http://www.baltimoresun.com/news/nationworld/bal-te.nsa02jul02,0,754404.story?coll=bal-home-headlines
By Siobhan Gorman
Sun reporter
July 2, 2006
Sun exclusive
WASHINGTON -- The number of reported attempts to penetrate
Pentagon
computer networks rose sharply in the past decade, from
fewer than 800
in 1996 to more than 160,000 last year - thousands of them
successful.
At the same time, the nation's ability to safeguard
sensitive data in
those and other government computer systems is becoming
obsolete as
efforts to make improvements have faltered and stalled.
A National Security Agency program to protect secrets at the
Defense
Department and intelligence and other agencies is seven
years behind
schedule, triggering concerns that the data will be
increasingly
vulnerable to theft, according to intelligence officials and
unclassified internal NSA documents obtained by The Sun.
When fully implemented, the program would build a new
encryption
system to strengthen protections on computer networks and
would more
effectively control the access of millions of people to
government
computer systems and buildings.
Launched in 1999, the program was to have been completed
last year,
but it fell behind in part because of differences between
the NSA and
the Pentagon. The NSA is trying to revamp the program,
although the
deadline has slid to 2012, with the most substantive
security
improvements planned for 2018.
An internal NSA report in April 2005 described the problem
as
"critical," noting that 30 percent of the
agency's security equipment
does not provide "adequate" protection; another
46 percent is
approaching that status.
"Much of the existing cryptographic equipment is based
on ...
technologies that are 20-30+ years old," said the
report from the
agency's information security directorate. At the same
time, it noted,
technology for breaking into computer systems has improved,
which
"gives our adversaries enhanced capabilities."
Pentagon computers, in particular, are under constant
attack.
Recently, Chinese hackers were able to penetrate and steal
data from a
classified computer system serving the Joint Chiefs of
Staff,
according to two sources familiar with the incident. A
security team
spent weeks eliminating the breach and installing additional
safeguards.
The Pentagon declined interview requests for two information
security
officials, but a spokesman said in a written statement that
the NSA is
continually assisting the Pentagon to "maintain best
security
practices" and raise the level of information
security.
NSA spokesman Don Weber said in a statement that because
information
security is a core mission of the agency, "any
speculation that we,
along with our partners would leave national security
systems
vulnerable, is unfounded."
Among 18 current and former officials and security experts
interviewed
for this article, several would speak only on condition of
anonymity
because many details of the program are sensitive and reveal
vulnerabilities in the nation's defenses.
Encryption, which is an electronic lock, is among the most
important
of security tools, scrambling sensitive information so that
it can
ride securely in communications over the Internet or phone
lines, and
requiring a key to decipher.
Powerful encryption is necessary for protecting information
that is
beamed from soldiers on the battlefield or that guards data
in
computers at the NSA's Fort Meade headquarters. Without
updated
encryption, sensitive information could be stolen by China
or other
countries that have regularly tried to break into U.S.
government
systems to steal military and intelligence secrets. There
are emerging
concerns about Iran's desire to do so, as well.
"This stuff is enormously important," said John
P. Stenbit, the
Pentagon's chief information officer until 2004. "If
the keys get into
the wrong hands, all kinds of bad things happen. You don't
want to
just let a hacker grab the key as it's going through the
Internet."
The NSA report warned that "serious risks" in
the Pentagon's security
system jeopardize its ability to execute its missions
effectively. A
December 2005 NSA planning document described the program as
crucial
for ensuring adequate protection for all national security
programs.
"It's a pretty critical thing to do right ... because
the government
relies on confidential communications so heavily,"
said Martin Roesch,
founder of Sourcefire, a computer security company in
Columbia, Md.
"It's kind of a fundamental capability."
A growing threat
As the program, known as Key Management Infrastructure, has
faltered,
the potential for penetrating government computers has
grown.
Intelligence officials have said that as many as 100
countries pose
legitimate threats to U.S. government computers and those of
companies
doing government work.
In the past decade, reported attempts to hack into Pentagon
computers
have grown 200-fold, according to the Pentagon.
"Numerous states, terrorist and hackers groups,
criminal syndicates,
and individuals continue to pose a threat to our computer
systems,"
Maj. Gen. Michael D. Maples, director of the Defense
Intelligence
Agency, warned Congress this year. "Over the last few
years, hackers
have exploited thousands of [Department of Defense]
systems."
In addition to the NSA's aging security technology, some of
the tools
required for encrypting data lack security protections and
are
vulnerable, so an infiltrator could uncover and possibly
replicate the
tools to access government data, according to the NSA's
December 2005
planning document.
Intelligence specialists say potential attacks could include
foreign
governments snooping for U.S. intelligence and military
secrets and
using identity information to create false IDs, which could
enable
them to gain access to military or intelligence facilities,
computers
and even weapons systems.
"What's at stake here is the security of the nation,
because we are
under monster attack from China, Russia, Israel, France and
so on," a
former government official said.
News reports last year revealed a major Chinese campaign
called Titan
Rain that targeted unclassified Pentagon computer networks
and others
at the Energy and Homeland Security departments. In a Miami
case, the
Justice Department charged two men this year with channeling
military
technology secrets to China that were obtained through
hacking. It
brought similar charges against three others last fall in a
case in
Los Angeles.
"The threat is much larger than we ever thought it
was," said David
Szady, a former top counterintelligence official at the FBI
and the
CIA. The Chinese "have been able to develop their
military and their
systems on the backbone of United States technology."
Another country emerging as a concern is Iran. "They
certainly are
able to, and would have an interest in doing it," said
one former
senior intelligence official.
