During the first three months of 1999, federal agencies are likely to face unprecedented attacks on their computer systems via the Internet as part of a massive test of agencies' vulnerability to hackers.
GovExec.com has learned that groups of executive and legislative branch personnel and researchers from nonprofit organizations are currently putting together a set of wide-ranging efforts to test federal computer security. The simulated attacks would go well beyond previous tests of individual agencies' systems.
Although neither the cast of players nor the shape of the final program is clear yet, some details are starting to take shape.
Selected agencies engaged in critical infrastructure and defense activities will face attacks on a very large percentage of their computers, launched by their own staffers. The attacks will simulate intrusions by hackers in an effort to identify weaknesses in the security configuration of systems. There will be no long warning period before the attacks, and agencies will be required to report the results of the tests to a central authority. The testing will continue periodically and ongoing progress reports will be required.
Other federal agencies outside the national security arena will also face simulated attacks, launched either by a consortium of outside organizations, agency staffers, or both. Results will be compared across agencies to recognize organizations that have been diligent in eliminating vulnerabilities to intrusion. The tests will be repeated periodically to highlight progress.
The coming tests are the culmination of a series of events that date back to 1996, when the Justice Department's web site was defaced, in part with a picture of Adolf Hitler replacing that of Attorney General Janet Reno. Other agencies, including even the CIA, had similarly embarrassing experiences. The General Accounting Office reported that computer hackers "had penetrated Department of Defense computer systems; obtained and corrupted sensitive information; shut down and crashed entire systems and networks; and denied service to users who depend on automated systems to help meet critical missions." By September 1996, GAO reported "serious security weaknesses for ten of the largest federal agencies."
CIA Director George Tenet later told the Senate Governmental Affairs Committee that DoD had done a self-study during which it launched and measured the success of 38,000 attacks. The attacks were successful 65 percent of the time and 63 percent of the attacks went completely undetected.
By early 1998, GAO, prodded by the Governmental Affairs Committee, engaged the National Security Agency to conduct simulated hacker attacks on individual agencies' systems. The first targets were the Federal Aviation Administration and the State Department. GAO said the tests found "significant security weaknesses ... that threaten the integrity of their operations."
Last summer, GAO asked NSA to conduct a similar test on NASA's systems. During months of negotiations on how the exercise should be conducted, NASA told its divisions and offices about the tests. Most of the NASA division and office directors assigned staff to identify and correct security weaknesses in anticipation of the exercise. As a result, says one NASA system administrator, "I was finally allowed to make the security fixes that I had been asking to make for three years."
When the penetration tests finally were run, only a very small fraction of NASA offices were targets of the simulated attack. GAO has yet to release its report on the exercise.