NSA concerns could hamper DOD Y2K fix

The National Security Agency has slapped a security blanket on the Pentagon's efforts to fix the Year 2000 millennium bug, which could further slow the Defense Department's alreadybehindschedule Year 2000 fixes. NSA has determined that all information detailing DOD's computers and its efforts to

The National Security Agency has slapped a security blanket on the Pentagon's efforts to fix the Year 2000 millennium bug, which could further slow the Defense Department's already-behind-schedule Year 2000 fixes.

NSA has determined that all information detailing DOD's computers and its efforts to fix the Year 2000 problem are a "national security interest" and "highly sensitive." As a result, the Pentagon has cut off the military services and DOD project offices from the Defense Integrated Support Tool (DIST) database, which the Defense Information Systems Agency maintains to provide details on all DOD computer systems and interfaces for use in planning and deployment.

DIST, according to DISA, is a database of some 9,000 DOD systems that the department uses to track such key areas as system interfaces, compliance with high-priority standards, interoperability testing, consolidation goals and Year 2000-compliance planning. DIST was seen as critical to the Year 2000 problem because it provides a central source of information about interfaces between different DOD systems, which is a chief concern of Year 2000 conversion efforts.DOD began using DIST to track Year 2000 compliance in August 1996, and a Dec. 19, 1997, memo from the Office of the Secretary of Defense to DOD chief information officers identified DIST as the "central, authoritative database for tracking resolution of the Year 2000-related problems for systems throughout the department."

That aggregation of extensive details about Year 2000 problems with DOD systems poses a threat to national security, according to NSA.

"The DOD's Y2K conversion effort is a national security interest," NSA reported in a statement supplied to FCW. "All information detailing these information systems and the progress being made toward their conversions is considered to be highly sensitive."

DOD is not trying to cover up information about its Year 2000 efforts, a DOD spokeswoman said. "We couldn't hide what we're doing if we wanted to, and we certainly don't want to," she said. "The idea is to move these fixes along at the fastest possible clip but not to jeopardize other security measures as we do it."

While industry and service sources said they could understand NSA's security concerns, they said the classification could hobble the Pentagon's already-delayed Year 2000 remediation efforts. One former high-ranking DOD official described the classification issue as symptomatic of what he called the Pentagon's "gross mismanagement" of Year 2000 issues.

The classification of the DIST database, which Electronic Data Systems Corp. developed, already has adversely affected personnel working on Year 2000 issues. Capt. Clifford Szafran, the Navy's Year 2000 team leader, said the NSA classification forced DISA to move the database from unclassified networks to the Secret Internet Protocol Router Network (SIPRNET), to which only a limited number of DOD personnel have access.

"No one doing Y2K has SIPRNET access,'' Szafran said during a panel discussion at last week's Navy Connecting Technology Spring '98 Conference in Norfolk, Va. "We're now left with creating a Department of Navy database, and we hope to have that up by June.''

Szafran said lack of access to a DOD-wide Year 2000 database would make it difficult to resolve Year 2000 system interface problems. Hardest hit may be the Marines, who must develop computer interfaces not only with their systems but with the Navy and Army, Szafran said.

The Marine Corps has "no issue" with DIST being classified, a Marine spokesman said. "It makes it a little more difficult to track other service systems, but there are other ways to get that information."

William Curtis, DOD's Year 2000 czar, said last week that the classification of the DIST database is "no big deal... we're going to have a new Y2K database up at the end of May."

Classifying the DIST database does not necessarily mean cutting off access, said Cynthia Rand, former principal director for information management at the Office of the Assistant Secretary of Defense for Command, Control, Communications and Intelligence (ASD/C3I). "Does [classifying DIST] make it more cumbersome? Yes, it does," said Rand, now a director for business development for civilian agencies at Lucent Technologies Inc. "But there are ways [access could be provided]. It's a change from what was done before, and we need to make the change quickly."

Working Against the Clock

But a Pentagon source said the DIST classification has slowed efforts across DOD to complete an inventory of all of the agency's information systems and the systems' corresponding Year 2000 problems. The inventory was originally due in March.

Szafran said it may take the Navy until November to complete its inventory— just a little more than a year before 2000.A DOD spokeswoman said Anthony Valletta, former acting ASD/C3I, classified DIST this February in a memo, which stated that "a review analysis of the information contained in the DIST database indicates that while individual records may be unclassified, the compilation of two or more of these records reveals vulnerability or capability information that if compromised would result in serious damage to the national security of the United States."

NSA said it assessed DIST's vulnerability at the request of the ASD/C3I and determined that "aggregation of seemingly harmless data can become highly sensitive when amassed in one location. The sum of its parts paint a much broader picture than the owners of the data ever intended. We brought this to the attention of ASD/C3I and demonstrated particular vulnerabilities which had not been considered previously."

NSA added that it also examined commercial security features that DISA used to protect the DIST database and found they "were not sufficient to protect classified data.''

One knowledgeable DOD Year 2000 official disputed NSA's description of the security vulnerability. "NSA could not hack its way into DIST from the outside,'' this official said. "So they gained status as an authorized user on the system and then hacked the database.''

The DOD spokeswoman said the Joint Chiefs of Staff plans to have a new Year 2000 database in operation by June, and she described the system as better, in some ways, than the DIST database. "The DIST database was too unwieldy for the fast response time that Y2K requires. The new database will be a streamlined version to take care of only Y2K issues.'' But, she added, that database also "may be classified initially.''

Olga Grkavac, senior vice president with the Information Technology Association of America's Systems Integration Division, said that although she understood NSA's concerns, the Pentagon needs a Year 2000 database, particularly to help resolve system interface issues.

"DOD is lagging behind other agencies" in making Year 2000 fixes,'' Grkavac said, "and this is information it needs to have to fix the Year 2000 problem. There has to be a way to put all the critical systems information in a database that people [working on Year 2000] can gain access to.''

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.