[ISN] Hacker attacks hitting Pentagon

[InfoSec News]

http://www.baltimoresun.com/news/nationworld/bal-te.nsa02jul02,0,754404.story?coll=bal-home-headlines

By Siobhan Gorman
sun reporter
July 2, 2006

Sun exclusive

WASHINGTON -- The number of reported attempts to penetrate Pentagon
computer networks rose sharply in the past decade, from fewer than 800
in 1996 to more than 160,000 last year - thousands of them successful.  
At the same time, the nation's ability to safeguard sensitive data in
those and other government computer systems is becoming obsolete as
efforts to make improvements have faltered and stalled.

A National Security Agency program to protect secrets at the Defense
Department and intelligence and other agencies is seven years behind
schedule, triggering concerns that the data will be increasingly
vulnerable to theft, according to intelligence officials and
unclassified internal NSA documents obtained by The Sun.

When fully implemented, the program would build a new encryption
system to strengthen protections on computer networks and would more
effectively control the access of millions of people to government
computer systems and buildings.

Launched in 1999, the program was to have been completed last year,
but it fell behind in part because of differences between the NSA and
the Pentagon. The NSA is trying to revamp the program, although the
deadline has slid to 2012, with the most substantive security
improvements planned for 2018.

An internal NSA report in April 2005 described the problem as
"critical," noting that 30 percent of the agency's security equipment
does not provide "adequate" protection; another 46 percent is
approaching that status.

"Much of the existing cryptographic equipment is based on ...  
technologies that are 20-30+ years old," said the report from the
agency's information security directorate. At the same time, it noted,
technology for breaking into computer systems has improved, which
"gives our adversaries enhanced capabilities."

Pentagon computers, in particular, are under constant attack.  
Recently, Chinese hackers were able to penetrate and steal data from a
classified computer system serving the Joint Chiefs of Staff,
according to two sources familiar with the incident. A security team
spent weeks eliminating the breach and installing additional
safeguards.

The Pentagon declined interview requests for two information security
officials, but a spokesman said in a written statement that the NSA is
continually assisting the Pentagon to "maintain best security
practices" and raise the level of information security.

NSA spokesman Don Weber said in a statement that because information
security is a core mission of the agency, "any speculation that we,
along with our partners would leave national security systems
vulnerable, is unfounded."

Among 18 current and former officials and security experts interviewed
for this article, several would speak only on condition of anonymity
because many details of the program are sensitive and reveal
vulnerabilities in the nation's defenses.

Encryption, which is an electronic lock, is among the most important
of security tools, scrambling sensitive information so that it can
ride securely in communications over the Internet or phone lines, and
requiring a key to decipher.

Powerful encryption is necessary for protecting information that is
beamed from soldiers on the battlefield or that guards data in
computers at the NSA's Fort Meade headquarters. Without updated
encryption, sensitive information could be stolen by China or other
countries that have regularly tried to break into U.S. government
systems to steal military and intelligence secrets. There are emerging
concerns about Iran's desire to do so, as well.

"This stuff is enormously important," said John P. Stenbit, the
Pentagon's chief information officer until 2004. "If the keys get into
the wrong hands, all kinds of bad things happen. You don't want to
just let a hacker grab the key as it's going through the Internet."

The NSA report warned that "serious risks" in the Pentagon's security
system jeopardize its ability to execute its missions effectively. A
December 2005 NSA planning document described the program as crucial
for ensuring adequate protection for all national security programs.

"It's a pretty critical thing to do right ... because the government
relies on confidential communications so heavily," said Martin Roesch,
founder of Sourcefire, a computer security company in Columbia, Md.  
"It's kind of a fundamental capability."


A growing threat

As the program, known as Key Management Infrastructure, has faltered,
the potential for penetrating government computers has grown.  
Intelligence officials have said that as many as 100 countries pose
legitimate threats to U.S. government computers and those of companies
doing government work.

In the past decade, reported attempts to hack into Pentagon computers
have grown 200-fold, according to the Pentagon.

"Numerous states, terrorist and hackers groups, criminal syndicates,
and individuals continue to pose a threat to our computer systems,"  
Maj. Gen. Michael D. Maples, director of the Defense Intelligence
Agency, warned Congress this year. "Over the last few years, hackers
have exploited thousands of [Department of Defense] systems."

In addition to the NSA's aging security technology, some of the tools
required for encrypting data lack security protections and are
vulnerable, so an infiltrator could uncover and possibly replicate the
tools to access government data, according to the NSA's December 2005
planning document.

Intelligence specialists say potential attacks could include foreign
governments snooping for U.S. intelligence and military secrets and
using identity information to create false IDs, which could enable
them to gain access to military or intelligence facilities, computers
and even weapons systems, they said.

"What's at stake here is the security of the nation, because we are
under monster attack from China, Russia, Israel, France and so on," a
former government official said.

News reports last year revealed a major Chinese campaign called Titan
Rain that targeted unclassified Pentagon computer networks and others
at the Energy and Homeland Security departments. In a Miami case, the
Justice Department charged two men this year with channeling military
technology secrets to China that were obtained through hacking. It
brought similar charges against three others last fall in a case in
Los Angeles.

"The threat is much larger than we ever thought it was," said David
Szady, a former top counterintelligence official at the FBI and the
CIA. The Chinese "have been able to develop their military and their
systems on the backbone of United States technology."

