Senate panel obliterates infowar funds

The Senate Appropriations Committee last month gave the go-ahead to a bill that strips the Defense Department of funds to protect against information warfare attacks.

Following the lead of the House, the Senate version of the 1999 Defense appropriations bill eliminates all $69.9 million requested by DOD for joint infrastructure protection and replaces those funds with $500,000 for software security research.

This "is a lack of foresight and a very poor showing of leadership on the part of Congress," said Rick Forno, president of Intac Corp., a consulting firm specializing in information systems security training, and formerly the senior information security analyst for information resources in the House. "We're spending millions of dollars so the systems will be running on Jan. 1, 2000, but [unfortunately] they'll be open to attack."

John Pike, a defense analyst with the Federation of American Scientists, said the removal of infrastructure protection funding is baffling, particularly after all the "rain dancing" that has taken place around the issue. "I would have thought this would have been totally noncontroversial," he said.

DOD officials said the department is working on its response to the bill, adding that the issue of infrastructure protection and information assurance has been, and will continue to be, a top priority for the secretary and assistant secretary of Defense. "Obviously it would not have been [in the original request] if we did not feel there was a need for it," a DOD spokeswoman said.

Congress approved the measure despite recent warnings from the nation's top intelligence official that foreign governments and terrorists are actively targeting U.S. computer systems and networks. CIA Director George Tenet told the Senate Governmental Affairs Committee that foreign nations have begun to emphasize information warfare training [FCW, June 29].

In addition, a former senior DOD official said he has urged DOD to give Congress classified data on the attack carried out in October 1997 by the so-called Masters of Downloading (MOD) hacker group to "show Congress what really happened."

MOD claimed that it penetrated the Defense Information Systems Network operated by the Defense Information Systems Agency and stole classified software and data that would allow the group to "take down" all of DISN. The group also claimed to have copied software that controls military satellites. DOD has maintained that no classified information was compromised in that attack.

"We've all got a very shaky future in front of us" if the work needed to protect the nation's critical infrastructure is left up to the FBI's National Infrastructure Protection Center, said Mark Gembicki, president of WarRoom Research, Annapolis, Md., and head of the Manhattan Cyber Project, a government/industry partnership to study the threat of information warfare attacks on the nation's infrastructure. The center was formed by the Clinton administration this year to track and analyze electronic threats to the nation's critical infrastructure and industry.

"DOD has more talent in the infrastructure protection area

...and they need to play a key role," Gembicki said. "Even though industry owns the infrastructure, the real-world experience to defend it is really in the Department of Defense."

Gembicki said the need for DOD to protect the nation's critical infrastructures is great. According to a study his company plans to release at the end of the summer, Gembicki said of the 320 Fortune 1000 companies operating critical infrastructures— such as telecommunications, electric power and finance companies— all predicted a "catastrophic event" from a cyberattack by 2000.

Senate Appropriations staff could not be reached for comment. But Anthony Valletta, vice president of SRA Federal Systems and the former assistant secretary Defense for command, control, communications and intelligence (ASD/C3I), said the removal of the infrastructure-

protection funding probably means that Congress will force DOD to fund the initiative itself with funds from other programs.

The Senate may have cut funding for infrastructure protection, but it funded other technology initiatives. For example, the committee directed the secretary of the Navy to allocate up to $25 million from the service's operation and maintenance funds "to make significant progress toward ensuring that smart cards...are issued and used throughout the Navy and Marine Corps."

Specifically, the bill directs the Navy to outfit with smart cards at least two AirCraft Carrier Battle Groups, two Carrier Air Wings and two Amphibious Ready Groups, including all Marine units embarked aboard these ships.

An official from the Navy's Office of the Chief Information Officer said the language surprised him, and although it may be a good idea, it was not in the Navy's plans for the coming year.

The Senate also directed the heads of the various military departments to develop a plan for adopting the best commercial inventory practices to handle various supply items.

Olga Grkavac, senior vice president of the Information Technology Association of America's Systems Integration Division, said the Senate bill's language is encouraging. "We think there are incredible savings and efficiencies that DOD can take advantage of" by adopting commercial business practices, she said.

Navy officials said they could not comment on the bill but added that they "are watching these developments with interest" and have every intention of complying with Congress' directives.