Cyber Threats: How Serious?

In describing the intrusions into its computer sites, the Department of Defense's words had the gravity of a serious breach of national security. They were "the most organized and systematic attack the Pentagon has seen to date," announced an official.

In an interview days later, one of the perpetrators, a high school boy in Cloverdale, Calif., who in cyberworld is known as Makaveli, explained his motive: "It's power, dude, you know, power."

Is the Information Age a time of unprecedented strategic vulnerability for the United States, where enemies can wage war by unconventional means? Or is it a venue mainly for electronic ankle-biting that is more annoying than dangerous?

"All of the above," says Frank Cilluffo, a senior analyst at the Center for Strategic and International Studies in Washington. "At one end, it's a tool for conventional warfare, terrorism, and organized crime. At the other, it's the hackers, the kids, whose intent is not necessarily hostile."

Experts place their concern on different points of Mr. Cilluffo's spectrum. To date, most activity has been at the less-serious end. But most agree that the unprecedented reliance on the flow of information between computers and along the Internet has opened new vulnerabilities.

In dealing with the risks, the old rules don't apply. When cyber intrusions can be launched from anywhere, the traditional distinction between foreign defense and domestic law enforcement blurs. So does the neat separation of government and private-sector responsibility when the phone lines, for instance, transport growing amounts of civilian information and commerce as well as more than 90 percent of military communications.

Aside from the regularity of hacker headlines, like the Pentagon intrusion earlier this month, which reportedly did not penetrate any classified sites, the issue of cyber-security has been relatively low key. Its breadth and complexity had something to do with that. Experts also point out there has been no catastrophic incident - an indication to some that there is no cause for alarm. In addition, there has been ambivalence among some policymakers about the wisdom of broadcasting vulnerability.

Presidential commission

Whatever the reason, that low-key approach is changing. Indeed, the White House is expected to soon implement the first broad-based, national effort to respond to the threat. A commission set up by President Clinton in 1996 has urged steps such as more R&D to find better information-security tools, a concerted effort to raise public awareness, and the creation of new structures for greater cooperation between government and industry.

Gen. Robert Marsh, chairman of the Presidential Commission on Critical Infrastructure Protection, says he expects action on the group's recommendations "in a week or two." It would include, he hopes, appointing someone to the National Security Agency to act as a "highly visible" point person on information and infrastructure security.

The commission's work was massive, charged with examining how to protect key functions like the nation's communication and power systems, given their increasing dependence on computers. A small step was taken in late February when Attorney General Janet Reno put the FBI in charge of a new infrastructure protection center that will gather and disseminate information.

Still, even supporters of the pioneering work say it's just a start. In testimony to Congress last year, Peter Neumann, principal scientist in the Computer Science Lab at the research firm SRI International, wrote that the commission "has identified only the tip of a very large iceberg."

The key issue of the past few years has been encryption, and whether to allow its unfettered use in the US and its sale abroad. Encryption software makes files undecipherable to anyone but sender and receiver - a grave concern to law enforcement.

'Keys' to encryption

The White House is seeking legislation that would give law enforcement access to the "keys" to decode private files and messages. The computer industry and a number of organizations concerned about the effectiveness of keys as well as privacy rights are opposed to such governmental access. They also oppose the export prohibition, saying it's pointless because encryption is already flourishing worldwide.

The dispute over keys and exports has actually slowed the use of encryption, and many people, including General Marsh are eager to see the issue resolved. The debate "has impeded the progress of government and the private sector installing and using it," he says.

The vulnerability of the nation's information flow is partly a product of history. The Internet, developed initially as an academic research network with little thought for internal security, has now become a public highway. Similarly, early computer operating systems such as Unix and Windows were not designed with security in mind.

The wake-up call of Internet vulnerability occurred a decade ago when a Cornell student penetrated military and intelligence systems, shutting down thousands of computers. Though they were unclassified sites, the government responded by setting up the Computer Emergency Response Team (CERT) at Carnegie Mellon University in Pittsburgh. The government-funded group responds to major disruptions of the Internet with advice and electronic "patches" for holes created by hackers.

Crime on the rise

Jed Pickel, a member of CERT's technical staff, says the number of incidents reported to his team is rising - not surprising given the growth of usage of the Internet. Of more concern, is the spread of sophisticated "tool kits" - essentially instructions disseminated on the Internet - that allow even relatively unsophisticated operators to break into networked computers.

A survey released last week by the private, for-profit Computer Security Institute showed a sharp rise in computer crime and other information-security breaches. Of the 520 large US corporations, government agencies, and universities that responded to the survey, 64 percent reported breaches in the past year - up 16 percent. And of those invaded, there was a rise in the use of the Internet as the point of attack.

Hackers, per se, do not concern Cilluffo because much of their activity is motivated by a desire to intrude simply to demonstrate that it can be done. "The problem is they demonstrate vulnerability that can encourage others" with malevolent aims.

Electronic commerce on the Internet is still relatively small, but expected to grow steadily, offering added incentive for theft. An already-common problem is that of employees who wreak havoc by scrambling or deleting important files, such as personnel records or payrolls.

Overall, information security is "slightly better" than it was a decade ago, says Mr. Neumann, "but it has not improved commensurate with the increased threats and risks as everyone and everything races to be part of the Internet." He adds: "There is lots of good work going on in the research community, but it is not finding its way rapidly enough into the ... marketplace, because there is no financial incentive. Security is not a bottom-line item."