Rome Laboratory, located in the rolling hills of Upstate New York, is the United States Air Force's premier command-and-control research facility. It conducts projects on everything from artificial intelligence to radar guidance to target detection. In April 1994, IT personnel discovered that hackers had broken into the Rome network. For at least three days, the cybercriminals had unrestricted access to the system and were able to copy and download classified files. The monetary cost of the intrusion was significant -- at least $500,000 -- but the security risk was much greater. "We have only the intruders to thank for the fact that no lasting damage occurred," stated the official Air Force report. "Had they decided, as a skilled attacker most certainly will, to bring down the network immediately after the initial intrusion, we would have been powerless to stop them."
Unfortunately for the Department of Defense (DOD), the Rome Laboratory intrusion was not an isolated incident. (See "Hacking the DOD" on the next page.) The U.S. General Accounting Office reports that hackers attempt to break into DOD computers at least 250,000 times a year. Too often, they succeed. But the lessons the DOD has learned from combating the hackers can be applied to risk management and IT security everywhere.