Information Security:

Computer Attacks at Department of Defense Pose Increasing Risks

AIMD-96-84: Published: May 22, 1996. Publicly Released: May 22, 1996.

Additional Materials:

Contact:

Robert F. Dacey
(202) 512-3317
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Pursuant to a congressional request, GAO reviewed the extent to which Department of Defense (DOD) computer systems are attacked, focusing on the: (1) potential for further damage to DOD computer systems; and (2) challenges DOD faces in securing sensitive information on its computer systems.

GAO found that: (1) DOD relies on a complex information infrastructure to design weapons, identify and track enemy targets, pay soldiers, mobilize reservists, and manage supplies; (2) use of the Internet to enhance communication and information sharing has increased DOD exposure to attack, since the Internet provides unauthorized users a means to access DOD systems; (3) while the DOD information available on the Internet is unclassified, it is sensitive and must be restricted; (4) only about 1 in 500 attacks is detected and reported, but the Defense Information Systems Agency (DISA) estimates that DOD is attacked about 250,000 times per year; (5) attackers have stolen, modified, and destroyed data and software, disabled protection systems to allow future unauthorized access, and shut down entire systems and networks to preclude authorized use; (6) security breaches pose a serious risk to national security because terrorists or U.S. adversaries could disrupt the national information infrastructure; (7) security breaches cost DOD hundreds of millions of dollars annually; and (8) DOD needs to increase the resources devoted to computer security, update the policies that govern computer security, and increase security training for system and network administrators.

Recommendations for Executive Action

  1. Status: Closed - Not Implemented

    Comments: DOD concurred fully with the recommendation and initially acknowledged the limited capability of its incident response efforts. Since the report, DOD has established the Joint Task Force - Computer Network Defense, which intends to ensure that departmentwide incident response capability is sufficient. On May 3, 1999, and in response to this recommendation, DOD completed an evaluation of its defensive information operations, organizations, and activities--including incident response capabilities. The evaluation helped DOD identify opportunities for improving computer network defensive operations but did not ensure that incident response capabilities were sufficient to handle projected threats. In March 2001, GAO reported that DOD faced a number of challenges to improving incident response capabilities (GAO-01-341) and recommended several ways for DOD to better protect systems and networks from cyber threats and attacks. DOD concurred with information presented in the report and agreed to implement the recommendations as soon as practicable. According to a senior DOD official, this action will ensure that DOD has been fully responsive to GAO's 1996 audit recommendation.

    Recommendation: To better focus management attention on DOD's increasing computer security threat and to ensure that a higher priority and sufficient resources are devoted to addressing this problem, the Secretary of Defense should strengthen the DOD's computer security program by evaluating the incident response capabilities within DISA, the military services, and DOD agencies to ensure that they are sufficient to handle the projected threat.

    Agency Affected: Department of Defense

  2. Status: Closed - Implemented

    Comments: DOD concurred fully with the recommendation. The military services initiated programs to employ more intrusion detection software in their systems. DOD implemented its Joint Intrusion Detection System, which consolidated several ongoing technical initiatives designed to prevent and eradicate viruses, as well as detect and provide real-time responses to intrusions. Further, JCS Instruction 6510.01B requires the use of departmentwide network monitoring, automated alerting mechanisms, post attack analysis and other technologies to strengthen DOD's computer security.

    Recommendation: To better focus management attention on DOD's increasing computer security threat and to ensure that a higher priority and sufficient resources are devoted to addressing this problem, the Secretary of Defense should strengthen the DOD computer security program by continually developing and cost-effectively using departmentwide network monitoring and protection technologies.

    Agency Affected: Department of Defense

  3. Status: Closed - Not Implemented

    Comments: DOD concurred fully with the recommendation. It agreed to direct that all military installations review and ensure that they have personnel assigned to information systems security officer, network manager, and system administrator responsibilities. DOD also agreed to expeditiously determine the extent of shortfalls and determine the efforts and resources required to improve the training and availability of these responsible personnel. This departmentwide assessment showed that many DOD information security staff are leaving for more lucrative jobs in the private sector. Also, no career track for information security staff exists, which has hampered efforts to recruit and retain quality personnel.

