DOD: Change Passwords

Concerned that efforts to fix computer systems for the Year 2000 problem may expose its information infrastructure to cyberattacks, the Defense Department has ordered its network managers to change all administrative and user passwords on their unclassified networks.

The order is the result of mandatory guidance issued last month to all of the military services' network security organizations by the Joint Task Force for Computer Network Defense. While a JTF-CND spokesperson could not confirm or deny rumors that the guidance may be the result of a recent breach of computer security, the spokesperson said that the FBI's National Infrastructure Protection Center is currently investigating intrusions into unclassified DOD networks.

"We're trying to start a better process for password protection," the spokesperson said. "We gave [our components and other DOD organizations] several weeks to do this [because] we know it can't be done overnight."

The JTF-CND, which was formed last December, serves as the focal point for DOD to organize the defense of DOD computer networks and systems. When cyberattacks are detected, the JTF-CND is responsible for directing departmentwide defenses to stop or contain damage and restore DOD network functions and operations.

The mandatory actions called for by the JTF-CND directive include changing all administrative and user passwords for all unclassified systems and then restarting the operating systems for systems that are connected to the network. The process is known as a "warm boot" and is not a full shutdown of the system, the spokesperson said.

Major commands affected by the guidance and responsible for managing compliance in their respective services include the Air Force Information Warfare Center, the Army's Land Information Warfare Activity, the Defense Information Systems Agency, the Marine Corps' Marine Forces-CND and the Navy Component Task Force-CND.

As a result of the directive, the NCTF-CND issued classified and unclassified messages ordering password changes. However, a spokesman for the Space and Naval Warfare Systems Command, one of the primary recipients of the message, declined to comment because of the sensitivity of the message's content.

In an administrative message issued last week by the NCTF-CND, the Navy offered technical guidance to system administrators on how to deal with the lack of password date-change tracking functionality in Microsoft Corp.'s Windows NT.

As a result, the Navy has made three software tools available over the Internet to help administrators automate the enforcement of password changes.

In May, Art Money, senior civilian official acting as the assistant secretary of Defense for command, control, communications and intelligence, issued a DOD-wide memorandum about the potential threat to DOD networks posed by the Year 2000 computer problem. In that memo, Money cited DOD Administrative Instruction 26, which provides specific guidance on the use of passwords.

A DOD spokesperson said there is "no inherent connection between the May 5 Money memo and the July 23 [JTF-CND] message—other than they are related in the context of the department constantly putting out guidance that requires vigilance over our networks."