WASHINGTON (AP) — Hackers infiltrate Pentagon computers more than 160,000 times a year, threatening “catastrophic damage,” but the military rarely detects and seldom investigates the interlopers, government investigators said Wednesday.
“At a minimum, these attacks are a multimillion-dollar nuisance to Defense. At worst, they are a serious threat to national security,” the General Accounting Office said.
Citing Pentagon estimates, a GAO report said as many as 250,000 attempts may have been made to penetrate military computer networks last year, and 65 percent — 162,500 — were successful.
But only about one in 150 was detected and reported, the GAO said, and “the potential for catastrophic damage is great.”
The report, presented to the Senate Governmental Affairs subcommittee on investigations, dealt with the more than 90 percent of Pentagon data that is unclassified. It nevertheless could contain highly sensitive information on troop movements, procurement and maintenance of weapons systems.
Beyond young hackers who may have no criminal intent, about 120 countries already have or are developing computer attack capabilities. “In some extreme scenarios, studies show that terrorists or other adversaries could seize control of Defense information systems and seriously degrade the nation’s ability to deploy and sustain military forces,” said the GAO, Congress’ investigative wing.
The report quoted the Pentagon as accepting that the document fairly represented the increasing threat of Internet attacks. Officers attributed some of the problems to poorly designed systems or to the use of off-the-shelf computer products without inherent security safeguards.
Pentagon spokeswoman Susan Hansen said that information on weapons systems and other classified material was secure.
Sen. Sam Nunn of Georgia, the committee’s ranking Democrat, said cyberspace crime poses a whole new challenge to the government. “Is the bad actor a 16-year old, a foreign agent, an anarchist or a combination thereof?” he asked. “How do you ascertain the nature of a threat if you don’t know the motive of your adversary?”
GAO information management chief Jack Brock told the hearing of a notorious 1994 case where two hackers attacked computers of the Air Force command and control research facility in Rome, N.Y., more than 150 times. “The hackers took control of the lab’s network for several days,” he said.
To avoid detection, the hackers went through international telephone lines, passing ports in South America, Seattle and New York to reach the Air Force computer. From there, they broke into computer systems of NASA, Wright-Patterson Air Force Base, defense contractors around the country and South Korea’s atomic energy center.
One of the hackers a British 16-year-old who used the code name “Datastream Cowboy,” was caught. The other never was identified.
Researchers in the New York project deal with wartime commands sent to pilots and information on air tactics. Brock said the military would have to spend $4 million to replace it if hackers irreparably damaged the project.
The report noted that the Defense Information Systems Agency has conducted 38,000 attacks on Defense computer systems via the Internet to see how well they are protected. The agency gained access 65 percent of the time.
Of these successes, only 4 percent were detected by target organizations, and in only 27 percent of those cases was the detection reported to the systems agency.