Another country emerging as a concern is Iran. "They certainly are
able to, and would have an interest in doing it," said one former
senior intelligence official.

Cracking the government's aging encryption system would require a high
level of training of the type most likely occurring in countries such
as China or Russia.

But as commercial code-breaking technology improves, intelligence
experts said, it is possible that a technically astute terrorist or
even an unusually focused teenage hacker could infiltrate government
computers.

If hackers can break through weak encryption systems on government and
contractors' computers, they can hunt through different networks for
bits and pieces of information to thread together and assemble a
fairly good idea of U. S. defense capabilities - with the intent of
either copying them or devising a system to defeat them, said one
former NSA employee.

The new system would address a number of the security challenges that
exist with the explosion of wireless, networked communication devices,
according to internal NSA documents. The most sensitive data is
generally held in internal systems that are not exposed to the
Internet. But the Pentagon and other government agencies are
increasingly using Internet-based communications.

And as the demand grows for "smart" identification cards with computer
chips that verify the card holder's identity, so does the need for
sophisticated ways to manage who is being assigned cards, so that the
cards do not end up in the wrong hands, said Stephen Kent, a chief
scientist at BBN Technologies who has chaired government panels on
information security.


False starts

Sprawled across several government agencies, but centered at the NSA,
the Key Management Infrastructure program is actually a compilation of
about 25 programs; its costs, which are classified, are difficult to
gauge. One estimate pegs spending so far at $2 billion or more, said a
former government official familiar with the program. Other estimates
are in the hundreds of millions.

A critical problem with the project, according to several current and
former intelligence officials, is one that has afflicted other large
programs at the agency: poor management.

Like other major NSA efforts - such as the failed Trailblazer program
to rapidly sift out threat information, and the troubled Groundbreaker
program aimed at upgrading the agency's computer networks - an
ever-changing game plan has caused many of the project's problems,
current and former senior intelligence officials said.

One former senior intelligence official said that the NSA had
unrealistic expectations from the start and repeatedly opted for
delays to try to perfect the program. That left the government with
aging security protections in the quest for security nirvana, the
official said.

"NSA often will say, 'Well, this is not totally secure, so you can't
use it,' when the only alternative is nothing," the former official
said. "My worry is this push for perfect security is the enemy of good
security.

NSA officials have also had a difficult time forging consensus among
the agencies involved with the project, especially the Pentagon,
according to former officials familiar with the conflict.

"Anybody who doesn't like the way you're doing it can essentially
withdraw," the former senior intelligence official said. "It's a
program that is actually planned for failure."

After several false starts, the first phase of the program was
canceled in 2003, and its replacement has been in the planning stages
since then.

The NSA is re-evaluating the program, intelligence officials said.  
That reassessment - owed at least in part to pressure from Maj. Gen.  
Dale W. Meyerrose, the chief technology officer under spy chief John
D. Negroponte and the Pentagon - is expected to produce a new
blueprint, Meyerrose said in an interview. It also coincided with
incoming NSA Director Lt. Gen. Keith B. Alexander's agency-wide
review.

Under the current plan, the initial phase will be completed in 2012.  
Even then, it would at best provide only a level of security
equivalent to the existing system, current and former government
officials said. The agency would, however, be able to upgrade the
revised system, which is not possible now, they said.

Meyerrose acknowledged that the project has taken "a little longer
than we thought." He chalked it up to a lack of leadership in the
intelligence community to get behind the program, which he said would
change under the new spymaster. The program's planners, he said,
underestimated how difficult it would be to "synchronize" all the
moving parts of the program.

After the first false start, the NSA asked the consulting firm Booz
Allen Hamilton, which was involved in aspects of the project, to take
on a broader role to get the program's many segments working together.  
But the NSA is unhappy with the firm's performance, which it deemed
slow and rigid, one former government official said. A spokesman for
Booz Allen declined to comment, citing confidentiality agreements.

Booz Allen's contract is slated to end in October, and the NSA plans
to do the work on its own, probably with assistance from a new
contractor, the former official said.

Although Richard C. Schaeffer, in charge of the NSA's information
security division, characterized the current timetable for the program
as "aggressive" in a statement to The Sun, some officials are
concerned that the schedule is sliding again, according to a former
government official familiar with the program. The NSA was supposed to
award a contract for the revamped program last December, but that
shifted to June and then to October.

"It's pretty scandalous. It certainly has been a start, restart,
start, restart," said one former intelligence official. "It seems
stunning to me."

Meanwhile, given the pace of technology, every year that the project
slips, it becomes less relevant, said a former government official
familiar with the project.

"You're going to introduce something that is completely obsolete," he
said.

While 2012 is the target date for wrapping up the current phase of the
program, Meyerrose said, some portions will be implemented in the
interim.

But some intelligence officials said they are concerned that
components of the program could be delayed until 2018, when the next
phase of more substantive security changes is to be completed, and the
April 2005 NSA report highlights this possibility.

The program's delay also is likely to hold up some major Pentagon
efforts that rely on secure information, such as the Global
Information Grid, a network under development that aims to manage all
national security information around the world, former intelligence
officials said. Both the NSA report and planning documents emphasize
the dependency of this network and other defense programs on the key
management program.

"If you can't communicate securely, the enemy has the potential to
know what you're doing," one former official said. "Information
security is Job One."

siobhan.gorman (at) baltsun.com

Copyright © 2006, The Baltimore Sun