IG: DOD's computers vulnerable

The Defense Department is acquiring information systems that may not have adequate or cost-effective security, and its increasing use of multilevel security technology lacks coordination and oversight, according to an audit by the DOD Office of the Inspector General.

The lack of security and coordination could give unauthorized users access to DOD's classified information. While most classified information is stored on networks not open to the Internet, multilevel security technology increasingly allows the flow of information between classified and unclassified networks, according to the IG.

DOD's growing dependence on this complex infrastructure "heightens concern about the vulnerability of electronic threats to the Defense Information Infrastructure," the report states.

The report recommends several ways to address concerns about the inconsistent use of multilevel security technology and DOD's overall management of security policy for acquiring automated information systems.

DOD must install and monitor the use of multilevel security technology to prevent unauthorized access to classified information, the report states. However, no specific guidance exists on developing and installing multilevel security technology, according to the audit, which took place April through November of 1996.

Several DOD programs - including the Reserve Component Automation System, the Joint Component Automated Logistics System and the Sustaining Base Information Services - have since dropped the security requirement or failed to determine how to achieve multilevel security.

The report also calls for the assistant secretary of Defense for command, control, communications and intelligence (ASD C3I) to establish security policies and procedures unique to information systems. The ASD C3I also should develop a "sensitivity labeling standard" for data storage and processing to be used throughout DOD.

The DOD Multilevel Security Program Office should have the authority and resources to coordinate all multilevel security initiatives, the report concluded. From fiscal 1990 through fiscal 1996, the program office received less than $12 million to develop and install multilevel security applications.

A spokeswoman for the ASD C3I said that a letter dated May 19 from former ASD C3I Emmett Paige Jr. stated that it was the office's response to the audit report. In that letter, Paige agreed with the finding that multilevel security requirements are not fully defined because DOD's policies are outdated and fragmented. The spokeswoman said ASD C3I officials would have no further comment until Aug. 11, when the IG's office requests a final response from the ASD C3I.

A new directive regarding security requirements for information systems will be released in October, according to the letter.

Also, DOD officials are reviewing a new labeling policy, which should be released soon, the letter stated.

Christopher Klaus, founder and chief technology officer of Atlanta-based Internet Security Systems Inc., said many more government agencies are abandoning long-standing policies of sheltering classified documents from any network that could be accessed from outside the agency.

"There's more and more classified stuff getting connected in some way to the Internet," Klaus said. "I'm not quite sure if there's any formal policy that would require them to take the necessary steps to be secure."

Part of DOD's problems in implementing multilevel security may stem from the lack of demand for the operating systems in the commercial world. John Pescatore, senior consultant with Trusted Information Systems Inc., Glenwood, Md., said much of the commercial world spurned the use of trusted operating systems that support multilevel security because of prohibitive costs, so they chose to use firewalls instead to guard the perimeters of systems.

As a result, DOD finds itself without commercial options of multilevel operating systems that it can afford.

"If your requirements are different than the mass market, then you have to pay for it. [DOD's] approach to try to get it built into the operating system is not going to work unless they pay for it," Pescatore said.