Cracking the government's aging encryption system would
require a high
level of training of the type most likely occurring in
countries such
as China or Russia.
But as commercial code-breaking technology improves,
intelligence
experts said, it is possible that a technically astute
terrorist or
even an unusually focused teenage hacker could infiltrate
government
computers.
If hackers can break through weak encryption systems on
government and
contractors' computers, they can hunt through different
networks for
bits and pieces of information to thread together and
assemble a
fairly good idea of U.S. defense capabilities - with the
intent of
either copying them or devising a system to defeat them,
said one
former NSA employee.
The new system would address a number of the security
challenges that
exist with the explosion of wireless, networked
communication devices,
according to internal NSA documents. The most sensitive data
is
generally held in internal systems that are not exposed to
the
Internet. But the Pentagon and other government agencies are
increasingly using Internet-based communications.
And as the demand grows for "smart"
identification cards with computer
chips that verify the card holder's identity, so does the
need for
sophisticated ways to manage who is being assigned cards, so
that the
cards do not end up in the wrong hands, said Stephen Kent, a
chief
scientist at BBN Technologies who has chaired government
panels on
information security.
False starts
Sprawled across several government agencies, but centered at
the NSA,
the Key Management Infrastructure program is actually a
compilation of
about 25 programs; its costs, which are classified, are
difficult to
gauge. One estimate pegs spending so far at $2 billion or
more, said a
former government official familiar with the program. Other
estimates
are in the hundreds of millions.
A critical problem with the project, according to several
current and
former intelligence officials, is one that has afflicted
other large
programs at the agency: poor management.
Like other major NSA efforts - such as the failed
Trailblazer program
to rapidly sift out threat information, and the troubled
Groundbreaker
program aimed at upgrading the agency's computer networks -
an
ever-changing game plan has caused many of the project's
problems,
current and former senior intelligence officials said.
One former senior intelligence official said that the NSA
had
unrealistic expectations from the start and repeatedly opted
for
delays to try to perfect the program. That left the
government with
aging security protections in the quest for security
nirvana, the
official said.
"NSA often will say, 'Well, this is not totally
secure, so you can't
use it,' when the only alternative is nothing," the
former official
said. "My worry is this push for perfect security is
the enemy of good
security."
NSA officials have also had a difficult time forging
consensus among
the agencies involved with the project, especially the
Pentagon,
according to former officials familiar with the conflict.
"Anybody who doesn't like the way you're doing it
can essentially
withdraw," the former senior intelligence official
said. "It's a
program that is actually planned for failure."
After several false starts, the first phase of the program
was
canceled in 2003, and its replacement has been in the
planning stages
since then.
The NSA is re-evaluating the program, intelligence officials
said.
That reassessment - owed at least in part to pressure from
Maj. Gen.
Dale W. Meyerrose, the chief technology officer under spy
chief John
D. Negroponte and the Pentagon - is expected to produce a
new
blueprint, Meyerrose said in an interview. It also coincided
with
incoming NSA Director Lt. Gen. Keith B. Alexander's
agency-wide
review.
Under the current plan, the initial phase will be completed
in 2012.
Even then, it would at best provide only a level of security
equivalent to the existing system, current and former
government
officials said. The agency would, however, be able to
upgrade the
revised system, which is not possible now, they said.
Meyerrose acknowledged that the project has taken "a
little longer
than we thought." He chalked it up to a lack of
leadership in the
intelligence community to get behind the program, which he
said would
change under the new spymaster. The program's planners, he
said,
underestimated how difficult it would be to
"synchronize" all the
moving parts of the program.
After the first false start, the NSA asked the consulting
firm Booz
Allen Hamilton, which was involved in aspects of the
project, to take
on a broader role to get the program's many segments
working together.
But the NSA is unhappy with the firm's performance, which
it deemed
slow and rigid, one former government official said. A
spokesman for
Booz Allen declined to comment, citing confidentiality
agreements.
Booz Allen's contract is slated to end in October, and the
NSA plans
to do the work on its own, probably with assistance from a
new
contractor, the former official said.
Although Richard C. Schaeffer, in charge of the NSA's
information
security division, characterized the current timetable for
the program
as "aggressive" in a statement to The Sun, some
officials are
concerned that the schedule is sliding again, according to a
former
government official familiar with the program. The NSA was
supposed to
award a contract for the revamped program last December, but
that
shifted to June and then to October.
"It's pretty scandalous. It certainly has been a
start, restart,
start, restart," said one former intelligence
official. "It seems
stunning to me."
Meanwhile, given the pace of technology, every year that the
project
slips, it becomes less relevant, said a former government
official
familiar with the project.
"You're going to introduce something that is
completely obsolete," he
said.
While 2012 is the target date for wrapping up the current
phase of the
program, Meyerrose said, some portions will be implemented
in the
interim.
But some intelligence officials said they are concerned that
components of the program could be delayed until 2018, when
the next
phase of more substantive security changes is to be
completed, and the
April 2005 NSA report highlights this possibility.
The program's delay also is likely to hold up some major
Pentagon
efforts that rely on secure information, such as the Global
Information Grid, a network under development that aims to
manage all
national security information around the world, former
intelligence
officials said. Both the NSA report and planning documents
emphasize
the dependency of this network and other defense programs on
the key
management program.
"If you can't communicate securely, the enemy has the
potential to
know what you're doing," one former official said.
"Information
security is Job One."
siobhan.gorman (at) baltsun.com
Copyright © 2006, The Baltimore Sun