Security gaps persist in DOD nets
By Dan Verton
Aug 29, 1999
Despite countless warnings dating to 1996, the Defense Department's information networks continue to be plagued by serious security flaws and weaknesses that have opened up almost every area of the department to cyberattacks and fraud, according to a new General Accounting Office report.
Released last week, GAO's report, "DOD Information Security: Serious Weaknesses Continue to Place Defense Operations at Risk," comes just months after DOD formed the Joint Task Force for Computer Network Defense to serve as the focal point for DOD to organize the defense of its computer networks and systems. When cyberattacks are detected, the JTF-CND is responsible for directing departmentwide defenses to stop or contain damage.
The GAO report follows up on more than two dozen reports issued since 1996 that outlined serious security flaws throughout DOD. "DOD has made limited progress in correcting general control weaknesses we reported in 1996," GAO concluded. "As a result, these weaknesses persist across every area of general controls."
Security gaps identified in the report include weaknesses in access controls and software development, as well as unauthorized roles and responsibilities for users.
According to the report, support personnel working with an unidentified DOD system were able to alter system audit logs, which record all system activity and are a critical tool in identifying fraud and unauthorized access.
In another case, access authorizations for more than 20,000 users were not documented, according to the report.
In addition, GAO found that application programmers, including outside contractors, "had direct access to production resources, increasing the risk that unauthorized changes to production programs and data could be made and not detected."
On one system, 74 users had privileges enabling them to change program source code without supervisory oversight, the report stated.
Mike Dorsey, a special agent with the Naval Criminal Investigative Service who is working directly with the JTF-CND to investigate computer crimes against DOD networks, said unauthorized attempts to access DOD systems are on the rise but that DOD does not have the resources to respond to every incident.
A spokeswoman for DOD said the department is addressing all the issues contained in the report.