Government Sites Guard Against Intruders

Hacker attacks are embarrassing, but agencies fear real damage.

Giada Zampano, Medill News Service

• Email
• RSS
• 0 Comments

Hackers attacked 130,000 government sites on 1.1 million hosts last year, according to the National Institute of Standards and Technology.

"They are public, they are visible, they represent large institutions, and they guarantee a certain amount of coverage in the media, so they're easy targets," says Timothy Grance, manager of the System and Networks Security Group for NIST. "But this doesn't mean that government Web sites are less technically secure than other sites."

The battle between federal officials and computer intruders has intensified in recent months. Hackers have attacked Web sites maintained by the FBI, the Senate, the Interior Department, and the White House.

The latest target was the Army's main Web site, which Sunday night was vandalized for nearly nine hours before Pentagon workers noticed and repaired it. The Web pirates announced the attack was intended "to settle rumors" about the demise of the hackers' group. The same group claimed responsibility for the May attack on the White House Web site.

Embarrassing, Not Fatal

The most recent series of attacks have generally focused on defacing the sites in order to crash servers. They've mostly caused only embarrassment and temporary shutdowns in the agencies' Web site services.

But the hackers' intrusions also raise broader information security concerns across the federal government.

A panel of experts testified before the Technology Subcommittee of the House Science Committee last week about the necessity of an adequate policy to prevent information security attacks.

"People, both in the private and public sector, have to think about security as a prior requirement for their system," says Keith Rhodes, a director in the information management division of the General Accounting Office who participated in the hearing. "Agencies tend to look at security from a system perspective but not an organization-wide perspective, and tend to treat information security as a technical function rather than a management function."

The Department of Defense is an example of a huge governmental branch where computer-security expertise is still uneven, Rhodes says.

"They're at the same time the best and the worst in computer security," Rhodes says. "They have some of the best experts and tools in the business, but they don't implement security uniformly."

Separate Servers for Safety

In the past year the Department of Defense has, in fact, tried to improve computer training for both information security personnel and regular employees.

"We realized that too frequently the network manager is an already busy administration person," says Susan Hansen, a DOD representative. "We need more specifically trained security personnel and an awareness training for all our employees, and we're acting in that direction."

The department is expanding its computer emergency response teams and establishing a continuous "vulnerability analysis and assessment program," Deputy Defense Secretary John Hamre told two congressional committees in February.

Primarily, vulnerable departments should isolate their Web server from their internal network, security agency experts urge. They also suggest organizations begin to include explicit security requirements when selecting server and host technologies.

"We're in an era of 'point-and-click' attacks, where a big number of attack tools are freely available to anyone on the Web," Grance says. "Some of the authors of the attacks are not sophisticated hackers, they're just computer-literate people."

A 1998 NIST analysis of 237 attacks found that almost 30 percent could launch from a Windows program and 20 percent were able to penetrate network elements like routers, printers, and firewalls.

"The attack environment is moving very fast, while the government agencies are reacting slowly," says Rhodes. "And while intruding tools are getting automated and easier to use, a lot of the new software being sent out is getting weaker and easier to bust."

• Email
• Print
• RSS