[infowar.de] Defense Department lacks data on cyberterror threat
July 24, 2003
Defense Department lacks data on cyberterror threat
By William New, National Journal's Technology Daily
More research is needed on how to protect the Defense Department's
communications systems from cyberterrorism, the department's top
information security official said on Thursday.
"One gap that needs to be filled immediately is the need to do more
research in this area," Robert Lentz, director of information assurance
at Defense, told the House Armed Services Terrorism, Unconventional
Threats and Capabilities Subcommittee. Lentz added that the defense
community has held an "aggressive series of working groups" on cyber
security in the past year.
But the General Accounting Office highlighted persistent weaknesses
across the federal government. "Our most recent analyses of audit and
evaluation reports for the 24 major departments and agencies continued
to highlight significant information security weaknesses that place a
broad array of federal operations and assets at risk of fraud, misuse
and disruption," said Robert Dacey, director of the GAO information
Dacey said GAO found that Defense still lacks mechanisms to assess its
compliance with information security standards.
"Without a Defense-wide information assurance policy and implemented
practices, the Defense Department's networks may be vulnerable to anyone
who has a computer, the knowledge and the willpower to launch cyber
attacks," said Subcommittee Chairman Jim Saxton, R-N.J. And subcommittee
ranking Democrat Martin Meehan of Massachusetts added, "Many [Defense]
systems remain redundant, outdated and inefficient."
Members of the subcommittee raised questions about whether the proposed
cut of $2 billion from the information technology component of the House
Defense authorization bill would impact the department's ability to
protect communications systems.
Eugene Spafford, a Purdue University professor and information assurance
expert, cited the risks inherent in Defense using so much commercial
technology. He said that any adversary could buy such technology and
that it may not be sufficiently robust to withstand attacks. Spafford
also said the high number of patches required to keep commercial
software ahead of attackers is "unacceptable for us to be in a high
state of [military] readiness."
Panelists debated how to address the potential problem that increasing
numbers of software developers do not have security clearance or are
foreign. Scott Charney, chief security strategist at Microsoft, said the
level of risk depends on the development process, not who is doing the
work. There must be quality assurance around the software code, he said.
Dacey said GAO is studying the issue.
Lentz said his office has daily contact with the Homeland Security
Department entities that have longstanding close relations with Defense,
such as the National Communications System and the National
Infrastructure Protection Center (NIPC). Defense now is placing
officials within the NIPC, he said.
Lentz said Defense and Homeland Security are discussing ways to
coordinate cybersecurity research and development.
Subcommittee members asked about terrorist camps that teach computer
hacking, but Lentz said he would have to answer privately. Spafford said
bulletin boards and discussion lists teach cyberterrorism techniques to
anyone. "We have perhaps a virtual worldwide training camp," he said.