Experts Call for Better Computer Security

TIMES STAFF WRITER

Warning that the nation’s increasingly sophisticated economy is “at risk” to potentially catastrophic breaches of computer security, a committee of experts called Wednesday for concerted preventive action by government and private industry.

The committee, established by the National Academy of Sciences’ National Research Council, warned in its final report that U.S. industry is virtually oblivious to computer security dangers that could rival the threat posed by foreign terrorists.

“The modern thief can steal more with a computer than with a gun,” said the 300-page report, the result of 18 months of work. “Tomorrow’s terrorist may be able to do more damage with a keyboard than with a bomb.”

The report by the 16-member committee encourages Congress to establish a quasi-official, nonprofit Information Security Foundation to serve as an industry clearinghouse for computer system security research.

The foundation would oversee a nationwide tracking system for computer network security breaches and establish standards for safeguarding government and private-sector computer networks into the year 2000.

Committee Chairman David C. Clark, a researcher at the Massachusetts Institute of Technology’s Laboratory for Computer Science, said that recent breaches of computer security appear to be “leading indicators” of more widespread problems during the next decade.

“Our central conclusion is that national computing and communications systems are vulnerable to potentially catastrophic security breaches and accidental failures,” Clark said. “So far, the nation has been remarkably lucky in escaping any successful systematic attempts to subvert critical computing systems. Unfortunately, there is reason to believe that our luck may soon run out unless we take action now.”

John V. Guttag, another MIT computer expert, said that the panel reviewed the need for security measures to protect against outsiders who try to “hack” their way into computer data banks as well as industrial sabotage by disgruntled employees or corporate rivals.

The report cited recent horror stories of computer system intrusion, including a West German known as “Wily Hacker” who in the mid-1980s attacked 450 computers operated by the U.S. military and its contractors, successfully gaining access to 30. He allegedly had ties to the Soviet KGB, the report said.

In another recent incident, a computer software “worm” burrowed into thousands of computers through a university research network in 1988.

The committee proposed that all private-sector computer users--from telecommunications giants to small retailers--join in a cooperative effort to adopt the improved security standards developed by the foundation.

The report said the security standards should be analogous to the Generally Accepted Accounting Standards, which provide universal guidelines for the nation’s business accountants. They would be based on criteria already established by the Defense Department.

The proposed “Generally Accepted Systems Security Principles” would not be strictly regulated technical standards. That would be impossible in an industry that has yet to agree on a universal operating system for personal computers, Clark noted.

The foundation would be funded through membership fees paid by cooperating industries and manufacturers and vendors of computer hardware and software products.
