Information Security: Computer Attacks at Department of Defense Pose Increasing Risks, Statement of Jack L. Brock, Jr., Director Defense Information and Financial Management Systems Accounting and Information Management Division, Testimony Before the Permanent Subcommittee on Investigations, Committee on Governmental Affairs, U.S. Senate
Computer attacks at the Defense Department (DoD) pose increasing risks of access to highly sensitive information. Recent data suggest that DoD may have experienced as many as 250,000 attacks last year. These attacks are often successful, and the number of attacks is doubling each year as Internet use increases and hackers become more sophisticated. At a minimum, these attacks are a multimillion-dollar nuisance to the Pentagon. At worst, they pose a serious threat to national security. Attackers have seized control of entire DoD systems, some of which control critical functions, such as weapons system research and development, logistics, and finance. Attackers have also stolen, modified, and destroyed data and software. The potential for catastrophic damage is great. The DoD is taking steps to address this growing problem but faces major challenges in controlling unauthorized access to its computer systems. Moreover, the DoD is now trying to react to successful attacks as it learns of them, but it has no uniform policy for assessing risks, protecting its systems, responding to incidents, or assessing damage. Training of users and system and network administrators is haphazard and constrained by limited resources. Technical solutions, such as firewalls, smart cards, and network monitoring systems, should help, but their success depends on whether DoD implements them in tandem with better policy and personnel measures.