Dutch teenagers broke into Pentagon computers during the Persian Gulf War and modified or copied unclassified but sensitive information related to U.S. war operations, congressional investigators said yesterday.
The hackers gained access to crucial information on military personnel, the type and amount of military equipment being moved to the gulf region and the development of important weapons systems, General Accounting Office officials said. The GAO report on the incidents was presented at a Senate Governmental Affairs subcommittee on government information. The GAO is the investigative arm of Congress.
Sen. Herbert Kohl (D-Wis.), the subcommittee chairman, said the GAO was withholding specific details, such as the names of the hackers and the dates and specific places of their intrusions, because of an ongoing investigation by the Justice Department.
"Even without details, the GAO's findings are very disturbing," said Kohl. "It appears that we were lucky this time. As far as we can tell, our troops in the Middle East were not jeopardized" by the information heist.
Jack L. Brock Jr., director of the GAO's government information division, told the subcommittee that between April 1990 and May 1991, a group of Dutch hackers penetrated Army, Navy and Air Force computer systems at 34 unspecified sites. Brock did not say how many of the intrusions occurred during the five-month U.S. buildup in the gulf region after Iraq's invasion of Kuwait in August 1990 or how many occurred during the war that began in January and ended in late February.
Brock said the Defense Department was "still unable to determine the full scope of the problem" because of inadequate measures for identifying intrusions.
The hackers generally gained access to the Pentagon computer systems by traveling through several networks, such as Internet, an unclassified network composed of more than 5,000 smaller networks nationwide and overseas and used mainly by government and academic researchers. The hackers then exploited various security weaknesses to gain access into military sites. The most common weaknesses included computer accounts with easily-guessed passwords or no passwords, and well-known security holes in computer operating systems, Brock said.
The GAO found little evidence that the hackers destroyed information in the Pentagon computers, but in several instances they modified and copied military information, Brock said.
In a few cases the hackers stored this information at major U.S. universities, Brock said. He did not identify the institutions. He said the hackers also modified system logs to avoid detection and to remove traces of their activities.
In most cases, administrators of the Pentagon computer systems did not detect the intrusions but were alerted by university, contractor or other officials, Brock said. The GAO official said actions were taken to halt intrusions after their discovery, but he added that the vulnerability problem has not been solved.
"These security weaknesses continue to exist," Brock said. "Without the proper resources and attention, these weaknesses will continue . . . to be exploited, thus undermining the integrity and confidentiality of government information."