Cyberthreats dog old DOD systems, House panel hears
- By Dawn S. Onley
- Jul 25, 2003
The Defense Department's growing reliance on information networks for everything from conducting business to launching missiles makes cyberterror a big concern, congressional and DOD officials said this week.
'While programmers and software developers build more advanced systems to run more tasks, criminals become more creative in their methods to break into these systems,' said Rep. Jim Saxton (R-N.J.), chairman of the House Armed Services Subcommittee on Terrorism, Unconventional Threats and Capabilities. 'DOD systems have grown up in a fragmented way. None of the services has a single system.'
Robert Lentz, DOD's director of information assurance, said an information assurance directive issued last October, followed by additional instructions in March, have set up a framework for layered protection of DOD information systems and networks.
But much more needs to be done to guard against growing threats, Lentz said. 'The growing sophistication of attack makes speed of attack and response absolutely critical,' he said.
Robert F. Dacey, director of information security at the General Accounting Office, said DOD has made progress at securing its systems but lacks an effective information security management program.
Dacey presented to the subcommittee the findings of GAO's July 24 report (PDF)
on Defense security, 'Information Security: Further Efforts Needed to Implement Statutory Requirements in DOD.'
Although the department promotes integrated and comprehensive practices, he said, 'it does not have mechanisms in place for comprehensively measuring compliance with federal and Defense information security policies and ensuring that those policies are consistently practiced.'
The department's 3 million computers, 100,000 LANs and 100 long-distance networks are all part of the Global Information Grid. Last year, the department successfully blocked about 50,000 attempts to gain root-level access to systems, Lentz said.
One problem with security stems from antiquated IT equipment, he said, because information assurance goes hand in hand with modernized networks.
'When I go visit the combatant commanders and see them using very aged computer systems, it's troubling. You can't overlay IA on very aged technology,' Lentz said. For example, he said, a public-key infrastructure technology is not compatible with the Microsoft Windows 95 operating system.
'You need IT modernization to do that,' he said. 'You have to have modern IT at the application level.'