Pentagon finds holes in DMS

The Director of Operational Test and Evaluation Fiscal Year 2000 Annual Report

The Pentagon's latest operational test and evaluation report found substantial shortfalls with some of the Defense Department's biggest information technology systems, including security holes in the Defense Message System.

The annual report of the Director, Operational Test and Evaluation, was delivered to Congress in February and made public in early March. The report includes the Pentagon's assessment of all major systems tested and evaluated in 2000 as part of the acquisition process.

Among other things, the report found that DMS is not fully secure. Testers were able to penetrate the system several times, including the five DMS test sites, its infrastructure nodes, and the Regional Node and Operations security Center.

DMS is a $1.6 billion program designed to provide writer-to-reader message services for classified and top-secret information to all defense users at their desktops.

The primary mode of infiltrating DMS included the exploitation of so-called trust relationships. Microsoft Corp. Windows environments within a site domain rely on trust relationships across the domain. Thus, DMS depends on the level of security maintained in other systems operating in the same domain, the report explained.

"Weak passwords, clear-text scripts/files with sensitive information, and lax procedures continued to cause most vulnerabilities," the report stated. "[Regional Node and Operations Security Center] security is hampered by lack of a firewall."

In addition, Pentagon testers found that messaging between DMS and existing Pentagon and allied systems "suffered due to missing routing information and procedural problems." It also states, "Errors in implementing important change notifications are indicative of system immaturity and lack of attention to detail by system administrators."

Other systems noted in the evaluation report included:

Global Combat and Support System: During testing, users had trouble getting information and had little confidence in it once they did. Maneuver Control System: The evaluation identified shortfalls in database accuracy, interoperability, logistics supportability and user acceptance. Performance likely would erode further in a battlefield environment, the report stated. Theater Battle Management Core System: The evaluation showed more than 500 deficiencies, primarily in data integrity and a lack of timely dissemination of the air battle plan to other system nodes. Land Warrior: The report noted that the restructured program looks good, but challenges remain, especially in the integration of all the subsystems. Army digitization: The report noted that much progress has been made, but current capabilities are still immature. Army Force XXI Battle Command, Brigade and Below: The evaluation found significant improvement, but the system may not be scalable up to division level.