Defense Contractors May Be Chink in Cyber Security
RENEE MONTAGNE, host:
The Pentagon and the defense industry are trying to combat a growing threat to US national security: cyberattacks on information systems. Pentagon figures show that attempts to break into Department of Defense systems increased dramatically from 2003 to 2004, and cybersecurity analysts warn that defense contractors are even more vulnerable than the Pentagon to computer hackers. NPR's Vicky O'Hara reports.
VICKY O'HARA reporting:
Computer hackers used to be a malicious nuisance. But with the explosion of Internet technology, hacking has become a real security threat. Allen Paller is director of research at the SANS Institute, a Maryland-based group that teaches cybersecurity.
Mr. ALLEN PALLER (SANS Institute): America's computers are being riddled by attackers. They're being defended very badly.
O'HARA: All sectors of American society are under attack. But the huge databases of the US military and its contractors are an especially attractive target. The Pentagon says it tracked 80,000 attempted cyberintrusions against its systems last year, compared to 55,000 in 2003. Cybersecurity analysts say that defense contractors are even more vulnerable than the Pentagon, and they are the repositories of cutting-edge information about US defense systems.
Mr. IRA WINKLER (Internet Security Consultant): The problem comes up in that these are very, very large companies with hundreds of thousands of computers and they just provide many, many targets and it's hard to keep them consistently secure.
O'HARA: That is Ira Winkler, an Internet security consultant and author of the new book "Spies Among Us." He says that many defense contractors actually have good cybersecurity, but the defense industry is so interconnected, he says, that one weak spot can be catastrophic.
Mr. WINKLER: There are many parts of the defense world where you have some agencies that process top-secret information. You have other agencies which process information of limited use and scope. The problem is that those less-classified agencies would provide backdoors into some of the more secure agencies, but also provide some information which you would consider sensitive.
O'HARA: The most well-known example of cyberattack against military contractors is an operation known as Tighten Reign which was uncovered two and a half years ago. It was a group of extremely sophisticated hackers based in southern China's Guangdong province, and its primary targets were US government agencies and the defense industry. The Tighten Reign operators hit all of the major defense contractors, including Lockheed Martin which made the Mars lander. Again, Ira Winkler.
Mr. WINKLER: We have clear evidence that the Chinese were able to go ahead and get, like, detailed information about the Mars lander. You know, that information has a lot of dual-use purposes.
O'HARA: According to Allen Paller, Tighten Reign's operators in one evening got into the Army's security group, the Defense Information Systems Agency and one of the Navy's security groups.
Mr. PALLER: And on another night, they got away with the flight planning software that the Army and the Air Forces uses, and my point is that they did that all in a couple of evenings. So you can get an idea of how deep the penetration is.
O'HARA: No one knows for sure how much information was stolen, but one of the people who initially investigated Tighten Reign, and who asked to remain anonymous to protect his job, estimates it was billions of dollars' worth of intellectual property. None of it classified, but much of it highly sensitive. Steven Spoonamore, CEO of Cybrinth, a security consulting firm, says the problem of cyberintrusions has grown because the Pentagon increasingly goes outside of DOD for what it needs, including weapons systems.
Mr. STEVEN SPOONAMORE (CEO, Cybrinth): So who builds them? Contractors. And those contractors have a variety of levels of data custodial capacity. Some of them are very good; some of them are extremely poor.
O'HARA: Cyberexperts say that people in and out of the defense industry are one of the biggest security risks in using computers. The main reasons, they say, are that users fail to turn off their computers. They log into unknown or unauthorized Web sites, and they are naive in their administration of the system. Again, Ira Winkler.
Mr. WINKLER: I worked with a woman back in my intelligence days, her last name was Kirk. And I was joking with her that her password is `captain.' And she's like--standing there in horror going, `How do you know what my password is?'
O'HARA: Ira Winkler says he finds the same problem when he conducts cyberpenetration tests of various companies.
Mr. WINKLER: I found in one case 95 percent of all the passwords inside the company were the same as the user IDs. Again, very expected password.
O'HARA: And that particular company, he says, did classified work.
Cybersecurity experts emphasize that lack of computer security is not unique to the defense industry. It's just that military contractors hold the keys to some of the nation's most valuable defense secrets, making them a lucrative target for organized crime, foreign companies and foreign governments. And hackers, the experts warn, are becoming increasingly sophisticated at penetrating whatever cybersecurity exists and then covering their tracks.
Vicky O'Hara, NPR News, Washington.