From: Rick Smith <smith@sctc.com>
Date: Fri, 28 Jun 1996 10:22:36 +0800
To: cypherpunks@toad.com
Subject: Re: CIA Fears UmpTeen InfoNukes
Message-ID: <199606271857.NAA10915@shade.sctc.com>
MIME-Version: 1.0
Content-Type: text/plain


m5@vail.tivoli.com (Mike McNally) asks:

> ...  the article included a claim that there have been
>250,000 attempted break-ins on DoD computers over the past year.

>Does anybody know how they count that?

The number comes from the recent GAO report, which provides it as an
estimated upper bound of the number of attacks. Notice how rapidly the
press loses the distinction between an estimated upper bound and a
hard number. The GAO report claims that 559 attacks were reported on
DOD machines last year, and that "only 1 in about 150 incidents" are
reported. That comes out to less than 84,000, and I'm not sure where
the extra factor of 3 comes from. The GAO report is vage about the
distinction between "reported" and "successful" attacks in statistics
from different sources, and this may account for some of it.

The GAO report also gives statistics from recent penetration work
done by DISA. What they did was mount a bunch of attacks on DOD
systems and see what happened. They claimed a 65% success rate.  Only
4% of the successful attacks were detected, and only 27% of those
detected were reported back up the line to the Pentagon.

It's an interesting report. It's gao/aimd-96-84, and you can get it
via their website at (no kidding) http://www.gao.gov

Rick.
smith@sctc.com        secure computing corporation