Clear and Present Danger?

Government Warns that Its Computer Systems Need Security Improvements

By Peter Dizikes

N E W Y O R K, Aug. 29 — Are computer hackers getting the upper hand on the U.S. government? That's what a government official is saying today at House subcommittee hearing in San Jose, Calif., as Congress scrutinizes the government's current level of security in the wake of a series of recent computer attacks. "Virtually all of the largest federal agencies have significant computer security weaknesses that place critical federal operations and assets at risk to computer-based attacks," said Keith A. Rhodes, chief technology officer of the General Accounting Office (GAO), in testimony prepared for the session.

Moreover, Rhodes says, more danger for Washington may lie ahead.

"Recent attacks foreshadow much more devastating Internet threats to come," added Rhodes. "Over 100 countries already have or are developing computer attack capabilities … NSA [the National Security Agency] has determined that potential adversaries are developing a body of knowledge about U.S. systems and methods to attack them."

As a consequence, Rhodes claimed, "there is a growing risk that terrorists or hostile foreign states could severely damage or disrupt national defense or vital public operations though computer-based attacks on the nation's critical infrastructures."

Behind the Private Sector?

At issue is more than just the Internet slowdowns such as those caused by the Code Red virus this summer, but the possibility that cyber-intruders could erase or alter crucial government information.

"It's certainly a concern," said Jeff Carpenter of the Computer Emergency Response Team (CERT) at Carnegie-Mellon University in Pittsburgh, prior to his own testimony at the hearings. "As the government and other sectors increase their information on the Internet, they increase their exposure, too."

And some computer security experts say the government has fallen behind the business world in protecting its information.

"The private sector has to a great extent been ahead of the curve compared to the government in security," says Mark Rasche of Predictive Systems, a network consulting agency in Reston, Va., and a former prosecuting attorney for the Justice Department. "The economics dictate that it be so."

In Rashe's view, businesses have a greater financial incentive to upgrade security. "It's not that we don't know what the solutions are," he says of the government's approach. "We're just not willing to dedicate the resources to them."

And Rhodes is calling for cooperation between the government and the high-tech industry to work on the problem.

"Most of the nation's critical infrastructure is owned by the private sector," Rhodes said. "Solutions, therefore, need to be developed and implemented in concert with the private sector."

In the Wake of Code Red

The hearings — held by the House Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations — come at the end of a summer during which government Web sites have periodically been under siege from hackers.

The Code Red worm, intended to cause outages at the White House Web site, spread rapidly throughout the Internet starting on July 19, and then in another cycle beginning July 31. Earlier this month, a related and possibly more dangerous worm, Code Red II, surfaced on the Web.

The White House technical staff averted a shutdown of its site, but the Pentagon had to close down numerous Defense Department Web pages on Aug. 1, and the worm ended up intermittently slowing down Internet traffic worldwide over a period of a few days.

Ultimately, the Code Red worms did not create great damage on the Web, although they infected more than 400,000 computers — according to CERT's estimate — and took a financial toll on companies and government agencies that either were affected by the worm or had to spend money upgrading their security.

Both worms took advantage of security flaws in two Microsoft operating systems — Windows NT and Windows 2000 — and in Microsoft's IIS server software. It is not known who unleashed Code Red on the Internet.

Cat and Mouse in Cyberspace

While the effects of Code Red have been generally contained, security experts warn that the pair of worms are a harbinger of growing sophistication among rogues in cyberspace.

"Over past 10 years, we've seen intruder community continue to develop their techniques," notes Carpenter. "They've increased their use of worm behavior to propagate attack of machines at exponential rates."

However, considering all the different functions of the government, it's also clear that some agencies, like those involving defense and national security, are already using far more sophisticated security techniques than others.

In those areas, notes Rasche, "there are classified networks that are reasonably secure. They come from a culture where security is paramount. But are they totally secure? No."

Still, Rasche adds, "One would hope that the computers carrying the nuclear codes are more secure than those at the Bureau of Land Management."

http://abcnews.go.com/sections/scitech/DailyNews/govt_security010829.html

-- Martin Thompson (mthom1927@aol.com), August 29, 2001