NSA concerns could hamper DOD Y2K fix

The National Security Agency has slapped a security blanket on the Pentagon's efforts to fix the Year 2000 millennium bug, which could further slow the Defense Department's already-behind-schedule Year 2000 fixes.

NSA has determined that all information detailing DOD's computers and its efforts to fix the Year 2000 problem are a "national security interest" and "highly sensitive." As a result, the Pentagon has cut off the military services and DOD project offices from the Defense Integrated Support Tool (DIST) database, which the Defense Information Systems Agency maintains to provide details on all DOD computer systems and interfaces for use in planning and deployment.

DIST, according to DISA, is a database of some 9,000 DOD systems that the department uses to track such key areas as system interfaces, compliance with high-priority standards, interoperability testing, consolidation goals and Year 2000-compliance planning. DIST was seen as critical to the Year 2000 problem because it provides a central source of information about interfaces between different DOD systems, which is a chief concern of Year 2000 conversion efforts.DOD began using DIST to track Year 2000 compliance in August 1996, and a Dec. 19, 1997, memo from the Office of the Secretary of Defense to DOD chief information officers identified DIST as the "central, authoritative database for tracking resolution of the Year 2000-related problems for systems throughout the department."

That aggregation of extensive details about Year 2000 problems with DOD systems poses a threat to national security, according to NSA.

"The DOD's Y2K conversion effort is a national security interest," NSA reported in a statement supplied to FCW. "All information detailing these information systems and the progress being made toward their conversions is considered to be highly sensitive."

DOD is not trying to cover up information about its Year 2000 efforts, a DOD spokeswoman said. "We couldn't hide what we're doing if we wanted to, and we certainly don't want to," she said. "The idea is to move these fixes along at the fastest possible clip but not to jeopardize other security measures as we do it."

While industry and service sources said they could understand NSA's security concerns, they said the classification could hobble the Pentagon's already-delayed Year 2000 remediation efforts. One former high-ranking DOD official described the classification issue as symptomatic of what he called the Pentagon's "gross mismanagement" of Year 2000 issues.

The classification of the DIST database, which Electronic Data Systems Corp. developed, already has adversely affected personnel working on Year 2000 issues. Capt. Clifford Szafran, the Navy's Year 2000 team leader, said the NSA classification forced DISA to move the database from unclassified networks to the Secret Internet Protocol Router Network (SIPRNET), to which only a limited number of DOD personnel have access.

"No one doing Y2K has SIPRNET access,'' Szafran said during a panel discussion at last week's Navy Connecting Technology Spring '98 Conference in Norfolk, Va. "We're now left with creating a Department of Navy database, and we hope to have that up by June.''

Szafran said lack of access to a DOD-wide Year 2000 database would make it difficult to resolve Year 2000 system interface problems. Hardest hit may be the Marines, who must develop computer interfaces not only with their systems but with the Navy and Army, Szafran said.

The Marine Corps has "no issue" with DIST being classified, a Marine spokesman said. "It makes it a little more difficult to track other service systems, but there are other ways to get that information."

William Curtis, DOD's Year 2000 czar, said last week that the classification of the DIST database is "no big deal... we're going to have a new Y2K database up at the end of May."

Classifying the DIST database does not necessarily mean cutting off access, said Cynthia Rand, former principal director for information management at the Office of the Assistant Secretary of Defense for Command, Control, Communications and Intelligence (ASD/C3I). "Does [classifying DIST] make it more cumbersome? Yes, it does," said Rand, now a director for business development for civilian agencies at Lucent Technologies Inc. "But there are ways [access could be provided]. It's a change from what was done before, and we need to make the change quickly."

Working Against the Clock

But a Pentagon source said the DIST classification has slowed efforts across DOD to complete an inventory of all of the agency's information systems and the systems' corresponding Year 2000 problems. The inventory was originally due in March.

Szafran said it may take the Navy until November to complete its inventory— just a little more than a year before 2000.A DOD spokeswoman said Anthony Valletta, former acting ASD/C3I, classified DIST this February in a memo, which stated that "a review analysis of the information contained in the DIST database indicates that while individual records may be unclassified, the compilation of two or more of these records reveals vulnerability or capability information that if compromised would result in serious damage to the national security of the United States."

NSA said it assessed DIST's vulnerability at the request of the ASD/C3I and determined that "aggregation of seemingly harmless data can become highly sensitive when amassed in one location. The sum of its parts paint a much broader picture than the owners of the data ever intended. We brought this to the attention of ASD/C3I and demonstrated particular vulnerabilities which had not been considered previously."

NSA added that it also examined commercial security features that DISA used to protect the DIST database and found they "were not sufficient to protect classified data.''

One knowledgeable DOD Year 2000 official disputed NSA's description of the security vulnerability. "NSA could not hack its way into DIST from the outside,'' this official said. "So they gained status as an authorized user on the system and then hacked the database.''

The DOD spokeswoman said the Joint Chiefs of Staff plans to have a new Year 2000 database in operation by June, and she described the system as better, in some ways, than the DIST database. "The DIST database was too unwieldy for the fast response time that Y2K requires. The new database will be a streamlined version to take care of only Y2K issues.'' But, she added, that database also "may be classified initially.''

Olga Grkavac, senior vice president with the Information Technology Association of America's Systems Integration Division, said that although she understood NSA's concerns, the Pentagon needs a Year 2000 database, particularly to help resolve system interface issues.

"DOD is lagging behind other agencies" in making Year 2000 fixes,'' Grkavac said, "and this is information it needs to have to fix the Year 2000 problem. There has to be a way to put all the critical systems information in a database that people [working on Year 2000] can gain access to.''