Panel Fears ‘Major Computer Disaster’

Modern thieves can steal more with a computer than with a gun, and America’s “luck” in avoiding a major computer disaster way soon run out unless security is tightened, an expert panel warned today.

A National Research Council committee concluded the United States has grown to rely on computers for everything from banking to health care without ensuring that such information is secure from accident or deliberate attack.

Furthermore, failures of computer system security, safety and reliability appear to be increasing in number and severity, the panel said.

Among the examples cited were: the much-publicized 1988 incident in which a reproducing computer program, called a worm, snarled as many as 6,000 computer systems; a nearly successful attempt to use thousands of phony automatic teller machine cards with identification numbers pirated from a computer, and a bid to defraud the Pennsylvania Lottery of $15.2 million by using a data base of unclaimed ticket numbers to produce a fake winning ticket.

Poor quality control also can make computer systems untrustworthy, the panel said. It cited an error in computer software controlling a radiation therapy machine that resulted in at least three patient deaths, and the scrambling of patient records at one hospital by a rogue program, or virus, that was accidentally introduced into its computer system.

“To date, we have been remarkably lucky. . . . As far as we can tell, there has been no successful systematic attempt to subvert any of our critical computing systems. Unfortunately, there is reason to believe that our luck will soon run out,” the 16-member panel said.

“The modern thief can steal more with a computer than with a gun. Tomorrow’s terrorist may be able to do more damage with a keyboard than with a bomb.”

Finding that no existing public or private organization is “positioned adequately to address the nation’s needs” in computer security, the experts called for creation of an Information Security Foundation funded by member subscriptions and fees for security evaluation and other services.

Neither of the two agencies traditionally assigned with overseeing technology--the National Institute of Standards and Technology and the National Security Agency--appears prepared to tackle such a task, the panel said in its 303-page report entitled “Computers at Risk.”

In addition, “the market does not work well enough to raise the security of computer systems at a rate fast enough to match the apparent growth in threats to systems,” said the panel, headed by David Clark of Massachusetts Institute of Technology in Cambridge.