March 5, 1998 5:05 PM PST
Computer security problems growing
While security experts say the publicity has highlighted a serious problem, they are skeptical about the government's ability to do anything about it.
News last week that Pentagon computer systems had been hacked, allegedly by two California teenagers, and Monday night's "denial of service" attack on university, Navy, and NASA computers across the country have elevated the issue of computer security to the front pages of the nation's newspapers.
And while neither of the widely publicized incidents was reported to have resulted in serious data loss or the exposure of sensitive national security information, observers say the attacks vividly demonstrated a vulnerability that could result in disastrous losses in the future.
Indeed, a study released yesterday reported that computer security breaches were up 16 percent from 1996 to 1997, and that computer-related crime including security breaches had cost 241 surveyed organizations $136 million last year. Another study released today showed personal security to be of paramount interest to Internet users.
The Pentagon security breach and Monday's attack may have brought the danger of computer security to the attention of newspaper editorial writers and the general public. But government concern has been rising since a report was filed late last year by the President's Commission on Critical Infrastructure Protection.
That report warned that "the resources necessary to conduct a cyberattack are now commonplace. A personal computer and a simple telephone connection to an Internet service provider anywhere in the world are enough to cause a great deal of harm."
Last week, U.S. attorney general Janet Reno announced that the FBI would step up efforts to investigate computer security breaches. Reno will ask Congress for an additional $64 million in funds for a new center devoted to those investigations.
The announcement was met with both applause and skepticism within the industry. On one hand, security proponents believe that law enforcement has not paid adequate attention to the threat posed by hackers. On the other hand, many observers see law enforcement as an inadequate tool to cope with attacks that can be launched by anyone from trouble-making teenagers in rural California to hostile foreign governments.
"Making it illegal doesn't stop hackers, especially if they're operating anonymously from offshore," said Peter Neumann of consultancy SRI International. "If a terrorist wanted to take over all of those Pentagon machines, it would be child's play, and that would be a serious problem."
At the Pentagon and other government sites, classified information is protected by a so-called "air wall," which means it is stored in computers not accessible through an external network. But security experts note that the government considers the aggregation of enough stolen unclassified information a national security threat. Beyond that, the ease with which two California youths allegedly gained access to the Pentagon's computer system raises questions about the government's ability to secure its information, unclassified and otherwise.
"If the Department of Defense is this bad at protecting unclassified information, you've got to wonder if there isn't an open window somewhere [to classified information] and someone has gotten through it," mused David Kennedy, director of research for the International Computer Security Association.
Many observers hoped the recent high-profile events would spur people and organizations to take security more seriously.
"I hope that the government is suitably embarrassed about hackers getting into the Pentagon and that it installs some better safeguards," said Georgetown University computer science professor Dorothy Denning, a noted security authority.
"But these agencies were all created to work separately," Denning said. "They just can't do that in today's world. They need to be able to bridge the gap, and people are resistant to that."
Even if the federal government can get its own agencies to work together, it will face another natural antipathy, insofar as it requires cooperation from the computer industry itself.
"Industry and government are in slightly different places on security," said Steptoe & Johnson attorney Elizabeth Banker, former assistant general counsel to the President's Commission on Critical Infrastructure Protection. "In certain places, industry doesn't want help from the government."
Banker noted that companies only report 5 percent to 10 percent of all computer break-ins. Companies are reluctant to report such incidents because they risk a high-profile investigation that could damage the company's reputation for security while offering little recompense in the long run.
"There are civil remedies," said Banker. "But if it's a 16-year-old, you don't want to sue him for his allowance."
Another point of contention between the computer industry and the government is the government's refusal to allow the export of strong encryption technologies and its desire to maintain encryption keys in government escrow.
"When you consider that the FBI is in kind of an adversarial position with members of the industry because of encryption, that sort of thing is going against their potential for success," she said.
Analysts differed on the extent of the threat posed by hackers. Even unclassified military information could be pieced together to glean secrets, said the government's Computer Incident Advisory Capability team security specialist Bill Orvis. And information not kept behind "air walls," such as hospital records, could be altered by hackers with devastating results.
Even the comparatively harmless "denial of service" attacks can wind up costing organizations hefty sums in lost productivity and technical support, according to Orvis. "Denial of service" attacks prevent servers from answering network connections and can crash individual computers.
Orvis said he was optimistic that the current incidents and publicity would cause people and organizations to take security more seriously. But he cautioned against blaming the victims in the latest attacks.
"I wouldn't say the Pentagon was any more lax about security than anyone else. If you're a systems manager and you have a certain number of computers to maintain, there's a tradeoff between how tight you can make security and how much time you're willing to spend," he said.
"What you spend securing it may very well be more than you'd ever lose in an attack. Ten thousand computers times $150 per hour for service times the amount of time it takes to install those patches--it's a big number. I'm sure at the Pentagon they're making the same kinds of tradeoffs," he said.
Ultimately, both prevention and law enforcement may prove insufficient to protect information in a networked world.
"We need some radical surgery," opined SRI's Neumann, who said the problem lies with the basic infrastructure of computers and the Internet.
More secure technologies exist, according to Neumann, but are not finding their way to market on a widespread basis. These technologies include authentication techniques to verify identities and analysis methods to detect network misuse.
"The technology is out there now, but it's not being used in any systematic way," he said. "It wouldn't solve all of our problems, but it would change the nature of the problem. You'd be significantly better off than you are today."