Are Military Computers Safe?
Congress questions Defense Department's cybersecurity plans.
WASHINGTON -- The U.S. Department of Defense relies too much on commercial software and doesn't even know who's writing it, and that's only one of its significant cybersecurity problems, witnesses told a U.S. House of Representatives subcommittee Thursday.
The military's use of off-the-shelf applications has improved its computing efforts and saved money over the last 20 years, but such software has its downside, said professor Eugene Spafford, director of the Center for Education and Research in Information Assurance and Security at Purdue University.
"Most of those products are not written to be used in an environment where there is a significant threat," Spafford told the House Armed Services Committee's Subcommittee on Terrorism, Unconventional Threats, and Capabilities. "We have...attacks being committed by hackers, by anarchists, by criminals, probably by foreign intelligence services. The [commercial] products have not been designed to be reliable or robust under those kinds of circumstances."
As the subcommittee tried to assess cybersecurity programs at the DOD, Spafford and Robert Dacey, director of the Information Technology Team at the General Accounting Office, both questioned the military's cybersecurity efforts.
Standards or Susceptible?
Besides relying too much on commercial software, the DOD uses the same programs across too many systems, Spafford said, without naming any packages. Common software suffered about 2000 vulnerabilities last year, he added.
"When a new attack is found that has affected any one of these products, it seeps through the entire network," he said. "Operators of systems may be in the position of applying three to five security critical patches per week for every system under their control. That really is unacceptable for us to be in a state of high readiness."
But Scott Charney, Microsoft's chief security strategist, said homogeneous software systems also have advantages. It's easier to train administrators on one program than many, he said, and agencies can patch holes faster if they have just one product to patch.
"Reasonable minds are debating whether a homogeneous environment or a heterogeneous environment is better for decreasing risk," Charney said. "The advantage of a homogeneous environment, or more of a mono-culture, is it's much easier to manage."
The GAO's Dacey highlighted cybersecurity weaknesses reported in DOD reports for 2002. He said the DOD is concerned about the time it takes to plug holes, to train all its workers, and to distribute computer security policies quickly. Other DOD concerns include insufficient testing of cybersecurity policies and the desire to promote use of authentication certificates. The DOD at least acknowledges those problems, Dacey added.
Robert Lentz, the DOD's director of information assurance, said the agency is making "significant progress" toward protecting its networks. It is complying with cybersecurity policies required by the Federal Information Security Management Act of 2002, and has a cybersecurity road map to help defend systems and networks, encourage research, and protect information.
Last year, the DOD successfully defended against 50,000 attempts to gain root-level access on its computers, Lentz said.
Whose Code?
While Lentz defended the DOD's cybersecurity efforts, Spafford questioned the DOD's use of commercial software produced outside the United States.
"An increasing amount of this software is being written by individuals we would not allow into the environments where it's operating," Spafford said. "The reason for that is, they're not U.S. citizens...they don't have any kind of background checks."
Outsourcing software development is good for the world economy and good for U.S. vendors trying to compete on price, but using such software for systems containing national security information may be questionable, Spafford said.
"It introduces a tremendous vulnerability to our systems," he said. "The software is being developed, sometimes tens of millions of lines, by individuals whose motivations and agendas may not be fully known."
The question is not where software was developed, Microsoft's Charney suggested. Instead, licensees should ask if the finished program underwent good quality-assurance tests.
"One of the things you have to have is very rigorous processes in place to examine the code," he said. "If you are getting components from overseas and actually reviewing the quality of the component and testing the component, you will know what's in your code."
What-If Scenarios
Representative Roscoe Bartlett, a Maryland Republican, asked witnesses what would happen to the U.S. military if all computer systems were knocked out. A nuclear bomb set off in the upper atmosphere could take out most communication satellites, and Bartlett questioned whether the DOD has a backup plan for such a scenario.
"Are we just through if our computer systems don't work?" he asked.
Such a scenario seems unlikely, Spafford answered. "Taking out all the computers would be a very difficult thing to do," he said.
Representatives Marty Meehan, a Massachusetts Democrat, and Joe Wilson, a South Carolina Republican, both asked whether cyberterrorism training camps exist.
Lentz offered to give representatives a classified briefing, and Spafford suggested that tools are easily available to instruct anyone how to be a cyberterrorist.
"There are bulletin boards and discussion lists where techniques are taught, where tools are available, so that anyone, even a juvenile, spending a minimum amount of time online, is able to learn some very sophisticated attack methodologies," Spafford said.

























