IG: DOD's computers vulnerable
- By Heather Harreld
- Jul 06, 1997
The Defense Department is acquiring information systems that may not have adequate or cost-effective security, and its increasing use of multilevel security technology lacks coordination and oversight, according to an audit by the DOD Office of the Inspector General.
The lack of security and coordination could give unauthorized users access to DOD's classified information. While most classified information is stored on networks not open to the Internet, multilevel security technology increasingly allows the flow of information between classified and unclassified networks, according to the IG.
DOD's growing dependence on this complex infrastructure "heightens concern about the vulnerability of electronic threats to the Defense Information Infrastructure," the report states.
The report recommends several ways to address concerns about the inconsistent use of multilevel security technology and DOD's overall management of security policy for acquiring automated information systems.
DOD must install and monitor the use of multilevel security technology to prevent unauthorized access to classified information, the report states. However, no specific guidance exists on developing and installing multilevel security technology, according to the audit, which took place April through November of 1996.
Several DOD programs - including the Reserve Component Automation System, the Joint Component Automated Logistics System and the Sustaining Base Information Services - have since dropped the security requirement or failed to determine how to achieve multilevel security.
The report also calls for the assistant secretary of Defense for command, control, communications and intelligence (ASD C3I) to establish security policies and procedures unique to information systems. The ASD C3I also should develop a "sensitivity labeling standard" for data storage and processing to be used throughout DOD.
The DOD Multilevel Security Program Office should have the authority and resources to coordinate all multilevel security initiatives, the report concluded. From fiscal 1990 through fiscal 1996, the program office received less than $12 million to develop and install multilevel security applications.
A spokeswoman for the ASD C3I said that a letter dated May 19 from former ASD C3I Emmett Paige Jr. stated that it was the office's response to the audit report. In that letter, Paige agreed with the finding that multilevel security requirements are not fully defined because DOD's policies are outdated and fragmented. The spokeswoman said ASD C3I officials would have no further comment until Aug. 11, when the IG's office requests a final response from the ASD C3I.
A new directive regarding security requirements for information systems will be released in October, according to the letter.
Also, DOD officials are reviewing a new labeling policy, which should be released soon, the letter stated.
Christopher Klaus, founder and chief technology officer of Atlanta-based Internet Security Systems Inc., said many more government agencies are abandoning long-standing policies of sheltering classified documents from any network that could be accessed from outside the agency.
"There's more and more classified stuff getting connected in some way to the Internet," Klaus said. "I'm not quite sure if there's any formal policy that would require them to take the necessary steps to be secure."
Part of DOD's problems in implementing multilevel security may stem from the lack of demand for the operating systems in the commercial world. John Pescatore, senior consultant with Trusted Information Systems Inc., Glenwood, Md., said much of the commercial world spurned the use of trusted operating systems that support multilevel security because of prohibitive costs, so they chose to use firewalls instead to guard the perimeters of systems.
As a result, DOD finds itself without commercial options of multilevel operating systems that it can afford.
"If your requirements are different than the mass market, then you have to pay for it. [DOD's] approach to try to get it built into the operating system is not going to work unless they pay for it," Pescatore said.