Loading ...
Sorry, an error occurred while loading the content.


Expand Messages
  • Fred Cohen
    Defense Information and Electronics Report September 7, 2001 JTF-CNO Battles Surging Tide Of More-Destructive Computer Attacks DOD s Joint Task Force for
    Message 1 of 1 , Sep 10, 2001
      Defense Information and Electronics Report
      September 7, 2001
      JTF-CNO Battles Surging Tide Of More-Destructive Computer Attacks
      DOD's Joint Task Force for Computer Network Operations office is permanently
      on an "at-war footing" because of the constant computer attacks against
      Pentagon computer networks, according to JTF-CNO commander Army Maj. Gen.
      Dave Bryan.
      The threats to Defense Department computer networks continue to increase in
      number, sophistication and destructive potential, according to Bryan, who
      leads the task force responsible for defending DOD computer systems.
      "Because we consider ourselves at war, we maintain an at-war footing. A
      24-by-seven-by-365, fully manned watch, in which we have computer analysts,
      network experts and . . . real time sensors," Bryan said.
      Both the people that attack DOD computers and the tools they use to do the
      attacking have increased in number and sophistication, Bryan said. Computer
      criminals are no longer primarily teenage hackers with too much time on
      their hands, he said.
      The other, more serious, threats to DOD networks fall into three groups,
      Bryan explained. They are foreign governments, terrorist and dissident
      organizations, and spies.
      Although the cyber-adversaries have various political motivations, enemy
      states and terrorist groups turn to information warfare for the same
      reasons, Bryan said.
      First of all, because the U.S. military capability is far superior to most
      nations, information warfare is an "asymmetric" alternative to traditional
      military confrontation. The ratio of risk to reward is much lower. A
      computer attacker runs no risk of being killed during the attack.
      Secondly, these groups know the United States and its military are greatly
      dependent on information technology systems, so that the systems DOD uses to
      be more effective can actually become liabilities. Lastly, enemies know the
      U.S. is an open society, which is reluctant to block Internet gateways that
      provide easy access for attackers.
      The United States, in a sense, is a potential adversaries' "best dream come
      true in terms of the potential for our capabilities to be exploited," Bryan
      In addition, recent arrests of FBI counterintelligence agent Robert Hansen
      and National Reconnaissance Office systems administrator Brian Regan, is
      evidence that the threat from espionage is still alive in the wake of the
      Cold War, he said.
      A case can be made, he argued, that the threat from espionage is "on a scale
      unprecedented" in America's history, and both Hansen and Regan exploited
      their access to networked, classified information.
      The Viruses and worms that attacked computer networks worldwide have also
      become more menacing. The progression from the "Melissa" virus in the spring
      of 1999 to the two versions of the "Code Red" worm that infected Pentagon
      computers last month is illustrative of this increasing sophistication.
      The Code Red worm, in fact, had more than twice the effect on DOD systems
      than worms that were seen as recently as January, Bryan said. The "Anna
      Kournikova" worm that appeared then, for example, caused only very minor
      problems for DOD.
      Code Red, by contrast, caused the department to shut down access to several
      of its Internet gateways in response to the scanning activity that the worm
      caused in computers it affected (Defense Information and Electronics Report,
      Aug. 31, 2001, p1).
      "In just a few months [attacks] went from very simple worms to complex
      worms, to worms that by their very infection technique caused
      denial-of-service scanning against networks," Bryan said.
      While infection techniques are getting more vicious, the sheer numbers of
      attempts to infiltrate DOD computers continue to rapidly increase, according
      to Bryan.
      In 1998 the number of detected unauthorized "events" against DOD computers
      was 5,844, according to Bryan's briefing. By 2000, that number had increased
      to 23,662. So far this year, there have already been 28,106 of these events.
      Bryan predicts there will be more than 40,000 by year's end.
      While these numbers reflect everything from harmless, and perhaps even
      accidental, attempts at unauthorized access, the skyrocketing volume does
      indicate that malicious intrusion attempts are also increasing, according to
      Although DOD computers are increasingly threatened, Bryan claimed the
      JTF-CNO is doing a better job defending against those threats. Of the 28,106
      "events" detected so far this year, for example, there have been just 369
      successful intrusions.
      The vast majority of those intrusions, moreover, were due to vulnerabilities
      that the JTF-CNO has seen before and that are easily preventable, he said.
      One of the problems that they are working to remedy, for example, is that
      some DOD employees fail to adhere to the department's policy of having
      difficult-to-guess passwords.
      The word "password," Bryan said, is the most common password at DOD.
      Only 1 percent -- less than four -- of the intrusions were new intrusion
      methods that necessitated intense analysis, Bryan indicated.
      Formed through the merger of the Joint Task Forces for Computer Network
      Attack and Defense, the U.S. Space Command task force changed its name to
      JTF-CNO April 2, when responsibility for computer network attack capability
      was formally transferred to SPACECOM.
      In response to the increasing quantity and quality of threats, the JTF-CNO
      has steadily increased its "optempo," or operational rate of activity, Bryan
      So far this year, the JTF-CNO has participated in eight major computer
      network defense and attack exercises involving the various unified commands.
      The task force has also dealt with the real-world occurrence of six major
      virus attacks in five months, including three variants of the Code Red virus
      in just nine days last month, according to Bryan's briefing.
      To keep up with the larger number of events, the optempo of the five
      month-old JTF-CNO is continuing to increase. They are "very quickly
      expanding and manning," getting additional funding for better technology,
      participating in partnerships with the private-sector to increase the
      technical capabilities of their people, and pushing "in the policy and legal
      world for expanded authority" to pursue their mission, Bryan said.
      -- Hampton Stephens
    Your message has been successfully submitted and would be delivered to recipients shortly.