News

TRANSCRIPT

[EXCERPTS] DoD News Briefing


Thursday, April 23, 1998 - 2:25 p.m. (EDT)
Mr. Kenneth H. Bacon, ASD (PA)

................

Q: Masters of Download. The nature of the material, software they reportedly downloaded, and how much currency that software would actually have on the market in terms of selling it to terrorists.

A: Anybody can go into the Internet and find their site and get this stuff. I've done it, you can do it as well. Let me just give you a general description of what they did and what they didn't do. Because what they did differs significantly from what has been described that they did.

First of all, there was no compromise of classified or critical systems as a result of what happened. This happened last fall. It's not something that just happened. It happened last fall, and we were aware of the attempts to penetrate the system last fall when it did happen.

Second, the materials they downloaded do not, and I stress, do not, control Department of Defense systems such as the global positioning system, nor did the intrusion have any adverse affect on the readiness of our forces, the capability to command our forces or to carry out our operations.

Having said all that, we take this and other intrusions seriously. It is being investigated by the proper authorities, and we have, since last fall, made some changes in this system to make it more difficult to conduct the type of intrusions that this group, Masters of Downloading, did.

Q: A spokesman for the National Infrastructure Protection Center in testimony before Congress in March quoted a DISA statistic that they estimate as many as 250,000 possible attempts to enter DoD type computers in 1995. Has that number increased, and has there been a change in the pattern of hacking attempts where it's become maybe more concentrated?

A: That figure, 250,000, came, as I recall, from a General Accounting report, a GAO report that came out I think in May of 1996. Basically 250,000 is an arithmetic estimate and it's based on a certain assessment that DISA makes of its own computers. It's a...

Charlie, do you have some good information you want to play on these computer penetration attempts? [Laughter] I wondered if maybe you had tape recorded that hearing and we could actually... It's like going on the Internet where you can push a button and hear a video report, see a video report or hear an audio report of what's going on.

Q: Let the record reflect that I accept that quietly. [Laughter]

A: At any rate, it was an estimate, and in 1995 DISA itself received reports of approximately 500 actual incidents. These could be viruses, they could be what they call malicious code. Some people might think of all computer codes as malicious, but these are maybe distorted codes or rewritten codes, various intrusions or other probes.

Since they believe that only 0.2 percent of efforts to intrude are reported, they extrapolated that there could have been as many as 250,000 attempts based on the fact that there were 500 actual reports. Their statistical surveys have found that only a very small percentage of actual attempted intrusions are reported, and therefore, they multiplied it out to get the 250,000.

Q: When you say reported, do you mean detected or...

A: They said reported, but I suppose it could mean detected, as well.

Q: The number of those detections or reported intrusions, are they increasing sharply since '95? Do you have statistics which...

A: I do, actually. Write these down. In 1992 there were 53 attacks. These are based on the information that the Defense Information Systems Agency maintains on officially reported attacks; 1992, 53 attacks; 1992, 115 attacks; 1994, 255 attacks; 1995, 559 attacks; 1996, more than 725 attacks; and in 1997, there was a decline to 575 attacks.

Q: Can you say whether the French are behind any of these attacks? [Laughter]

A: Mais non. [Laughter]

Q: ...aren't able to get into classified systems (inaudible), a danger or a risk. How secure are your telecommunications systems, the classified information? Are these hackers, could they be a threat to that type of system?

A: First, we believe that the classified systems, the Secret, classified systems are much harder to break into, obviously, than the non-classified systems. Many of our non-classified systems use commercial telephone lines, etc. We think that the classified systems are secure. It's the non-classified systems where we've had the biggest problems, and this is a matter of growing concern to the Defense Department, and it's one that we're spending more and more time on.

The Deputy Secretary of Defense, John Hamre, has issued a series of policy directives in the last couple of months, ordering ways to improve the security of our computer systems. We're spending approximately 3.6 billion dollars on computer security over the next five years. We're appointing individual officials by name to each computer network to be in charge of security so there will be sort of a central person to reach out to whenever there's a security problem, somebody whose responsibility it is to make sure that the networks are as secure as possible.

We're looking at a variety of other steps that can be taken to make our computer systems more secure.

