[ISN] DoD News Briefing / Comments on the MOD

From: William Knowles <erehwon_at_dis.org>
Date: Fri 24 Apr 1998 - 14:33:58 CDT
[TRANSCRIPT]
 
DoD News Briefing
 
Thursday, April 23, 1998 - 2:25 p.m. (EDT)
Mr. Kenneth H. Bacon, ASD (PA)
------------------------------------------------------------------

[Snip..]

Q: Masters of Download. The nature of the material, software they
reportedly downloaded, and how much currency that software would
actually have on the market in terms of selling it to terrorists.
 
A: Anybody can go into the Internet and find their site and get 
this stuff. I've done it, you can do it as well. Let me just give 
you a general description of what they did and what they didn't do. 
Because what they did differs significantly from what has been 
described that they did.
 
First of all, there was no compromise of classified or critical
systems as a result of what happened. This happened last fall. 
It's not something that just happened. It happened last fall, 
and we were aware of the attempts to penetrate the system last 
fall when it did happen.
 
Second, the materials they downloaded do not, and I stress, 
do not, control Department of Defense systems such as the global 
positioning system, nor did the intrusion have any adverse effect
on the readiness of our forces, the capability to command our 
forces or to carry out our operations.
 
Having said all that, we take this and other intrusions seriously. 
It is being investigated by the proper authorities, and we have, 
since last fall, made some changes in this system to make it more 
difficult to conduct the type of intrusions that this group, 
Masters of Downloading, did.
 
Q: A spokesman for the National Infrastructure Protection Center 
in testimony before Congress in March quoted a DISA statistic that 
they estimate as many as 250,000 possible attempts to enter DoD 
type computers in 1995. Has that number increased, and has there 
been a change in the pattern of hacking attempts where it's become 
maybe more concentrated?

A: That figure, 250,000, came, as I recall, from a General 
Accounting report, a GAO report that came out I think in May 
of 1996. Basically 250,000 is an arithmetic estimate and it's 
based on a certain assessment that DISA makes of its own 
computers. It's a...

Charlie, do you have some good information you want to play on 
these computer penetration attempts? [Laughter] I wondered if 
maybe you had tape recorded that hearing and we could actually... 
It's like going on the Internet where you can push a button and 
hear a video report, see a video report or hear an audio report 
of what's going on.

Q: Let the record reflect that I accept that quietly. [Laughter]

A: At any rate, it was an estimate, and in 1995 DISA itself 
received reports of approximately 500 actual incidents. These 
could be viruses, they could be what they call malicious code. 
Some people might think of all computer codes as malicious, 
but these are maybe distorted codes or rewritten codes, various 
intrusions or other probes.

Since they believe that only 0.2 percent of efforts to intrude 
are reported, they extrapolated that there could have been as 
many as 250,000 attempts based on the fact that there were 500 
actual reports. Their statistical surveys have found that only 
a very small percentage of actual attempted intrusions are 
reported, and therefore, they multiplied it out to get the 
250,000.

Q: When you say reported, do you mean detected or...

A: They said reported, but I suppose it could mean detected, 
as well.

Q: The number of those detections or reported intrusions, 
are they increasing sharply since '95? Do you have 
statistics which...

A: I do, actually. Write these down. In 1992 there were 53 
attacks. These are based on the information that the Defense 
Information Systems Agency maintains on officially reported 
attacks; 1992, 53 attacks; 1992, 115 attacks; 1994, 255 attacks; 
1995, 559 attacks; 1996, more than 725 attacks; and in 1997, 
there was a decline to 575 attacks.

Q: Can you say whether the French are behind any of these 
attacks? [Laughter]

A: Mais non. [Laughter]

Q: ...aren't able to get into classified systems (inaudible), 
a danger or a risk. How secure are your telecommunications systems, 
the classified information? Are these hackers, could they be a 
threat to that type of system?

A: First, we believe that the classified systems, the Secret,
classified systems are much harder to break into, obviously, 
than the non-classified systems. Many of our non-classified 
systems use commercial telephone lines, etc. We think that the 
classified systems are secure. It's the non-classified systems 
where we've had the biggest problems, and this is a matter of 
growing concern to the Defense Department, and it's one that 
we're spending more and more time on.

The Deputy Secretary of Defense, John Hamre, has issued a series 
of policy directives in the last couple of months, ordering ways 
to improve the security of our computer systems. We're spending
approximately 3.6 billion dollars on computer security over the 
next five years. We're appointing individual officials by name 
to each computer network to be in charge of security so there 
will be sort of a central person to reach out to whenever there's 
a security problem, somebody whose responsibility it is to make 
sure that the networks are as secure as possible.
 
We're looking at a variety of other steps that can be taken to make
our computer systems more secure.

