Army rebuilds networks after hack attack

Hackers access Fort Campbell's network, spurring a massive fix

The Army has launched a massive multimillion-dollar initiative to secure systems at Fort Campbell, Ky., the home base for the Army's elite attack helicopter units, after its systems were hacked, officials familiar with the initiative confirmed.

The project, called the Fort Campbell Network Upgrade, which could cost as much as $30 million, follows the service's enterprise management plan to update all of the fort's computers to Microsoft Corp. Active Directory by January because the company will no longer support the Windows NT 4.0 operating system.

But industry officials familiar with the update, who requested anonymity because of national security and business concerns, said the two-phase project was launched after systems were penetrated. "There was a total intrusion into the network system," an industry official said.

"That's a lot of money to spend on [information technology] at one installation," said another industry official. "Do you know what the Army could do with $30 million for IT servicewide?"

Cybersecurity has taken a higher profile within the Defense Department as military officials have stressed network-centric warfare, in which data is put on networks much more quickly, thereby making it more widely available. Under this scheme, however, security becomes more essential because of the warfighter's dependence on this data and the potential ramifications if such information were to fall into enemy hands.

The cyberattack on Fort Campbell has spurred Army IT officials to increase their efforts to develop a servicewide information assurance plan and acquisition strategy in preparation for a procurement that could happen as early as next year, industry officials said.

"There is consensus among [officials] that they need to implement host-based intrusion detection," the industry official said.

Host-based intrusion-detection systems monitor, detect and respond to user and system activity and attacks on a given network. Army officials primarily use intrusion-detection systems in a less central manner.
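To make the host-based intrusion-detection idea in the preceding paragraph concrete, here is a small added illustration (not Army, Army CERT or vendor code) of the two things such a system does on an individual machine: compare the current state of important files against a known-good baseline, and watch user activity in the authentication log for a suspicious pattern. The file contents, paths, IP addresses and log lines are all constructed for the example; the pattern matched is a burst of failed logins followed by a successful one from the same source, a common brute-force signature.

```python
"""Toy host-based intrusion detection: file-integrity check plus auth-log
pattern matching. Added example; all sample data below is constructed."""
import hashlib
import re
from collections import defaultdict

# Constructed baseline: a snapshot of files taken while the host was known-good.
# A real HIDS keeps this snapshot off-host so an intruder cannot rewrite it.
BASELINE_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/usr/bin/ssh": b"ELF-binary-bytes-placeholder",
}

# Constructed current state: /etc/passwd gained an unexpected second UID-0
# entry, and a file appeared that was never in the baseline.
CURRENT_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\nextra:x:0:0::/:/bin/sh\n",
    "/usr/bin/ssh": b"ELF-binary-bytes-placeholder",
    "/usr/bin/.hidden": b"unexpected",
}


def snapshot(files):
    """Map each path to the SHA-256 of its contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def compare_snapshots(baseline, current):
    """Return (path, change) pairs; change is 'added', 'removed' or 'modified'."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append((path, "removed"))
        elif path not in baseline:
            findings.append((path, "added"))
        elif baseline[path] != current[path]:
            findings.append((path, "modified"))
    return findings


# Constructed auth-log lines in sshd's syslog style: five failures for root
# from one address, then a success from the same address, then a normal login.
SAMPLE_AUTH_LOG = """\
Oct  3 02:11:01 host sshd[4410]: Failed password for root from 198.51.100.7 port 51022 ssh2
Oct  3 02:11:03 host sshd[4410]: Failed password for root from 198.51.100.7 port 51022 ssh2
Oct  3 02:11:05 host sshd[4410]: Failed password for root from 198.51.100.7 port 51022 ssh2
Oct  3 02:11:08 host sshd[4410]: Failed password for root from 198.51.100.7 port 51022 ssh2
Oct  3 02:11:10 host sshd[4410]: Failed password for root from 198.51.100.7 port 51022 ssh2
Oct  3 02:11:12 host sshd[4412]: Accepted password for root from 198.51.100.7 port 51030 ssh2
Oct  3 02:15:44 host sshd[4420]: Accepted publickey for alice from 10.0.0.5 port 40210 ssh2
"""

FAILED = re.compile(r"Failed password for (\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted \w+ for (\S+) from (\S+)")


def detect_bruteforce_then_success(log_text, threshold=5):
    """Alert when a (user, source) pair succeeds after >= threshold failures."""
    failures = defaultdict(int)
    alerts = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[(m.group(1), m.group(2))] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            key = (m.group(1), m.group(2))
            if failures.get(key, 0) >= threshold:
                alerts.append(
                    f"{key[1]} logged in as {key[0]} after {failures[key]} failed attempts"
                )
    return alerts


def run_hids():
    """Run both checks over the constructed data and return the findings."""
    return {
        "integrity": compare_snapshots(snapshot(BASELINE_FILES), snapshot(CURRENT_FILES)),
        "auth": detect_bruteforce_then_success(SAMPLE_AUTH_LOG),
    }


if __name__ == "__main__":
    for kind, findings in run_hids().items():
        for finding in findings:
            print(f"[{kind}] {finding}")
```

The integrity check flags the modified `/etc/passwd` and the unexpected new file, and the log check raises one alert for the root login that followed five failures; the unrelated `alice` login produces nothing. A production system would persist the baseline and failure counters, watch the real filesystem and log sources, and feed findings to a central console, which is the centralised monitoring the article says Army officials were moving toward.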

Army officials were reluctant to discuss the cyberattacks, but people familiar with the incidents say the invasion of Fort Campbell's networks apparently took place last fall. A group of individuals from the Army's Computer Emergency Response Team (CERT) at Fort Belvoir, Va., started working at Fort Campbell as a result of the intrusion, the industry official said.

Army CERT officials determined that hackers penetrated the Fort Campbell network so they could monitor the daily exchange of information there. "They were actually inside the network and had been there for a couple months," the official said.

Army CERT officials followed the hackers' activities for a couple of months to determine their origin and intention. "They let it go on for a while, [and] then pulled the plug," the industry official said. Fort Campbell IT officials then started updating the network.

Maj. Gen. James Hylton, commanding general of the Network Enterprise Technology Command, which includes Army CERT, declined to comment on the intrusion at the fort. "We are a nation at war, and although protection of our networks has always had a high priority, we are even more vigilant now," Hylton said in a written statement. "The less the enemy knows, the better it is for the people [who] protect our networks."

"I will not go into specifics on what types of defensive measures we have in place," he wrote. "However, I will say that great emphasis is placed on constant vigilance."

Lt. Gen. Steve Boutelle, the Army's chief information officer, also declined to comment on the intrusion at Fort Campbell, explaining that information about investigations related to computer network defense is classified. However, Boutelle made cybersecurity one of the cornerstones of his presentation to Army and industry officials last week at the Directorate of Information Management/Army Knowledge Management conference. "Your systems are being attacked," he said.

Officials with the Joint Task Force-Global Network Operations (JTF-GNO), who oversee protection of military networks, also declined to comment on the intrusion. "All intrusions into [DOD] systems are investigated by appropriate investigative agencies," said Tim Madden, task force spokesman, in a statement. "JTF-GNO and the agencies involved do not discuss ongoing operations."

JTF-GNO officials, however, have reported gradual increases in the number of attempted intrusions on the military's networks during the past three years. The task force reported 40,076 in 2001, 43,086 in 2002, 54,488 in 2003 and 24,745 as of June 2004, Madden said.

"The increase simply reflects the increase in the number of computers and people using them worldwide," he said.

Another industry official said Army IT officials will hire 20 people to investigate what happened to systems at Fort Campbell and to look into the significant increase in attempted intrusions into Army networks during the past year, which Boutelle attributes to the current geopolitical climate.

During the past five years, DOD systems experienced similar attempted intrusions as military officials began carrying out their new doctrine of net-centric warfare. Department officials believe the intrusions originated in China, Brazil and Lithuania, but the only governments that have developed doctrines for cyberwarfare are China and India, said a military IT official who requested anonymity.

The department's new information assurance policies released this summer include the draft, titled "End-to-End Information Assurance Component of the Global Information Grid Integrated Architecture." The policies have resulted from the increase in attempted intrusions into DOD systems, the military official said.

Tracking attacks

It is difficult to determine who may have gained access to an Army network at Fort Campbell, Ky., but many experts cite hackers within China.

Army officials did not comment on the attacks, but an unclassified Army Computer Emergency Response Team (CERT) document hypothesizes that hackers in China were the likely culprits.

A 2001 report titled "Cyberwarfare" by the Congressional Research Service describes China's information operations plans. "China is pursuing the concept of a Net Force (battalion size: 750 to 1,100 people), which would consist of a strong reserve force of computer experts trained at a number of universities, academies and training centers."

Eugene Spafford, a computer sciences professor at Purdue University and an expert in information security who has testified before Congress on this topic many times, said he is not familiar with the intrusion at Fort Campbell. But Spafford said that such an incident could be classic espionage — an attempt to gather information, gain an advantage for future conflict or demonstrate capabilities.

"If this incident was intended to make a statement, it would be a strong one," said Spafford, who is also executive director of the Purdue Center for Education and Research in Information Assurance and Security. "Compare it to military maneuvers or test-firing a new missile as a way of expressing displeasure with policies of an adversary while also showing off capabilities."

— Frank Tiboni
