Information Security: Computer Attacks at Department of Defense Pose Increasing Risks

AIMD-96-84 May 22, 1996
Full Report (PDF, 48 pages)  

Summary

Unknown and unauthorized persons are increasingly attacking and gaining access to highly sensitive information in the Defense Department's (DOD) computer systems. Although the exact number of attacks cannot be precisely determined, recent data suggest that DOD may have experienced as many as 250,000 attacks last year. These attacks are often successful, and the number of attacks is doubling each year as Internet use increases and hackers become more sophisticated. At a minimum, these attacks are a multimillion dollar nuisance to the Pentagon. At worst, they pose a serious threat to national security. Attackers have seized control of entire DOD systems, some of which control critical functions, such as weapons system research and development, logistics, and finance. Attackers have also stolen, modified, and destroyed data and software. The potential for catastrophic damage is great.

DOD is taking steps to address this growing problem but faces major challenges in controlling unauthorized access to its computer systems. DOD is now trying to react to successful attacks as it learns of them, but it has no uniform policy for assessing risks, protecting its systems, responding to incidents, or assessing damage. Training of users and system and network administrators is haphazard and constrained by limited resources. Technical solutions, such as firewalls, smart cards, and network monitoring systems, should help, but their success depends on whether DOD implements them in tandem with better policy and personnel measures.

GAO summarized this report in testimony before Congress; see: Information Security: Computer Attacks at Department of Defense Pose Increasing Risks, by Jack L. Brock, Jr., Director of Defense Information and Financial Management Systems, before the Permanent Subcommittee on Investigations, Senate Committee on Governmental Affairs. GAO/T-AIMD-96-92, May 22 (seven pages).

GAO found that: (1) DOD relies on a complex information infrastructure to design weapons, identify and track enemy targets, pay soldiers, mobilize reservists, and manage supplies; (2) use of the Internet to enhance communication and information sharing has increased DOD exposure to attack, since the Internet provides unauthorized users a means to access DOD systems; (3) while the DOD information available on the Internet is unclassified, it is sensitive and must be restricted; (4) only about 1 in 500 attacks is detected and reported, but the Defense Information Systems Agency (DISA) estimates that DOD is attacked about 250,000 times per year; (5) attackers have stolen, modified, and destroyed data and software, disabled protection systems to allow future unauthorized access, and shut down entire systems and networks to preclude authorized use; (6) security breaches pose a serious risk to national security because terrorists or U.S. adversaries could disrupt the national information infrastructure; (7) security breaches cost DOD hundreds of millions of dollars annually; and (8) DOD needs to increase the resources devoted to computer security, update the policies that govern computer security, and increase security training for system and network administrators.