Q: ...the one, you said it wasn't related to GPS. What did it do?

A: As I understand it, it was a system that, first of all, it was software. What they were able to download was some software that is used to automate recordkeeping functions and some management functions on a portion of a network that did deal with some communications and possibly some navigation, some positioning information. But what they were able to download was the software. We don't have any information that they manipulated it in a way that was damaging to the system.

Q: Is that illegal?

A: It's certainly impolite. [Laughter] I'm not prepared to say whether it was illegal. But it is being investigated by law enforcement authorities to make that determination right now.

Q: Have there been any successful penetrations into classified systems?

A: Not that I'm aware of, but it's something that I will double check.

Q: Was this incident last fall in any way related to the incident that Mr. Hamre spoke of that occurred in February..

A: No. Not that we're aware of.

Q: I understand that a Joint Task Force is being formed to deal with protecting the Pentagon computers. Is this still in the conceptual stage, or have the blocks actually started coming together?

A: I can't answer that question. We are taking, every week, new steps to improve computer security, and the most fundamental step that we're taking is to increase awareness of the problem. And that was one of the, as I said, one of the signal achievements of the exercise the Joint Staff ran, ELIGIBLE RECEIVER, to improve the awareness of people within the Department of what the computer security issue is. We are also taking a number of other steps that involve looking at all sorts of software that's bought commercially to find out whether it adequately serves the needs of preventing viruses or setting up firewalls between systems, that type of thing. So we're doing a lot.

One of the main things that Deputy Secretary Hamre has done is to issue instructions to all the services and all the military commands to spend more time dealing with computer security. One of the things I pointed out last week was that we're trying to develop better computer counterintelligence capabilities so that we can learn more quickly when systems are being penetrated, who's penetrating them, and try to one, stop it; and two, find the cause of it and take appropriate action with law enforcement authorities if necessary.

Q: Can I follow up on just that question? Because this factor you cited of .2 percent intrusion after detected is just appallingly low. I don't know if that's...

A: That's not what I said. The exact quote here is that they think that only, this is a quote from DISA, that "only 0.2 percent of incidents report."

Q: But we don't know what that means. I have no idea what it means.

A: I'll try to get the DISA report. DISA has testified before Congress on this. We'll get you the testimony. I'll give you a perfect example.

You might turn on your computer -- you or I might turn on your computer and after you put in a disk and/or downloaded something from the Internet, and it might, a virus detector might say that a virus has been detected. Do you regard this as an intrusion or an attack on your computer system? If so, do you report it or do you say maybe I have a malfunctioning disk and not report it. I think it's that type of thing.

It's obviously, it's a big system. As I said the other day, there are, I think, over two million computers that were concerned about... There are thousands and thousands of local area networks and thousands of long distance networks as well, so it's a massive undertaking to find out exactly what's going on.

One of the things we're trying to do is to centralize the recordkeeping and to regularize it in a way so that it's much easier to keep records, and it's easier for everybody to understand what's going on because they're working from a common set of definitions.

Q: If DoD knew about this back in the fall and it was so horrible, why wasn't it announced just like the February attempts were announced?

A: Well, first of all, as you can see from the figures I read, there are hundreds of attacks, several hundred attacks every year that we detect; there may be, or that are reported. There may be many more that aren't reported. We're not in the business of announcing every time somebody... This is more than one a day. We're not in the business of going out and announcing these things. For one thing, I think there's sort of an echo effect or an imitator effect here. We don't want to encourage copycats. We don't want to encourage more teenage hackers than there already are trying to figure out ways to get into the DoD systems.

Q: Are these attacks, are they getting more serious? Are the hackers getting more sophisticated? Are we seeing the equivalent of spray painting graffiti, or are we seeing something more serious?

A: We have to take all of it seriously, even innocent youthful attempts to break into Pentagon systems, because we basically don't want people trying to fiddle with our information in any way. I don't think I can quantify the seriousness of these various attacks. Sometimes it takes us awhile to figure out exactly what's going on. There's also the question of how much of the iceberg is above the water, how much is under the water. We take all of these things seriously.

..............

Press: Thank you.