Summary: GAO testified on intrusions by a group of Dutch computer hackers into Army, Navy, and Air Force computer systems. During a 14-month period that covered the Persian Gulf War, hackers from the Netherlands penetrated 34 Defense Department (DOD) sites. DOD officials, however, are still unable to determine the full scope of the problem because security measures for identifying intrusions are often lacking. At many sites, the hackers had access to sensitive information on topics like (1) military personnel, (2) logistics, and (3) weapons systems development. Although such information is unclassified, information from at least one system, which was successfully penetrated at several sites, directly supported Operation Desert Storm/Shield. The security weaknesses that permitted the intrusions and prevented their timely discovery highlight DOD's inadequate attention to computer security. Poor password management, failure to maintain and review audit trails, and inadequate security training all contributed to the intrusions. GAO highlighted some of these very weaknesses in a report issued two years ago (GAO/IMTEC-89-57, June 12, 1989). Without proper resources and attention, these weaknesses will persist and be exploited, undermining the integrity and confidentiality of government information.
