[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[infowar.de] WPO 27.9.01: Key U.S. Computer Systems Called Vulnerable To Attack
September 27, 2001
Key U.S. Computer Systems Called Vulnerable To Attack
Defense, Faa Among Agencies Lacking Security, Experts Say
By Robert O'Harrow, Jr., Washington Post Staff Writer
As the Bush administration prepares to fight terrorism abroad, it faces a long-standing vulnerability at home: a persistent lack of security for computer systems at the Defense Department, the Federal Aviation Administration and other key government offices.
Despite repeated warnings about the threat foreign governments, terrorists and hackers pose, at least 24 federal agencies have failed to adopt effective security to protect their computers and networks from attacks over the Internet, according to government reports, computer experts and former intelligence officials.
Many agencies still do not use passwords properly, some cannot detect intruders, and government systems overall are so porous, specialists say, that hackers can use even an innocuous agency's network to breach other, more sensitive systems via the Internet.
Chinese hackers, angered by the death of a Chinese pilot in a collision with an American spy plane, were able to deface several government Web sites in April. In a case last year, a computer virus breached Defense Department security, damaging some computers and infecting some classified systems.
With the number and sophistication of computer attacks rising, "a clear risk exists that terrorists or hostile foreign states could launch computer-based attacks on systems supporting critical infrastructures to severely damage or disrupt national defense or vital public operations or steal sensitive data," the General Accounting Office concluded this spring.
Robert Dacey, director of information security issues at the GAO, told Congress in April that major agencies' systems "are riddled with weaknesses" that "place a broad array of federal operations and assets at risk of fraud, misuse and disruptions."
The National Security Agency, the supersecret electronic spy agency that also protects U.S. codes, has warned that foreign governments have already developed ways to attack U.S. computer systems.
Officials worry about attacks involving computer viruses that might disrupt communications, destroy sensitive information or disable such sensitive operations as the FAA flight control system or those that support Pentagon war efforts.
Bush administration officials said they recognize the exposure and plan to issue an executive order in the next few weeks to create an office of cyber-security in the National Security Council office in the White House to deal with it. Yesterday, an FBI official told a House subcommittee that the bureau and other agencies are working on the problem.
The problem extends beyond the government. Many businesses also have failed to make security a priority in recent years and have suffered the same sorts of disruptions. Security specialists warn that power grids, banking networks and other key private computer systems could be targeted.
Previous initiatives to defend government computers have foundered, in some cases because of budget troubles or bureaucratic squabbling.
The National Infrastructure Protection Center, set up at the FBI in 1998 to detect and help prevent cyber-threats, didn't have enough specialists to staff a 24-hour unit to monitor the Internet, in part because of FBI budget restraints, another GAO report found. And the CIA and National Security Agency left key posts at the center vacant for more than a year.
A Defense Department plan to protect its sprawling global computer systems, promised after audits found glaring security weaknesses, missed its own deadlines because the agency didn't hire enough managers to run the initiative, the GAO found.
"It leaves us all very vulnerable, and nobody has been paying attention," said Sallie McDonald, the assistant commissioner of the Office of Information Assurance and Critical Infrastructure Protection at the General Services Administration. "It's not just hackers that we have to be worried about. It's nation states."
A senior FBI official said that "while government systems have vulnerabilities which are being exploited, the agencies are working extremely hard to formulate and implement policies to reduce those risks."
The number of attacks has soared in recent years. Three years ago, the Federal Computer Incident Response Center counted 376 incidentsaffecting 2,732 federal systems and 86 military systems. Last year, the number of incidents reported was 586, involving 575,568 federal systems and 148 military system.
In July, for example, the "Code Red" computer worm infected thousands of government computers. The White House had to change its Web site address to avoid the worm and the Pentagon temporarily blocked access to some areas of its public Web site while it installed protective software.
A few months earlier, the Chinese hackers invaded government and business Web sites -- including those run by the Navy and the departments of Labor and Health and Human Services. Last year, an attack program called "ILOVEYOU" penetrated systems at the Defense Department, the CIA and at least a dozen other agencies, as well as an array of private companies such as AT&T and Ford.
The vast majority of incidents are never reported, however, in part because some agencies sometimes cannot detect when a hacker has gained access to their files, officials said.
Last year, Congress mandated better security procedures, including a requirement that agencies give the Office of Management and Budget reports detailing assessments of computer security, starting this fall.
Frank Cilluffo, a senior policy analyst at the Center for Strategic and International Studies,a policy think tank, said security will not improve until the government better coordinates and funds its efforts.
"There's been a whole lot of talk and not a lot of action. . . . There's no accountability," he said, adding that policymakers have never had to confront a security breach even close to the severity of the attacks on Sept. 11. "There's no one pulling all these pieces together."
He added: "This is an issue that hasn't been in the mainstream. Now it's something that decision-makers, policymakers and others have to act upon."
Among the 24 agencies cited by inspectors general and the GAO for serious security gaps are the departments of Justice, State and the Treasury and the Nuclear Regulatory Commission. Problems include:
? U.S. Army Corps of Engineers systems had "serious vulnerabilities" that would allow both hackers and numerous legitimate users "to improperly modify, inappropriately disclose and/or destroy sensitive and financial data," according to a GAO report in October. The weaknesses increase the vulnerability of other Defense Department networks and systems to which the Corps's network is linked, it added.
? The FAA has routinely failed to secure physical access to its computer systems in recent years, and in several cases it failed to conduct background checks on auditors who have access to sensitive information. "FAA's efforts to prevent unauthorized access to data are inadequate in all critical areas we reviewed -- personnel security, facility physical security, system access security," the GAO reported last September.
"Until FAA addresses the pervasive weaknesses in its computer security program, its critical information systems will remain at increased risk of intrusion and attack, and its aviation operations will remain at risk," Joel C. Willemssen of the GAO told the House Committee on Science.
? The Environmental Protection Agency continues to have "pervasive problems that essentially rendered EPA's agency-wide information security program ineffective," according to a July 2000 GAO report. About the same time, hackers used an EPA site as a chat room to conduct electronic conversations. Officials said the EPA has been making efforts to bolster security, but problems remain.
? Auditors examining seven Commerce Department systems broke through security using the Internet and were in a position to "read, copy, modify, and delete sensitive economic, financial, personnel, and confidential business data."
Among other problems, investigators said, was that network users could gain extraordinary access to certain department databases simply by logging on as a systems administrator. No password was necessary.
Mail an infowar -
- infopeace -
de mit "unsubscribe" im Text.