The Warnings That Came Before McKinnon

Earlier government warnings showed that weak passwords, penetrations, and re-entry tools were known defense-network problems before McKinnon.

Introduction

Long before Gary McKinnon gained access to US military and NASA systems in 2001–2002, government auditors had already warned that the Department of Defense (DoD) faced serious and recurring computer-security problems. A key warning came from a 1996 report by the US General Accounting Office (GAO, now the Government Accountability Office), which concluded that defence networks were being attacked frequently, that many intrusions succeeded, and that attackers often exploited basic weaknesses such as poor password controls and inadequate system administration. The significance of the McKinnon case is therefore not that it revealed an unknown vulnerability. Rather, it demonstrated in a highly public way that weaknesses identified years earlier had not been fully resolved. [National Security Archive]

The Warnings That Came Before McKinnon

What the 1996 GAO assessment warned about

In May 1996, the GAO published Information Security: Computer Attacks at Department of Defense Pose Increasing Risks (GAO/AIMD-96-84). The report examined the growing number of attacks against DoD computer systems and concluded that unauthorised users were increasingly gaining access to sensitive military information. According to GAO testimony accompanying the report, DoD estimated that its systems experienced as many as 250,000 attacks or probes during 1995, while only a fraction of intrusions were believed to be detected and reported. [GAO+2]

More important than the raw numbers was the pattern of attacker behaviour described by the auditors. The GAO warned that successful intruders were not merely browsing systems. Attackers were stealing information, altering data, damaging software, and installing mechanisms that allowed them to return later without repeating the original intrusion process. In modern terminology these would be described as persistence or re-entry techniques. [GAO]

The report also highlighted a broader management problem. Security weaknesses were not isolated to a single installation or programme. Instead, the GAO described systemic difficulties in protecting sensitive but unclassified military networks and ensuring that access controls, monitoring practices, and configuration standards were consistently enforced across the department. [National Security Archive]

Earlier evidence of password and access-control failures

The 1996 findings did not emerge in isolation. GAO had already investigated earlier intrusions, including a well-known case involving Dutch hackers who penetrated dozens of DoD systems during the period surrounding Operations Desert Shield and Desert Storm. That investigation found that attackers commonly exploited easily guessed passwords, default vendor accounts, and known operating-system weaknesses. Once inside, they often sought administrator privileges and established methods for later re-entry. [GAO]

This historical detail is particularly important because it shows that weak passwords and persistence mechanisms were recognised defence-network problems nearly a decade before McKinnon’s activities. The issue was not a lack of awareness. Auditors and investigators had repeatedly documented the same categories of weakness throughout the early and mid-1990s. [GAO]

How McKinnon’s Case Echoed Earlier Weaknesses

When allegations against McKinnon became public, many reports focused on his UFO-related motivations and the embarrassment caused by an outsider accessing military computers. Yet the technical themes closely resembled those highlighted in earlier GAO assessments.

The McKinnon case centred on claims that he located poorly protected systems, exploited weak account security, obtained password information, and installed remote-access software that allowed continued control of compromised machines. Those allegations mirrored the types of vulnerabilities the GAO had warned about years earlier: inadequate access controls, successful network penetrations, and the installation of tools that enabled repeated access after the initial compromise. [GAO]

The comparison is striking because the earlier warnings were not theoretical. The GAO had already concluded that attackers regularly penetrated DoD systems and that successful intruders often created means of returning to those systems later. McKinnon’s alleged activities fit that pattern almost exactly, making his case appear less like a novel security failure and more like a public demonstration of unresolved problems. [GAO]

Why Known Risks Can Still Become Public Scandals

One of the most revealing aspects of the McKinnon episode is the gap between recognising a risk and eliminating it. After the 1996 reports, the Department of Defense launched various information-assurance and network-defence initiatives. However, subsequent GAO reviews found that progress was uneven and that significant weaknesses remained in areas such as access control, system software management, and security oversight. [GovInfo]

A 1999 GAO follow-up assessment concluded that serious information-security weaknesses continued to expose defence operations to unauthorised access, data theft, modification, and destruction. The auditors specifically noted that many of the weaknesses identified in 1996 persisted despite corrective efforts. [GovInfo]

This helps explain why the McKinnon case attracted such attention. Public scandals often emerge not because a danger is newly discovered, but because a previously documented danger becomes impossible to ignore. The GAO’s warnings had already identified weak passwords, recurring penetrations, inadequate access controls, and attacker re-entry techniques as significant defence-network risks. McKinnon’s alleged intrusions transformed those audit findings from internal security concerns into a widely reported public example of how unresolved weaknesses could be exploited by an individual outsider. [GovInfo+2, National Security Archive]

The Lasting Significance of the GAO Warnings

Viewed in hindsight, the 1996 GAO assessment serves as an important benchmark for understanding the McKinnon case. It showed that defence-network vulnerabilities associated with weak passwords, insufficient access controls, and attacker persistence were already well known before the UFO-hacking episode entered public consciousness. [National Security Archive]

For historians of cybersecurity, the lesson is not merely that military systems were vulnerable. It is that auditors had documented many of the same weaknesses years before a high-profile intrusion brought them to wider public attention. The McKinnon case therefore stands as a visible example of a broader pattern that the GAO had already identified: known security weaknesses can remain operational risks for years, and when they are finally exploited in a dramatic way, the resulting scandal often reflects longstanding institutional problems rather than a sudden surprise. [GovInfo+2, National Security Archive]

Endnotes

  1. Source: gao.gov
    Link: https://www.gao.gov/products/aimd-96-84

  2. Source: gao.gov
    Link: https://www.gao.gov/products/t-aimd-96-92

  3. Source: gao.gov
    Link: https://www.gao.gov/products/t-imtec-92-5

  4. Source: govinfo.gov
    Title: GAOREPORTS T AIMD 96 92
    Link: https://www.govinfo.gov/content/pkg/GAOREPORTS-T-AIMD-96-92/pdf/GAOREPORTS-T-AIMD-96-92.pdf

  5. Source: govinfo.gov
    Title: GAOREPORTS AIMD 99 107
    Link: https://www.govinfo.gov/content/pkg/GAOREPORTS-AIMD-99-107/html/GAOREPORTS-AIMD-99-107.htm

  6. Source: gao.gov
    Title: aimd 98 274
    Link: https://www.gao.gov/assets/aimd-98-274.pdf

  7. Source: gao.gov
    Link: https://www.gao.gov/assets/t-aimd-98-308.pdf
    Published: May 22, 1996

  8. Source: media.defense.gov
    Link: https://media.defense.gov/1997/Nov/19/2001713673/-1/-1/1/98-024.pdf

  9. Source: nsarchive2.gwu.edu
    Link: https://nsarchive2.gwu.edu/NSAEBB/NSAEBB424/docs/Cyber-010a.pdf

  10. Source: gao.justia.com
    Link: https://gao.justia.com/department-of-defense/1996/6/information-security-t-aimd-96-108/T-AIMD-96-108-full-report.pdf

  11. Source: nsarchive.gwu.edu
    Title: United States Government Accountability Office
    Link: https://nsarchive.gwu.edu/sites/default/files/documents/5014245/United-States-Government-Accountability-Office.pdf
    Published: June 5, 1996

  12. Source: nsarchive.gwu.edu
    Link: https://nsarchive.gwu.edu/document/21406-document-10a
    Published: May 1996
