DOD: Systems need more protection

The Defense Department must do more to guard against cyber threats, said Robert Lentz, the department's director of information assurance.

"As our dependence on information networks increases, it creates new vulnerabilities, as adversaries develop new ways of attacking and disrupting U.S. forces," he said. "Everyone must be made aware of his or her role in assuring the nation's information."

Lentz, speaking late last week to a House Subcommittee on terrorism, unconventional threats and capabilities, said that in recent years the department has become more reliant on off-the-shelf products proven in the commercial world. But some experts said that off-the-shelf code can require frequent security patches because holes repeatedly emerge in commercial code. And off-the-shelf software mainly comes from people with no security clearance or workers in other countries.

Foreign labor "has been wonderful for the economy," said Eugene Spafford, a Purdue University professor and director of the school's Center for Education and Research and Information Assurance and Security. "But it has introduced tremendous vulnerability to our software."

Much of the commercial software used by defense agencies was never meant for use in a military environment, or subjected to the ferocity of attacks often seen by defense networks. Last year alone the department defended itself against 50,000 attack attempts to gain access to the network, Lentz said.

Robert Dacey, director of the General Accounting Office's technology team, credited DOD with being one of the most advanced agencies for information assurance. However, a GAO report released last week said the department lacks policies needed to tightly guard data and ways to enforce the policies it does have. Although the department has an Information Assurance Program, officials don't have a way to measure compliance with the government's security policies, according to the report.