Fit to fight the info war?

The Pentagon's top testing office has recommended that the Defense Department conduct a massive information warfare test to determine the vulnerability of its secret networks, but military experts question the wisdom and necessity of such a test.

The Office of the Director, Operational Test and Evaluation, recommended the test in its annual report to Congress, made public the first week of March. The report includes evaluations conducted during 2000 of all major procurement programs. Lee Frame runs the office as acting director.

The report concluded that, among other problems, Pentagon information systems—such as the Secret IP Router Network (SIPRNET), over which classified messages are passed, and Defense Information Infrastructure (DII), the department's information backbone—are built on the same technology as the Internet. During an information warfare attack, the military systems would be vulnerable to the same disruptions as commercial systems.

The proposed test would include major command and control systems such as the Defense Message System, Global Command and Control System, Global Combat Support System, and Theater Battle Management Core System. SIPRNET and three of the four systems are managed by the Defense Information Systems Agency.

"We recommend that a supportability test of the DII/SIPRNET be conducted that involves all systems under acquisition oversight, while all their interoperable systems are exercised at levels simulating wartime conditions," the report stated. "The test focus is their ability to withstand information warfare attack and handle stress."

That recommendation was met with skepticism from experts within DOD and the defense industry. The Office of the Director, Operational Test and Evaluation, "has gotten to where they want to do system of systems tests on everything," said retired Brig. Gen. Jack Schmitt, vice president of Army systems integration at Burdeshaw Associates Ltd., a Bethesda, Md., consulting company. "It's admirable, but it's very difficult to isolate out every other variable so that you understand the fault lies with the system being tested vs. all other systems."

The Office of the Director, Operational Test and Evaluation, is "able to vote yea or nay on a procurement system," Schmitt said, leaving the services little choice but to comply with requirements. He added that a similar system of systems test required a few years ago by the same office of the Army's Tactical Internet software has been "a major headache."

Industry sources also say the test probably would have to be conducted during previously scheduled joint exercises by isolating sections of the SIPRNET, testing one section at a time and then reviewing the data. One industry source said the testers might harm the SIPRNET during such an exercise, but Schmitt downplayed that possibility.

A joint statement from the Office of the Secretary of Defense and DISA also questioned the necessity of the test.

SIPRNET "is in fact an [IP] router network, and it uses many of the same kinds of hardware and software," according to the statement. "It is our view, however, that those commonalities do not translate into similar vulnerabilities."

The statement outlined the differences, highlighting SIPRNET's security features: "The SIPRNET is a closed system; the Internet is not. The SIPRNET uses protected distribution systems; the Internet does not. Information flowing on the SIPRNET is encrypted; most on the Internet is not. Users on the SIPRNET must be vouchsafed on to the network; users on the Internet need not be."

The statement added that DOD continually tests the security of the network under near-real wartime conditions and during peacekeeping operations such as those in Bosnia, Kosovo and East Timor.

Though the system of testing systems is an admirable goal, Schmitt said, "I would look for another way to do it."