U.S. General Accounting Office, May 1996, GAO/AIMD-96-84, Defense Information Security, 1996
Attacks on Defense computer systems are a serious and growing threat. The exact
number of attacks cannot be readily determined because only a small portion are
actually detected and reported. However, Defense Information Systems Agency
(DISA) data implies that Defense may have experienced as many as 250,000
attacks last year. DISA information also shows that attacks are successful 65
percent of the time, and that the number of attacks is doubling each year, as
internet use increases along with the sophistication of "hackers"[1] and their tools. At a minimum, these attacks are a
multimillion dollar nuisance to Defense. At worst, they are a serious threat to
national security. Attackers have seized control of entire Defense systems,
many of which support critical functions, such as weapons systems research and
development, logistics, and finance. Attackers have also stolen, modified, and
destroyed data and software. In a well-publicized attack on Rome Laboratory,
the Air Force's premier command and control research facility, two hackers took
control of laboratory support systems, established links to foreign internet
sites, and stole tactical and artificial intelligence research data. The
potential for catastrophic damage is great. Organized foreign nationals or
terrorists could use "information warfare" techniques to disrupt military
operations by harming command and control systems, the public switch network,
and other systems or networks Defense relies on. Defense is taking action to
address this growing problem, but faces significant challenges in controlling
unauthorized access to its computer systems. Currently, Defense is attempting
to react to successful attacks as it learns of them, but it has no uniform
policy for assessing risks, protecting its systems, responding to incidents, or
assessing damage. . . .
According to Defense officials, attacks on Department computer systems have
been costly and considerably damaging. Attackers have stolen, modified, and
destroyed both data and software. They have installed unwanted files and "back
doors" which circumvent normal system protection and allow attackers
unauthorized access in the future. They have shut down entire systems and
networks, thereby denying service to users who depend on automated systems to
help meet critical missions. Numerous Defense functions have been adversely
affected, including weapons and supercomputer research, logistics, finance,
procurement, personnel management, military health, and payroll. Following are
examples of attacks to date. The first attack we highlight, on Rome Laboratory,
New York, was well-documented by Defense and of particular concern to
committees requesting this report because the attack shows how a small group of
hackers can easily and quickly take control of Defense networks.

Rome Laboratory, New York, is the Air Force's premier command and control research facility. The facility's research projects include artificial intelligence systems, radar guidance systems, and target detection and tracking systems. The laboratory works cooperatively with academic institutions, commercial research facilities, and Defense contractors in conducting its research and relies heavily on the internet in doing so.

During March and April 1994, more than 150 internet intrusions were made on the Laboratory by a British hacker and an unidentified hacker. The attackers used trojan horses[2] and sniffers to access and control Rome's operational network. . . . They also took measures to prevent a complete trace of their attack. Instead of accessing Rome Laboratory computers directly, they weaved their way through various phone switches in South America, through commercial sites on the east and west coast, and then to the Rome Laboratory.

The attackers were able to seize control of Rome's support systems for several days and establish links to foreign internet sites. During this time, they copied and downloaded critical information such as air tasking order[3] systems data. By masquerading as a trusted user at Rome Laboratory, they were also able to successfully attack systems at other government facilities, including the National Aeronautics and Space Administration's (NASA) Goddard Space Flight Center, Wright-Patterson Air Force Base, some Defense contractors, and other private sector organizations. . . .

Because the Air Force did not know it was attacked for at least 3 days, vast damage to Rome Laboratory systems and the information in those systems could potentially have occurred. As stated in the Air Force report on the incident, "We have only the intruders to thank for the fact that no lasting damage occurred. Had they decided, as a skilled attacker most certainly will, to bring down the network immediately after the initial intrusion, we would have been powerless to stop them." However, the Air Force really does not know whether or not any lasting damage occurred. Furthermore, because one of the attackers was never caught, investigators do not know what was done with the copied data.

The Air Force Information Warfare Center (AFIWC) estimated that the attacks cost the government over $500,000 at the Rome Laboratory alone. Their estimate included the time spent taking systems off the networks, verifying systems integrity, installing security patches, and restoring service, and costs incurred by the Air Force's Office of Special Investigations and Information Warfare Center. It also included estimates for time and money lost due to the Laboratory's research staff not being able to use their computer systems. However, the Air Force did not include the cost of the damage at other facilities attacked from the Rome Laboratory or the value of the research data that was compromised, copied, and downloaded by the attacker. For example, Rome Laboratory officials said that over 3 years of research and $4 million were invested in the air tasking order research project compromised by the attackers, and that it would have cost that much to replace it if they had been unable to recover from damage caused by the attackers. Similarly, Rome Laboratory officials told us that all of their research data is valuable but that they do not know how to estimate this value.
There also may have been some national security risks associated with the Rome
incident. Air Force officials told us that at least one of the hackers may have
been working for a foreign country interested in obtaining military research
data or information on areas in which the Air Force was conducting advanced
research. In addition, Air Force Information Warfare Center officials told us
that the hackers may have intended to install malicious code in software which
could be activated years later, possibly jeopardizing a weapons system's
ability to perform safely and as intended, and even threatening the lives of the
soldiers or pilots operating the system.
[1] The term hackers has a relatively long history. Hackers were at one time persons who explored the inner workings of computer systems to expand their capabilities, as opposed to those who simply used computer systems. Today the term generally refers to unauthorized individuals who attempt to penetrate information systems; browse, steal, or modify data; deny access or service to others; or cause damage or harm in some other way.
[2] A trojan horse is an independent program that when called by an authorized user performs a useful function, but also performs unauthorized functions, often usurping the privileges of the user.
[3] Air tasking orders are the messages
commanders use during wartime to communicate air battle
tactics, intelligence, and targeting information to pilots and other weapons
systems operators.
FRONTLINE · wgbh · pbs online