- Defense Information and Electronics Report
September 7, 2001
JTF-CNO Battles Surging Tide Of More-Destructive Computer Attacks
DOD's Joint Task Force for Computer Network Operations office is permanently
on an "at-war footing" because of the constant computer attacks against
Pentagon computer networks, according to JTF-CNO commander Army Maj. Gen.
The threats to Defense Department computer networks continue to increase in
number, sophistication and destructive potential, according to Bryan, who
leads the task force responsible for defending DOD computer systems.
"Because we consider ourselves at war, we maintain an at-war footing. A
24-by-seven-by-365, fully manned watch, in which we have computer analysts,
network experts and . . . real time sensors," Bryan said.
Both the people that attack DOD computers and the tools they use to do the
attacking have increased in number and sophistication, Bryan said. Computer
criminals are no longer primarily teenage hackers with too much time on
their hands, he said.
The other, more serious, threats to DOD networks fall into three groups,
Bryan explained. They are foreign governments, terrorist and dissident
organizations, and spies.
Although the cyber-adversaries have various political motivations, enemy
states and terrorist groups turn to information warfare for the same
reasons, Bryan said.
First of all, because the U.S. military capability is far superior to most
nations, information warfare is an "asymmetric" alternative to traditional
military confrontation. The ratio of risk to reward is much lower. A
computer attacker runs no risk of being killed during the attack.
Secondly, these groups know the United States and its military are greatly
dependent on information technology systems, so that the systems DOD uses to
be more effective can actually become liabilities. Lastly, enemies know the
U.S. is an open society, which is reluctant to block Internet gateways that
provide easy access for attackers.
The United States, in a sense, is a potential adversaries' "best dream come
true in terms of the potential for our capabilities to be exploited," Bryan
In addition, recent arrests of FBI counterintelligence agent Robert Hansen
and National Reconnaissance Office systems administrator Brian Regan, is
evidence that the threat from espionage is still alive in the wake of the
Cold War, he said.
A case can be made, he argued, that the threat from espionage is "on a scale
unprecedented" in America's history, and both Hansen and Regan exploited
their access to networked, classified information.
The Viruses and worms that attacked computer networks worldwide have also
become more menacing. The progression from the "Melissa" virus in the spring
of 1999 to the two versions of the "Code Red" worm that infected Pentagon
computers last month is illustrative of this increasing sophistication.
The Code Red worm, in fact, had more than twice the effect on DOD systems
than worms that were seen as recently as January, Bryan said. The "Anna
Kournikova" worm that appeared then, for example, caused only very minor
problems for DOD.
Code Red, by contrast, caused the department to shut down access to several
of its Internet gateways in response to the scanning activity that the worm
caused in computers it affected (Defense Information and Electronics Report,
Aug. 31, 2001, p1).
"In just a few months [attacks] went from very simple worms to complex
worms, to worms that by their very infection technique caused
denial-of-service scanning against networks," Bryan said.
While infection techniques are getting more vicious, the sheer numbers of
attempts to infiltrate DOD computers continue to rapidly increase, according
In 1998 the number of detected unauthorized "events" against DOD computers
was 5,844, according to Bryan's briefing. By 2000, that number had increased
to 23,662. So far this year, there have already been 28,106 of these events.
Bryan predicts there will be more than 40,000 by year's end.
While these numbers reflect everything from harmless, and perhaps even
accidental, attempts at unauthorized access, the skyrocketing volume does
indicate that malicious intrusion attempts are also increasing, according to
Although DOD computers are increasingly threatened, Bryan claimed the
JTF-CNO is doing a better job defending against those threats. Of the 28,106
"events" detected so far this year, for example, there have been just 369
The vast majority of those intrusions, moreover, were due to vulnerabilities
that the JTF-CNO has seen before and that are easily preventable, he said.
One of the problems that they are working to remedy, for example, is that
some DOD employees fail to adhere to the department's policy of having
The word "password," Bryan said, is the most common password at DOD.
Only 1 percent -- less than four -- of the intrusions were new intrusion
methods that necessitated intense analysis, Bryan indicated.
Formed through the merger of the Joint Task Forces for Computer Network
Attack and Defense, the U.S. Space Command task force changed its name to
JTF-CNO April 2, when responsibility for computer network attack capability
was formally transferred to SPACECOM.
In response to the increasing quantity and quality of threats, the JTF-CNO
has steadily increased its "optempo," or operational rate of activity, Bryan
So far this year, the JTF-CNO has participated in eight major computer
network defense and attack exercises involving the various unified commands.
The task force has also dealt with the real-world occurrence of six major
virus attacks in five months, including three variants of the Code Red virus
in just nine days last month, according to Bryan's briefing.
To keep up with the larger number of events, the optempo of the five
month-old JTF-CNO is continuing to increase. They are "very quickly
expanding and manning," getting additional funding for better technology,
participating in partnerships with the private-sector to increase the
technical capabilities of their people, and pushing "in the policy and legal
world for expanded authority" to pursue their mission, Bryan said.
-- Hampton Stephens