National Academy of Sciences
National Academy of Engineering
Institute of Medicine
National Research Council
Office of News and Public Information
News from the National Academies
Date: March 22, 1999
Contacts: Bob Ludwig, Media Relations Associate
Dumi Ndlovu, Media Relations Assistant
(202) 334-2138; e-mail <news@nas.edu>

EMBARGOED: NOT FOR PUBLIC RELEASE BEFORE NOON EST MONDAY, MARCH 22

U.S. Defense Systems Increasingly Vulnerable to Cyber Attacks,
Protection Called Inadequate

WASHINGTON -- The U.S. Department of Defense (DOD) is falling behind in a race to protect computer information systems that are increasingly critical to military operations, says a new congressionally mandated report from a committee of the National Research Council. Policies and practices for securing military information systems must be improved quickly, the report urges.

"As a nation we are counting on computing and communications technology to multiply the effectiveness of our fighting forces," said committee chair James McGroddy, retired senior vice president of research, IBM, Armonk, N.Y. "Enhancing the 'nervous system' that levers the 'muscle' side of the military comes with the challenge of ensuring that we do not increase vulnerability to information warfare attacks."

The military has substantial experience in the physical protection of information systems, such as guarding communication links and shielding command and control facilities. But site visits by the committee revealed that troops in the field do not appear to take protection of their computer information systems nearly as seriously as they do other aspects of defense. The committee observed one military field exercise where personnel in an operations center mistakenly took as a joke the penetration of their systems by a cyber attacker. Understanding the value of information systems in all aspects of military operations, and the need to protect them, is necessary throughout the military, the report says.

Site visits also revealed security practices that were far inferior to the best commercial practices for information systems protection, or the best security practices of DOD. The report stresses that the military must ensure that personnel quickly recognize that guarding against an information attack is more critical and more difficult than conducting an information attack against an adversary.

Legal Limits

In addition to technology constraints, legal ones also exist in many instances. For example, DOD is prohibited by U.S. law and by national policy from taking retaliatory action in peacetime against a cyber attacker. Current laws put the responsibility for apprehending and prosecuting a cyber attacker in the hands of civilian law enforcement agencies, not the military. In the event of an attack on military information systems, DOD personnel are allowed to provide technical assistance in locating and identifying the perpetrator, but they are restricted from acting on their own. DOD should review the legal limits on its ability to defend against a cyber attack, the report says.

DOD's passive defense posture is destined to fail against a determined attacker, the committee said, because adversaries pay no price for unsuccessful attacks and make repeated attempts to breach systems security until they succeed. While it was not asked by Congress to address larger issues of national policy, the committee recommended that DOD explore changes to public policies that govern the circumstances under which counter-attack is an appropriate response to a cyber attack.

Interoperable Systems

Information superiority is an essential element of Joint Vision 2010, the department's blueprint for the military of the future. The committee's report reviews DOD's current and planned C4I (command, control, communications, computers, and intelligence) programs, which enable the military to conduct operations in a rapid, coherent, and coordinated fashion throughout the various branches of the military. Responsive and reliable information technology can provide more timely intelligence and greater awareness of location and environment.

Military command and control systems that exchange data more efficiently allow faster and more effective combat planning and execution, as well as deployment of smaller forces that can be much more autonomous and lethal. The armed services utilize a wide range of complex systems of varying ages and design to accomplish these goals. Enabling these systems to work together in new ways is a tremendous challenge. Industry often struggles with similar issues.

While DOD's current strategy for information exchange among military branches is aimed in the right direction, it is not being effectively or quickly executed. There has been insufficient progress in building and using a common system infrastructure, for example. DOD should develop a set of C4I system "interoperability scorecards," the report says, to assess progress in meeting its goals.

Just as individual military units routinely report their combat readiness, DOD should develop a system that enables combat units to report their readiness in communicating with other branches of the military using C4I systems. This evaluation, the report says, must focus on the ability of forces to conduct a mission from start to finish, based on a realistic set of scenarios for how these units are to be employed.

Information Technology Culture

C4I systems use computing and communications technology developed mostly by the private sector. The study revealed, however, that DOD's process for updating these systems has not been adequately redesigned to keep up with rapid advancements in commercial information technology.

The military has a major challenge in competing effectively with private industry, the committee says, to attract and retain professionals with expertise in engineering, computer systems, and computer applications -- areas that are vital to designing and running C4I systems. The private sector can offer greater monetary rewards, personal recognition, and opportunity for advancement.

Each branch of the military should establish an area of specialization in combat information operations, the report says. Also needed are better professional career paths for C4I specialists, and added emphasis on the importance of information technology in the military education of DOD leadership.

The study was sponsored by the U.S. Department of Defense. The National Research Council is the principal operating agency of the National Academy of Sciences and the National Academy of Engineering. It is a private, non-profit institution that provides science advice under a congressional charter. A committee roster follows.

Read the full text of Realizing the Potential of C4I: Fundamental Challenges for free on the Web, as well as more than 1,800 other publications from the National Academies. Printed copies are available for purchase from the National Academy Press Web site or at the mailing address in the letterhead; tel. (202) 334-3313 or 1-800-624-6242. Reporters may obtain a pre-publication copy from the Office of News and Public Information at the letterhead address (contacts listed above).

NATIONAL RESEARCH COUNCIL
Commission on Physical Sciences, Mathematics, and Applications
Computer Science and Telecommunications Board

Committee for the Review of Programs for Command, Control,
Communication, Computers, and Intelligence (C4I) in the
Department of Defense


        James C. McGroddy* (chair)
        Senior Vice President for Research
        IBM (retired)
        Armonk, N.Y.

        Charles Herzfeld (vice chair)
        Private Consultant
        Silver Spring, Md.

        Norman Abramson*
        Vice President and Chief Technical Officer
        Aloha Networks
        San Francisco

        Edward Balkovich
        Director
        Systems and Control Engineering
        Bell Atlantic Network Services
        Arlington, Va.

        Jordan Baruch*
        President
        Jordan Baruch Associates
        Washington, D.C.

        Richard Baseil
        Vice President
        Telcordia Technologies
        Red Bank, N.J.

        Thomas Berson
        President and Founder
        Anagram Laboratories
        Palo Alto, Calif.

        Richard Kemmerer
        Professor and Former Chair
        Department of Computer Science
        University of California
        Santa Barbara

        Butler Lampson*
        Engineer
        Microsoft Corp.
        Cambridge, Mass.

        David M. Maddox
        Private Consultant, and
        General, U.S. Army (retired)
        Arlington, Va.

        Paul D. Miller
        President and Chief Executive Officer
        Alliant Technologies
        Hopkins, Minn.

        Carl O'Berry
        Lieutenant General (retired)
        U.S. Air Force
        Scottsdale, Ariz.

        John H. Quilty
        Senior Vice President and General Manager
        MITRE Corp.
        McLean, Va.

        Robert H. Reed
        Director
        Lear Astronics Corp.
        Myrtle Beach, S.C.

        H. Gregory Tornatore
        Program Area Manager
        Strategic and Tactical Communications Systems
        Johns Hopkins University
        Laurel, Md.

        RESEARCH COUNCIL STAFF

        Herbert S. Lin
        Senior Scientist and Study Director

        Jon Eisenberg
        Program Officer

        _________________________________________
        * Member, National Academy of Engineering