Government Ill-Prepared to Fight Hackers


Not enough funding or expertise

Charles Piller, Los Angeles Times Monday, March 6, 2000

Facing a sharp rise in serious Internet hacking episodes, the federal government two years ago started its biggest counterattack on cyber criminals, creating the National Infrastructure Protection Center to protect the United States' multibillion-dollar investment in computer networks.

But with funding this year of just $18.5 million -- far less than the cost of a single combat jet or the venture capital raised by many dot-com start-ups -- Internet security experts doubt that NIPC can provide much of a bulwark against cyber sabotage.

And as the agency struggles to solve the latest wave of attacks that blocked access to major Web sites last month, it faces an even greater long-term challenge: NIPC badly needs the cooperation of the industry, but many technology leaders deeply distrust the agency and its approach to network security.

The center, an agency led by the FBI, was assigned the gargantuan task of providing early warnings to network managers and hunting down malicious hackers. Its efforts so far have left a bitter taste in the fast-moving culture of technology.

"The FBI has really alienated most of the people in the Internet world, and now all of a sudden, they want to be our friends," said Phil Karn, a top Internet security expert at Qualcomm Corp., a thriving telecommunications company in San Diego. "There's definitely a perception that the government . . . has only one tool -- criminal law -- and that they see that as a solution to everything."

Security experts value law enforcement, although they also see prevention -- particularly stronger computer encryption -- as the more effective solution to cyber crime. But that solution flies squarely into the FBI's long-held position that encryption must not erode its domestic and foreign espionage and criminal surveillance abilities.

Leading outside security experts also consider the NIPC's charge overly broad, a result of the catch-all approach taken when the agency was created by the Clinton administration. The Commerce Department also has a computer security agency, but without law enforcement powers. Industry security experts doubt the NIPC's ability to track down cyber criminals while coordinating, educating and alerting the industry and government agencies about security threats during a nationwide pandemic of computer hacking and high-tech espionage.

The fears that prompted the creation of NIPC have been confirmed by the rapid increase in computer crime.

The Computer Emergency Response Team at Carnegie Mellon University said that it handled more than 8,000 incidents last year -- more than double the 1998 figure. These ranged from attacks that caused the recent spate of Web site failures to destructive computer viruses and small-scale hacking episodes.

As a result of the large computer-crime caseload and overly broad mission, the "NIPC seems pretty unorganized and unprepared," said Amit Yoran, president of RipTech, a security company in Alexandria, Va., and former head of computer vulnerability assessment for the Department of Defense Information Systems Agency.

"The place is just a little bit overwhelmed" as it faces tasks better suited to an industry consortium or nongovernmental group, he said.

Michael Vatis, the FBI official and Harvard Law School graduate who heads the NIPC, declined to comment for this article, as did other agency officials. Previously, they have noted a shortage in both funds and in the number of their computer-forensic experts. Moreover, the NIPC is unable to pay its computer specialists what they would earn in the private sector, starving the agency for talent, experts say.

The agency also has attained some notable successes, including the April 1999 apprehension of David Smith, perpetrator of the Melissa computer virus that caused tens of millions of dollars in damage. But with crime traveling on Internet time, high-profile victories are the exception.

Broader success, say security experts, is hampered by divisions between the agency and the security industry -- a rift so profound that only 32 percent of serious hacker attacks are even reported to law enforcement, according to the Computer Security Institute.

The low rate of reporting comes from a desire to avoid embarrassing disclosures and from doubts about the NIPC's ability to track down cyber criminals.

That distrust derives partly from long-standing differences over issues such as the creation and export of powerful encryption software that scrambles computer files to protect them from prying eyes.

The FBI has long resisted strong encryption and has thwarted exports of the most advanced encryption methods to try to preserve its own surveillance capacity. But that has scared away many companies from building into their products the most effective security techniques that would block potential computer hackers.

"The problem is, the U.S. government has completely compromised itself on giving advice on security, because every time the FBI has weighed in on this issue it's been to weaken it," said Jeff Schiller, network manager for the Massachusetts Institute of Technology and a leading computer security expert.

Although many companies affected by the most recent hacking case are cooperating with the NIPC, others have refused to, according to Sen. Robert Bennett, R-Utah, chairman of the Senate Year 2000 panel.

"There's evidence to suggest that some private groups had some information on the hackers and that they were reluctant to share it with the government," fearing that confidential data would be placed at risk, Bennett said.

Meanwhile, the FBI's culture of withholding information is unsettling to other agencies involved in NIPC, according to Scott Charney, a partner at the PricewaterhouseCoopers accounting company and, until recently, head of the Department of Justice's Computer Crime Section.

"Law enforcement agents are trained to keep information confidential, for a lot of good reasons," Charney said. But the problem is that the FBI has to work with other security agencies and private companies that don't operate in the same clandestine way, he added.

Karn points out that the slow-moving criminal justice approach is ill-suited to the pace of technological change. "The time can be better spent hardening our defenses," he said, if the government permits the industry to develop stronger encryption methods to keep out criminals and even law enforcement.

--------------------------------------------------------------------------------

THE RISING COST

Last year, 57 percent of large corporations and public agencies reported computer attacks over the Internet, up from 37 percent in 1996, according to a survey by the Computer Security Institute, a San Francisco group funded by individuals who work for major technology companies and government agencies.

Meanwhile, estimates of financial losses associated with all types of computer crime range into the billions annually, according to the institute. Some analysts say that the recent attacks on Yahoo and other Web sites cost the companies upward of $100 million in lost sales and ad revenues.

The National Infrastructure Protection Center/FBI caseload also has exploded -- from 200 in 1996 to more than 800 last year -- in part, experts say, because technology that allows invasions of computer networks has advanced more rapidly than the capacity to block those attacks or to track down criminals.

Source: Los Angeles Times

http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2000/03/06/MN95267.DTL

-- Martin Thompson (mthom1927@aol.com), March 06, 2000

