Date: March 22, 1999
Contacts: Bob Ludwig, Media Relations Associate
Dumi Ndlovu, Media Relations Assistant
(202) 334-2138; e-mail <email@example.com>
EMBARGOED: NOT FOR PUBLIC RELEASE BEFORE NOON EST MONDAY, MARCH 22
U.S. Defense Systems Increasingly Vulnerable to Cyber Attacks,
Protection Called Inadequate
WASHINGTON -- The U.S. Department of Defense (DOD) is falling behind in a race to protect computer information systems that are increasingly critical to military operations, says a new congressionally mandated report from a committee of the National Research Council. Policies and practices for securing military information systems must be improved quickly, the report urges.
"As a nation we are counting on computing and communications technology to multiply the effectiveness of our fighting forces," said committee chair James McGroddy, retired senior vice president of research, IBM, Armonk, N.Y. "Enhancing the 'nervous system' that levers the 'muscle' side of the military comes with the challenge of ensuring that we do not increase vulnerability to information warfare attacks."
The military has substantial experience in the physical protection of information systems, such as guarding communication links and shielding command and control facilities. But site visits by the committee revealed that troops in the field do not appear to take protection of their computer information systems nearly as seriously as they do other aspects of defense. The committee observed one military field exercise where personnel in an operations center mistakenly took as a joke the penetration of their systems by a cyber attacker. Understanding the value of information systems in all aspects of military operations, and the need to protect them, is necessary throughout the military, the report says.
Site visits also revealed security practices that were far inferior to the best commercial practices for information systems protection, or the best security practices of DOD. The report stresses that the military must ensure that personnel quickly recognize that guarding against an information attack is more critical and more difficult than conducting an information attack against an adversary.
In addition to technology constraints, legal ones also exist in many instances. For example, DOD is prohibited by U.S. law and by national policy from taking retaliatory action in peacetime against a cyber attacker. Current laws put the responsibility for apprehending and prosecuting a cyber attacker in the hands of civilian law enforcement agencies, not the military. In the event of an attack on military information systems, DOD personnel are allowed to provide technical assistance in locating and identifying the perpetrator, but they are restricted from acting on their own. DOD should review the legal limits on its ability to defend against a cyber attack, the report says.
DOD's passive defense posture is destined to fail against a determined attacker, the committee said, because adversaries pay no price for unsuccessful attacks and make repeated attempts to breach systems security until they succeed. While it was not asked by Congress to address larger issues of national policy, the committee recommended that DOD explore changes to public policies that govern the circumstances under which counter-attack is an appropriate response to a cyber attack.
Information superiority is an essential element of Joint Vision 2010, the department's blueprint for the military of the future. The committee's report reviews DOD's current and planned C4I (command, control, communications, computers, and intelligence) programs, which enable the military to conduct operations in a rapid, coherent, and coordinated fashion throughout the various branches of the military. Responsive and reliable information technology can provide more timely intelligence and greater awareness of location and environment.
Military command and control systems that exchange data more efficiently allow faster and more effective combat planning and execution, as well as deployment of smaller forces that can be much more autonomous and lethal. The armed services utilize a wide range of complex systems of varying ages and design to accomplish these goals. Enabling these systems to work together in new ways is a tremendous challenge. Industry often struggles with similar issues.
While DOD's current strategy for information exchange among military branches is aimed in the right direction, it is not being effectively or quickly executed. There has been insufficient progress in building and using a common system infrastructure, for example. DOD should develop a set of C4I system "interoperability scorecards," the report says, to assess progress in meeting its goals.
Just as individual military units routinely report their combat readiness, DOD should develop a system that enables combat units to report their readiness in communicating with other branches of the military using C4I systems. This evaluation, the report says, must focus on the ability of forces to conduct a mission from start to finish, based on a realistic set of scenarios for how these units are to be employed.
Information Technology Culture
C4I systems use computing and communications technology developed mostly by the private sector. The study revealed, however, that DOD's process for updating these systems has not been adequately redesigned to keep up with rapid advancements in commercial information technology.
The military has a major challenge in competing effectively with private industry, the committee says, to attract and retain professionals with expertise in engineering, computer systems, and computer applications -- areas that are vital to designing and running C4I systems. The private sector can offer greater monetary rewards, personal recognition, and opportunity for advancement.
Each branch of the military should establish an area of specialization in combat information operations, the report says. Also needed are better professional career paths for C4I specialists, and added emphasis on the importance of information technology in the military education of DOD leadership.
The study was sponsored by the U.S. Department of Defense. The National Research Council is the principal operating agency of the National Academy of Sciences and the National Academy of Engineering. It is a private, non-profit institution that provides science advice under a congressional charter. A committee roster follows.
Read the full text ofRealizing the Potential of C4I: Fundamental Challenges for free on the Web, as well as more than 1,800 other publications from the National Academies. Printed copies are available for purchase from the National Academy Press Web site or at the mailing address in the letterhead; tel. (202) 334-3313 or 1-800-624-6242. Reporters may obtain a pre-publication copy from the Office of News and Public Information at the letterhead address (contacts listed above).
NATIONAL RESEARCH COUNCIL
Commission on Physical Sciences, Mathematics, and Applications
Computer Science and Telecommunications Board
Committee for the Review of Programs for Command, Control,
Communication, Computers, and Intelligence (C4I) in the
Department of Defense
James C. McGroddy*(chair)
Senior Vice President for Research
Charles Herzfeld (vice chair)
Silver Spring, Md.
Vice President and Chief Technical Officer
Systems and Control Engineering
Bell Atlantic Network Services
Jordan Baruch Associates
Red Bank, N.J.
President and Founder
Palo Alto, Calif.
Professor and Former Chair
Department of Computer Science
University of California
David M. Maddox
Private Consultant, and
General, U.S. Army (retired)
Paul D. Miller
President and Chief Executive Officer
Lieutenant General (retired)
U.S. Air Force
John H. Quilty
Senior Vice President and General Manager
Robert H. Reed
Lear Astronics Corp.
Myrtle Beach, S.C.
H. Gregory Tornatore
Program Area Manager
Strategic and Tactical Communications Systems
Johns Hopkins University
RESEARCH COUNCIL STAFF
Herbert S. Lin
Senior Scientist and Study Director
* Member, National Academy of Engineering