Army Major General David Bryan declined to offer precise figures on the number of attacks on the Pentagon's classified systems, but confirmed that hackers have broken into unclassified systems 215 times during the past year.

"To my knowledge we have not had any successful intrusions into our classified networks," Bryan added.

The DOD was unsure of the identities of the hackers, said Bryan, who added that they could as easily have been kids as terrorists or hostile nations.

Many Incidents

According to figures released by the Pentagon, 23,662 incidents involving unclassified networks occurred last year, up slightly from 22,144 in 1999.

However, hostile attacks comprised slightly under two percent of these incidents, the Pentagon says.

Michael Rasmussen, a senior industry analyst for Giga Information Group, told NewsFactor Network that the majority of intrusions -- at least, on the DOD's unclassified systems -- were most likely general port scans.

In many cases, the hackers use automated tools downloaded from the Internet to conduct the probes.

"A lot of the hacker community has a 'Big Brother' mentality," Rasmussen told NewsFactor. "Many will knock on doors just to see what's going on."

Need for Security

Rasmussen said that the Pentagon probably decided to publicize its data at this point because it needs to address the issue. The frequency of incidents is "not going to really [be] cut down" by such disclosures, Rasmussen said, adding that the press has already exposed other governmental security agencies' IT defense vulnerabilities.

The most notable were the March 22nd denial-of-service (DoS) attacks on the FBI's network by hackers from the former Soviet Union.

"I know that some of the exploits [in the FBI attack] had security patches available, some dating back to 1998," Rasmussen said. "These hackers are watching for vulnerabilities, and people do not maintain the proper security," he added, whether they're in the private sector, the military or some other branch of government.

Ignorance to Blame

Rasmussen cited ignorance and a lack of qualified security personnel for problems like those the Defense Department has been experiencing.

"It's easier to deploy a Web server than to set up a security system," said Rasmussen. "Most [certification] classes do not touch upon security. These classes are about installing products with ease, not turning things off and locking things down. They don't realize that security is part of it all."

Too frequently, organizations assume that their often understaffed IT security team will communicate all threats to their networks, while also maintaining and patching them, Rasmussen said.

Added Rasmussen: "Systems administrators have to take responsibility for the day-to-day security of their systems. There's a misconception about who is responsible for IT infrastructures. "Organizations need to start making security maintenance as part of the job description for systems administrators. They need to be held accountable," he said.

The Pentagon's Wells assured news sources that the department has "greatly accelerated" technology development and deployment to defend critical systems against future, and possibly more devastating, cyberattacks.

Earlier this week, the Pentagon announced that it began upgrading its security by issuing smart cards to its employees.

The rollout is expected to continue through August 2002, and will also involve upgrading the department's IT hardware and workstation software.