Hamre Acts to Hamper Hackers
By Linda D. Kozaryn
American Forces Press Service
BRUSSELS, March 18, 1998 As U.S. troops, combat aircraft and warships gathered in the Persian Gulf in February, the U.S. military was quietly attacked on a second front. Defense officials detected systematic, sophisticated intrusions into DoD computer networks.
Was this the work of hackers who regularly attempt electronic break-ins, or was it a true cyber attack by the Iraqis? That was the question defense and justice department officials had to answer -- quickly. What they learned is now serving as a wake-up call at home and abroad.
Deputy Defense Secretary John J. Hamre traveled to Europe, March 14 to 19, to discuss the growing threat to computer-based information systems. In Cologne and Bonn, Germany, Brussels, Belgium, Paris, The Hague and London, Hamre warned NATO allies: if this can happen to us; it can happen to you. Because computers are linked together, information assurance is only as strong as the weakest link in the chain, he said.
People regularly try to breach DoD computer networks, Hamre explained here March 17. "We get people every day who are just pinging on our computers," he said. "It's been going on for several years. There's kind of a hackers' mentality that it's fun to get inside."
In the first part of February, DoD officials noticed a pattern which could have been the early stage of a computer attack. They noticed the incidents of break-ins were more frequent and more systematic, Hamre said. "Because this was occurring at the same time we were preparing for potential operations in the Gulf, we were particularly concerned that they might be related."
For three weeks, defense officials tracked unauthorized activity. "After about the first week, we became convinced that it was probably hackers," Hamre said. "But, we didn't know for sure because there was an overseas element to this."
As it turned out, in late February the FBI arrested two 16-year-old boys in California for allegedly breaking into DoD networks. Even though Pentagon officials were relieved, the incident remained cause for grave concern since it could well have been an Iraqi cyber invasion.
Hamre said the teenagers did not get into DoD's classified computers which were all protected. "But, we still do an awful lot of things over unclassified systems that could have been damaged." The episode stressed the importance of better protecting DoD systems.
"Two kids were able to create an awful lot of disruption in the Department of Defense," Hamre said. "We went to 24-hour shifts. We created a crisis action team. We had to go through an enormous amount of effort to protect the computer systems, to monitor them and clean them up."
Was it simply a test of skill for the two young hackers? Did they understand it was wrong to break into these computers? Hamre said children who've grown up with computers may not understand the difference between what's real and what's a game. They may not understand that breaking into a computer electronically, is no different than breaking into somebody's house. It's private property.
"One of the kids, when asked why did he do it, said, 'It's the power, dude,'" Hamre reported. What they may not realize "is that they're really opening doors for other people whose motives aren't as innocent."
Private industry as well as the government needs to change this mindset and instill computer discipline, Hamre said. "There was a famous case several years ago about a clique that would break into computers to change the grades kids got in classes."
Hackers even defaced the CIA homepage about two years ago, changing the title from the "Central Intelligence Agency" to the "Central Stupidity Agency." While the CIA break-in was obvious to anyone opening the homepage, detecting electronic breaches is not always easy, Hamre said. "What's a lot harder is if someone doesnt want you to know they've been in your computer and they've manipulated the data.
"Let's say that a hacker -- just to have fun -- got into the Pentagon's telephone directory and changed every tenth number. It would take several days to figure out why the numbers were not going through? Since it wouldn't be happening all the time, it wouldn't be clear that a computer hacker had randomly changed telephone numbers."
The potential for disrupting defense operations via computer manipulation is multifaceted, Hamre said. Almost all DoD business is now done on computers -- everything from sending messages, to ordering supplies, to paying troops, to keeping track of medical records. "If someone can come in and disrupt those computers, change the data or send misleading messages, they could do tremendous damage to a military operation."
Once it's discovered data has been intentionally manipulated, people lose confidence in computer networks, Hamre said. "How do you know that it's real? You're looking at a screen and the name says John Hamre, but how do you know it's really John Hamre at the other end of that computer terminal?
"It takes you a long time to regain confidence in the system. You have to download all the computers, go back to historical tapes, bring them back up again, and see if that data looks real. It's a very long and cumbersome and expensive process."
The recent experience highlights the need for a much more systematic "information assurance" program to safeguard computers, Hamre said. The goal is to ensure DoD computer information is "true, reliable and has not been manipulated," he said. This will require continually monitoring central computer processors and employing software that automatically signals an alert. Sensitive data must be encrypted and unauthorized people must be kept off the net.
So far, DoD classified networks have been secure. Firewalls separate them from the other networks, Hamre said. "But, firewalls in computers are just like firewalls in a movie theater. They simply slow the movement of the fire so people can get out of the building. A firewall in software simply slows down a hacker as they're working their way through it so you can take action."
In the long run, DoD will have to encrypt data that goes from one computer to the next. "Before it leaves the computer, the message gets scrambled and then decoded at the other end," Hamre explained. Routine commercial transactions will be encrypted, while classified networks will have much stronger encryption.
"Key recovery" will go hand-in-hand with encryption. "You have to encrypt the data so that it can't be read when it's going over public networks. Then you have to develop a system of electronic identification so that when you're reading that encrypted message, you can confirm whoever sent it to you is really that individual."
DoD employees will have an "electronic dog tag," Hamre said Although some people fear this will enable the government to read their e-mail, he said, this is not the case. "Our program is simply going to be buying encryption and key recovery for Department of Defense communications so we'll be able to confirm who's talking to us."
Eventually, Hamre said he believes most people are going to want to adopt encryption so that when they use their credit card on the Internet, it's not going to be compromised. "Most business applications and Department of Defense applications will require a key recovery system so that we'll have confidence in who we're talking to."
DoD has already has negotiated a contract with Netscape to place an encryption and key recovery system on the web browser for more than a million DoD users. "This fall, we hope to have this encryption and key recovery system operational," Hamre said.
Another related DoD goal is promoting computer literacy among the ranks, Hamre said. Young troops today have far more computer savvy than the previous generation, he said. "We ought to find ways to help soldiers, sailors, airmen and Marines who have an interest in computers to become more proficient."
Unfortunately, retaining highly skilled people is difficult. "As soon as our people become trained they become very attractive to the private sector," Hamre said. He's asked Rudy deLeon, undersecretary for personnel and readiness, to suggest personnel policy changes to ensure DoD trains and keeps highly skilled computer people. This may include added tuition assistance and training programs and bonuses in certain critical skill areas. DeLeon is scheduled to report his recommendations in about three weeks, he said.
"I hope this generation becomes even more interested in computers than what they are now because we're going to need their help," Hamre said. "Us old buzzards don't know what to do."