 100 long-distance networks, and its tens of thousands of automated information systems run on a variety of platforms, the report said.
DOD is trying to centralize the security process. DISA, for instance, has developed standard technical implementation guides for configuring software. The agency has also established a security readiness review process that lets it test Defense compliance with security standards and track weaknesses in systems running at the department's megacenters, GAO said.
|GAO gives DOD security pointers|
- DISA needs to expand the process it uses to assess security readiness. It should include timely and independent verification of corrective actions reported by Defense megacenters and other organizations.
- The CIO needs to make sure that the Defense-wide Information Assurance Program has a clearly defined plan for coordinating its work with that of the Joint Task Force on Computer Network Defense and other security efforts.
DOD has also issued plans for the Defense-wide Information Assurance Program, which seeks to consolidate security control protection efforts. DIAP will provide the framework for a comprehensive information security program, DOD officials said.
The department also created the Joint Task Force on Computer Network Defense to spearhead protection efforts.
But these efforts did not eliminate significant weaknesses, GAO said. Auditors found problems with access controls, application development, change controls and system software controls.Wait and see
It is too soon to tell how effective some of the initiatives will be, GAO said.
'It is too early to assess when, whether or how effectively the provisions of the DIAP management and implementation plans will be implemented and coordinated with other related efforts or whether DIAP will ultimately succeed in ensuring adequate information security throughout DOD,' the report said.
As with many organizations, the security issue is closely tied to work force issues, said Alan Paller, director of research at the SANS Institute of Bethesda, Md. Deputy Defense secretary John J. Hamre is preaching the word of IT security, but it is hard to win converts, Paller said.
In February, Hamre told the House Armed Services Subcommittee on Procurement and R&D that security is among his top priorities.
'I am not at all concerned about our ability to develop and employ the information technologies needed to achieve [DOD's] offensive goals. But I am very concerned about our ability to defend the information systems that make actual offensive operations possible,' he said.