Pentagon Networks Hacked 250,000 Per Year

Wednesday, March 21, 2012

Rafal Los

0a8cae998f9c51e3b3c0ccbaddf521aa

Recently I saw this little gem scroll by on Twitter, tweeted by an account called "@InsaneFacts":

"Each year the Pentagon estimates their computer network is hacked 250,000 times."

I don't even know if this is true, since the account doesn't cite any source, but let's analyze this sentence for a minute and why I keep writing about the importance of context in information security - or anything, really.

First, what does hacked mean to you?  After some Google'ing the best I could do was come up with this definition of 'computer crime' (or Cybercrime).  That page, or Google, doesn't really help me understand what it means to be 'hacked'.

Let's face it, every time some celebrity gets their password (typically stupidly simple and easily guessable like "password" or "love" or "crazy") guessed and their Twitter account is compromised to tweet naughty things the media goes crazy with "Celebrity hacked!" headlines... you know what I'm talking about.  But is this really 'hacking' or simple password guessing?

Not to deviate too far from the point here, 250,000 - that's a quarter million "hacks" - is a big, big number, even for an organization the size of the Pentagon.  If you ask me what it means to be hacked, out of context, I will tell you that it means to be breached and subverted digitally.  I will tell you that it means to have your defenses bypassed and your secrets, intellectual property or critical information exfiltrated or corrupted. 

Unfortunately, I suspect that if this actually happened at the Pentagon a quarter million times a year, America would be in a much, much worse position than we are today.  Our battle plans would be compromised, launch codes, schematics, and covert identities would be completely compromised and on one would be safe. 

A quarter million times... that's a compromise every 131.4 seconds unless my math is wrong.  Every two minutes or so the Pentagon would have been compromised.  Does this sound even remotely logical to anyone?

I suspect what they really mean is that the Pentagon's digital assets get attacked 250,000 per year.  This sounds more logical and palpable.  In fact, my home network gets 'attacked' at about this rate, or maybe even higher.

Alright, so I'm not writing this just to poke fun at someone's silly idea of FUD (Fear Uncertainty Doubt) which is no doubt being used to get more funding for some cyber-security initiative involving more expansive anti-virus, more firewalls, or what-not by some lobbyist.  I'm writing this post to alert you to the dangers of using words like 'hacked' without any context, or solid definition. 

I keep using the phrase "Statistics don't lie, those that make them up do" but I know I'm missing giving some smart person credit for it (no clue who though) - and I suspect this is just another case of someone trying to mis-use some out-of-context metric to prove their value

It's really meaningless, at best, and dangerously misleading at worst.  Hopefully whom ever put this out isn't being misleading on purpose, let's give them the benefit of not knowing better...

So before you cite a 'fact' like this - please understand what you're saying, and provide some context.

As a community though ... we need to create definitions that people like the media and our own community understand and can use without fear of being FUDdy...  We really, really need to define "hacked" ... preferably before this gets any more out of hand..

Cross-posted from Following the White Rabbit

Possibly Related Articles:
7895
Network->General
Information Security
Passwords Access Control DoD Attacks Network Security Pentagon National Security hackers FUD
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.