Breaking Into Computers Is a Crime--Pure and Simple

During the last few years, much has been written to publicize the feats of computer hackers. There was, for example, the popular movie “War Games,” about a teen-ager who, using his home computer, was able to tap into a military computer network and play games with the heart of the system. The games got out of control when he chose to play “thermonuclear war.” The teen-ager, who was depicted with innocent motives, eventually played a crucial role in solving the problem and averting a real nuclear exchange, in the process emerging as hero. A real-life example in early November involved a so-called computer virus (a self-replicating program spread over computer networks and other media as a prank or act of vandalism), which nearly paralyzed 6,000 military and academic computers.

Unfortunately, perhaps because the effect of such “pranks” seems remote to most people, it is tempting to view the hacker as something of a folk hero--a lone individual who, armed with only his own ingenuity, is able to thwart the system. Not enough attention is paid to the real damage that such people can do. But just consider the consequences of a similar “prank” perpetrated on our air-traffic control system, or a regional power-control grid, or the banking system, or a hospital information system. The incident last week in which an electronic intruder broke into an unclassified Pentagon computer network, altering or destroying some files, caused potentially serious damage.

We do not really know the full effect of the November virus incident that brought many computers on the Cornell-Stanford network to a halt, but credible published estimates of the cost in man-hours and computer time have been in the millions of dollars. The vast majority of professional computer scientists and engineers who design, develop and use these sophisticated networks are dismayed by this total disregard of ethical practice and forfeiture of professional integrity.

Ironically, these hackers are perhaps driven by the same need to explore, to test technical limits that motivates computer professionals; they decompose problems, develop an understanding of them and then overcome them. But apparently not all hackers recognize the difference between penetrating the technical secrets of their own computer and penetrating a network of computers that belong to others. And therein lies a key distinction between a computer professional and somebody who merely knows a lot about computers.

Clearly a technical degree is no guarantee of ethical behavior. And hackers are not the only ones who abuse the power inherent in their knowledge. What, then, can we do?

For one thing, we--the public at large--can raise our own consciousness: Specifically, when someone tampers with someone else’s data or programs, however clever the method, we all need to recognize that such an act is at best irresponsible and very likely criminal. That the offender feels remorse, or that the virus had unintended consequences, does not change the essential lawlessness of the act, which is in effect breaking-and-entering. And asserting that the act had a salutary outcome, since it might lead to stronger safeguards, has no more validity than if the same argument were advanced in defense of any crime. If after experiencing a burglary I purchase a burglar alarm for my house, does that excuse the burglar? Of course not. Any such act should be vigorously prosecuted.

On another front, professional societies such as the IEEE Computer Society can take steps to expel, suspend or censure as appropriate any member found guilty of such conduct. Finally, accrediting agencies, such as the Computing Sciences Accreditation Board and the Accreditation Board for Engineering and Technology, should more vigorously pursue their standards, which provide for appropriate coverage of ethical and professional conduct in university computer science and computer engineering curriculums.

We are well into the information age, a time when the computer is at least as vital to our national health, safety and survival as any other single resource. The public must insist on measures for ensuring computer security to the same degree as other technologies that are critical to its health and safety.