    Recommendation: To better focus management attention on DOD's increasing computer security threat and to ensure that a higher priority and sufficient resources are devoted to addressing this problem, the Secretary of Defense should strengthen the DOD computer security program by requiring information system security officers at all installations and setting specific standards for ensuring that these as well as system and network managers are given sufficient time and training to perform their duties appropriately.

    Agency Affected: Department of Defense

  4. Status: Closed - Implemented

    Comments: DOD agreed fully with the recommendation and cited some efforts under way at the time of GAO's review, including budgeting funds in fiscal years 1997 through 2001 for information security education and awareness. The Assistant Secretary of Defense for Command, Control, Communications and Intelligence agreed to direct a thorough departmentwide assessment of its overall efforts to make users more aware and trained in matters involving information security risks in general, risks of being connected to the Internet, and individual responsibility and accountability for securing systems. Since then, JCS Instruction 6510.01B has been approved which requires the use of training and greater awareness for all Defense personnel. In addition, the DIAP and JTF - CND indicate that better training and increased awareness are key to improving departmentwide computer security and will be accomplished.

    Recommendation: To better focus management attention on DOD's increasing computer security threat and to ensure that a higher priority and sufficient resources are devoted to addressing this problem, the Secretary of Defense should strengthen the DOD computer security program by requiring the military services and DOD agencies to use training and other mechanisms to increase awareness and accountability among installation commanders and all personnel as to the security risks of computer systems connected to the Internet and their responsibility for securing their systems.

    Agency Affected: Department of Defense

  5. Status: Closed - Implemented

    Comments: DOD concurred fully with the recommendation, noting that implementation of information systems security was not uniformly and comprehensively addressed departmentwide. DOD cited some actions that were already under way during GAO's review, including the military services' establishment of incident response organizations and use of intrusion detection software. Since GAO's review, DOD has established the Defense-wide Information Assurance Program (DIAP) and the Joint Task Force Computer Network Defense (JTF - CND) in recognition of the findings in the report and the need for strengthening computer security across the department. In addition, DOD has issued Chairman of the Joint Chiefs of Staff Instruction (JCS) 6510.01B, Defensive Information Operations Implementation, dated 22 August 1997, requires security incident reporting, risk assessments, correction of vulnerabilities, and damage assessments.

    Recommendation: To better focus management attention on DOD's increasing computer security threat and to ensure that a higher priority and sufficient resources are devoted to addressing this problem, the Secretary of Defense should strengthen the DOD computer security program by developing departmentwide policies for preventing, detecting, and responding to attacks on DOD information systems, including mandating that: (1) all security incidents be reported within DOD; (2) risk assessments be performed routinely to determine vulnerability to attacks and intrusions; (3) vulnerabilities and deficiencies be expeditiously corrected as they are identified; and (4) damage from intrusions be expeditiously assessed to ensure the integrity of data and systems compromised.

    Agency Affected: Department of Defense

  6. Status: Closed - Implemented

    Comments: DOD concurred fully and has updated its information security policy and directives to make selected information security practices mandatory and improve accountability among all department users. Most importantly, JCS Instruction 6510.01B assigns and fully discloses the computer security responsibilities of all DOD, as well as NSA, officials. Specific responsibilities are delineated for the Director for Intelligence, DIA; J-3; J-6; Commander in Chief, U.S. Space Command; Director, NSA; CINCs; military services; and defense agencies.

    Recommendation: The Secretary of Defense should assign clear responsibility and accountability within the Office of the Secretary of Defense, the military services, and DOD agencies for ensuring successful implementation of this computer security program.

    Agency Affected: Department of Defense

 

Explore the full database of GAO's Open Recommendations »

Nov 18, 2014

Nov 17, 2014

Sep 18, 2014

Sep 16, 2014

Sep 8, 2014

Jul 17, 2014

Jun 25, 2014

May 30, 2014

Apr 17, 2014

Apr 2, 2014

Looking for more? Browse all our products here