Q: ...the one, you said it wasn't related to GPS. What did it do?

A: As I understand it, it was a system that, first of all, it was
software. What they were able to download was some software that 
is used to automate recordkeeping functions and some management 
functions on a portion of a network that did deal with some 
communications and possibly some navigation, some positioning 
information. But what they were able to download was the software. 
We don't have any information that they manipulated it in a way 
that was damaging to the system.

Q: Is that illegal?

A: It's certainly impolite... [Laughter] I'm not prepared to say 
whether it was illegal. But it is being investigated by law 
enforcement authorities to make that determination right now.

Q: Have there been any successful penetrations into classified
systems?

A: Not that I'm aware of, but it's something that I will double 
check.

Q: Was this incident last fall in any way related to the incident 
that Mr. Hamre spoke of that occurred in February..

A: No. Not that we're aware of.

Q: I understand that a Joint Task Force is being formed to deal 
with protecting the Pentagon computers. Is this still in the 
conceptual stage, or have the blocks actually started coming 
together?

A: I can't answer that question. We are taking, every week, 
new steps to improve computer security, and the most fundamental 
step that we're taking is to increase awareness of the problem. 
And that was one of the, as I said, one of the signal achievements 
of the exercise the Joint Staff ran, ELIGIBLE RECEIVER, to improve 
the awareness of people within the Department of what the computer 
security issue is. We are also taking a number of other steps that 
involve looking at all sorts of software that's bought commercially 
to find out whether it adequately serves the needs of preventing 
viruses or setting up firewalls between systems, that type of thing. 
So we're doing a lot.

One of the main things that Deputy Secretary Hamre has done is to
issue instructions to all the services and all the military commands
to spend more time dealing with computer security. One of the things 
I pointed out last week was that we're trying to develop better 
computer counterintelligence capabilities so that we can learn more 
quickly when systems are being penetrated, who's penetrating them, 
and try to one, stop it; and two, find the cause of it and take 
appropriate action with law enforcement authorities if necessary.

Q: Can I follow up on just that question? Because this factor you
cited of .2 percent intrusion after detected is just appallingly 
low. I don't know if that's...

A: That's not what I said. The exact quote here is that they think
that only, this is a quote from DISA, that "only 0.2 percent of
incidents report."

Q: But we don't know what that means. I have no idea what it means.

A: I'll try to get the DISA report. DISA has testified before 
Congress on this. We'll get you the testimony. I'll give you a 
perfect example.

You might turn on your computer -- you or I might turn on your
computer and after you put in a disk and/or downloaded something 
from the Internet, and it might, a virus detector might say that 
a virus has been detected. Do you regard this as an intrusion or 
an attack on your computer system? If so, do you report it or do 
you say maybe I have a malfunctioning disk and not report it. 
I think it's that type of thing.
 
It's obviously, it's a big system. As I said the other day, 
there are, I think, over two million computers that we're
concerned about...  There are thousands and thousands of local 
area networks and thousands of long distance networks as well, 
so it's a massive undertaking to find out exactly what's going on.
 
One of the things we're trying to do is to centralize the
recordkeeping and to regularize it in a way so that it's much 
easier to keep records, and it's easier for everybody to 
understand what's going on because they're working from a common 
set of definitions.
 
Q: If DoD knew about this back in the fall and it was so horrible, 
why wasn't it announced just like the February attempts were announced?

A: Well, first of all, as you can see from the figures I read, 
there are hundreds of attacks, several hundred attacks every year 
that we detect; there may be, or that are reported. There may be 
many more that aren't reported. We're not in the business of 
announcing every time somebody... This is more than one a day. 
We're not in the business of going out and announcing these things. 
For one thing, I think there's sort of an echo effect or an imitator 
effect here. We don't want to encourage copycats. We don't want to 
encourage more teenage hackers than there already are trying to 
figure out ways to get into the DoD systems.
 
Q: Are these attacks, are they getting more serious? Are the 
hackers getting more sophisticated? Are we seeing the equivalent 
of spray painting graffiti, or are we seeing something more 
serious?
 
A: We have to take all of it seriously, even innocent youthful
attempts to break into Pentagon systems, because we basically 
don't want people trying to fiddle with our information in any 
way. I don't think I can quantify the seriousness of these 
various attacks. Sometimes it takes us awhile to figure out 
exactly what's going on. There's also the question of how much 
of the iceberg is above the water, how much is under the water. 
We take all of these things seriously.


== 
There's a compelling reason to master information & news.
Clearly there will be better job and financial opportunities..
Other high stakes will be missed by people if they don't
master and connect information.  --  Everette Dennis
--
http://www.dis.org/erehwon/


-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Dimensional Communications (www.dim.com)
Received on Fri Apr 24 16:38:33 1998