Debunking the 250k figure

Pentagon trashed for putting "spin" on cyber attacks

SAN FRANCISCO (Wired) [2.26.98] - The disclosure by the Pentagon that "cyber attacks" had been waged against at least 11 military computer systems is either politically motivated scaremongering or evidence of technical ignorance, system administrators and computer security experts say.

In a breakfast meeting with reporters Wednesday, deputy secretary of defense John Hamre sent headline writers to maximum alert when he said that in recent weeks, a small number of individuals had launched a "highly organized and systematic" attack on the Pentagon's computer systems. Only unclassified materials such as logistical and administrative data had been probed or accessed, Hamre said. He declined to provide specifics, citing the need for secrecy pending an investigation.

But one source, a former defense contractor employee familiar with federal computer technology and security, was suspicious of Hamre's agenda in making the unprompted announcement. "Most administrators are loath to admit mistakes like this," the source said, "which makes me really wonder if the report even originated inside the technical group at the Pentagon." The source said that Hamre's statements may be politically motivated, designed to build support for increased Defense Department funding in an era when government coffers are shrinking.

Hamre reportedly said the Defense Department has been attempting in recent years to update its systems against security attacks, but that "we have to do a good deal more in this area."

Hamre made the remarks to the Defense Writers Group, an exclusive cadre of journalists affiliated with national news media organizations. Pentagon public affairs officials refused to provide a transcript of the meeting, or comment on what was said.

Early news stories reported Hamre's comments rather uncritically and did little to clarify the nature of the attacks. Hamre himself was not specific about whether or not hackers were attempting to query federal systems -- such as merely opening up a telephone connection to a federal machine linked to the Internet, or sending such a machine a harmless "ping" request -- or genuinely getting in.

All high-profile computer systems are commonly queried by curious computer users running programs such as "port scanners" that knock on network doors and only identify whether any are open. One source told Wired News that up until a year ago, every attempt to open a telnet connection -- a common networking scheme used to operate computers remotely -- to a government system was considered an attack.

Sorting out exactly what happened with the "cyber attacks" is a tricky proposition. "This has all the appearances of just being a game," Hamre told the reporters. "Somebody trying to get in so they can say they got in," he said.

According to a Washington Post report Thursday, intruders attempted to enter four Navy and seven Air Force systems and had actually accessed administrative information in some cases.

"That could be anything, on any computer they own," said James Wilson, system administrator for CruxNET. "Someone probably broke into their Web server again," said Wilson. "It happens to all major government servers every once in a while. That is why the Web servers have absolutely no connection to anything near being valuable," Wilson said.

This physical isolation of sensitive information from public networks is a standard network security practice known as compartmentalizing. For the government to leave even payroll information accessible to the Internet, sources said, suggests negligence.

Peter Neumann, moderator of the RISKS Digest mailing list -- a weekly roundup of intrusions and security threats around the world -- confirmed that no sensitive information was available through government Web sites. Neumann suggested that there is a difference between attempted break-ins, which are routine, and actual penetrations, which are not.

"When you hear a report that a system is under attack, it doesn't mean that anyone penetrated it," said Neumann, adding that "The stuff that's on the Internet is there because it's supposed to be disseminating information."

Another source said that if systems really were compromised beyond routine Web page hacks, then the administrators at those sites need a lesson in basic TCP/IP security. "If it's been going on for weeks, and they haven't been able to stop it, well then clearly their skills are lacking," he said. "Fool me once, shame on you. Fool me twice, shame on me," the administrator said.

"Being attacked isn't a big deal, and should be expected of any site that is well known, and the admins should be prepared to deal with it," the source said.

But the larger question of protecting valuable and sensitive data -- beyond human resources files -- is a much more serious matter, said Neumann, who was an advisor to the President's Commission on Critical Infrastructure Protection. That report examined the vulnerability of the nation's key energy and communications infrastructures. The report is still largely classified, but last fall Neumann said that the upshot is that as far as critical infrastructure goes, "we're in bad shape."

Still, despite Hamre's announcement, Neumann said that hard data on intrusions doesn't come easily. "It's very hard to get the correct numbers of how many things are actually broken into," he said. "They don't talk about it."