IG: DOD's computers vulnerable

The Defense Department is acquiring information systems that may not have adequate or cost-effective security, and its increasing use of multilevel security technology lacks coordination and oversight, according to an audit by the DOD Office of the Inspector General.

The lack of security and coordination could give unauthorized users access to DOD's classified information. While most classified information is stored on networks not open to the Internet, multilevel security technology increasingly allows the flow of information between classified and unclassified networks, according to the IG.

DOD's growing dependence on this complex infrastructure "heightens concern about the vulnerability of electronic threats to the Defense Information Infrastructure," the report states.

The report recommends several ways to address concerns about the inconsistent use of multilevel security technology and DOD's overall management of security policy for acquiring automated information systems.

DOD must install and monitor the use of multilevel security technology to prevent unauthorized access to classified information, the report states. However, no specific guidance exists on developing and installing multilevel security technology, according to the audit, which took place April through November of 1996.

Several DOD programs - including the Reserve Component Automation System, the Joint Component Automated Logistics System and the Sustaining Base Information Services - have since dropped the security requirement or failed to determine how to achieve multilevel security.

The report also calls for the assistant secretary of Defense for command, control, communications and intelligence (ASD C3I) to establish security policies and procedures unique to information systems. The ASD C3I also should develop a "sensitivity labeling standard" for data storage and processing to be used throughout DOD.

The DOD Multilevel Security Program Office should have the authority and resources to coordinate all multilevel security initiatives, the report concluded. From fiscal 1990 through fiscal 1996, the program office received less than $12 million to develop and install multilevel security applications.

A spokeswoman for the ASD C3I said that a letter dated May 19 from former ASD C3I Emmett Paige Jr. stated that it was the office's response to the audit report. In that letter, Paige agreed with the finding that multilevel security requirements are not fully defined because DOD's policies are outdated and fragmented. The spokeswoman said ASD C3I officials would have no further comment until Aug. 11, when the IG's office requests a final response from the ASD C3I.

A new directive regarding security requirements for information systems will be released in October, according to the letter.

Also, DOD officials are reviewing a new labeling policy, which should be released soon, the letter stated.

Christopher Klaus, founder and chief technology officer of Atlanta-based Internet Security Systems Inc., said many more government agencies are abandoning long-standing policies of sheltering classified documents from any network that could be accessed from outside the agency.

"There's more and more classified stuff getting connected in some way to the Internet," Klaus said. "I'm not quite sure if there's any formal policy that would require them to take the necessary steps to be secure."

Part of DOD's problems in implementing multilevel security may stem from the lack of demand for the operating systems in the commercial world. John Pescatore, senior consultant with Trusted Information Systems Inc., Glenwood, Md., said much of the commercial world spurned the use of trusted operating systems that support multilevel security because of prohibitive costs, so they chose to use firewalls instead to guard the perimeters of systems.

As a result, DOD finds itself without commercial options of multilevel operating systems that it can afford.

"If your requirements are different than the mass market, then you have to pay for it. [DOD's] approach to try to get it built into the operating system is not going to work unless they pay for it," Pescatore said.

