Infamous Hacker’s Sentencing Brings Little Comfort to Officials

TIMES STAFF WRITER

The sentencing in Los Angeles on Monday of Kevin Mitnick, the nation’s most notorious computer hacker, for breaking into Sun Microsystems computers would ordinarily be cause for celebration by the federal government.

Officials are still smarting from Mitnick’s 1983 efforts to break into the Pentagon’s computers.

But federal officials are in no mood to celebrate. It has been 16 years since Mitnick--apparently motivated not by money but by the intellectual thrill of reading highly sensitive information--mocked federal computer security. Yet, reeling from a series of recent attacks by hackers, officials fear that they are no closer now to solving the problem and may actually be losing the war against computer invasions.

“It’s not a matter of if America has an electronic Pearl Harbor,” said Rep. Curt Weldon (R-Pa.), chairman of the National Security subcommittee on military research and development. “It’s a matter of when.”

Attackers Penetrate Federal Web Pages

In the last three months alone, anti-government hackers have invaded Web pages maintained by the U.S. Senate, the FBI, the Army, the White House, several Cabinet departments and the Idaho National Engineering and Environmental Laboratory, which does work for the Energy Department.

So far, the attacks--which range from notes posted on the White House Web site making light of President Clinton’s involvement with former White House intern Monica S. Lewinsky to more ominous assaults that have penetrated the Pentagon’s computers--have caused some temporary shutdowns of Web sites without compromising U.S. security.

But federal cyber-cops suffered another blow last month when the House Appropriations Committee, responding to privacy concerns raised by civil liberties advocates, denied the Justice Department’s request for a “federal intrusion detection network” to monitor all government computer networks.

Indeed, the 37-year-old Mitnick remains one of the few examples of successful government detection and prosecution of a computer criminal. In a decadelong crime spree, the self-taught hacker has faced federal and state charges for attempting to break into dozens of computers at universities and private companies.

Mitnick pleaded guilty in March to five counts of a federal indictment charging him with making unauthorized electronic transfers of proprietary software. He has spent more than four years in jail.

Mitnick likely will be released by U.S. District Judge Mariana Pfaelzer to a halfway house for time served when his case comes up Monday. What’s more, he continues to blast the government for what he calls “overzealous” prosecution. Late last month, for example, his lawyers filed a motion accusing the federal government of inflating the financial damage his crimes caused in a bid to build a case against him.

“The government has had another agenda in prosecuting him,” said Mitnick’s Los Angeles lawyer, Don Randolph. “They are trying to make an example of someone accused of computer break-ins. But we think it is wrong any time the government goes beyond its prosecutorial role.”

Mitnick’s sentencing is not expected to slow the wave of computer break-ins. Aided by the availability of more powerful personal computers and faster Internet connections--and facing government computer staffs depleted by corporate raiders--hackers who run the gamut from teenage vandals to domestic and foreign terrorists are taking aim at government computers.

Alarmed lawmakers are weighing legislation aimed at subduing the new Web war tactics.

One measure, introduced earlier this month by Rep. F. James Sensenbrenner Jr. (R-Wis.), calls for more money to train U.S. computer scientists, more secure networking standards and a change in procurement standards to allow beleaguered government agencies easier access to cutting-edge computer security technology.

A number of congressional panels have looked into bolstering government computer security, including the House Science subcommittee on technology. Rep. Constance A. Morella (R-Md.), who chairs the subcommittee, said last month that “the lack of adequate computer security in our federal agencies has the potential to wreak even more havoc” than the Year 2000 computer bug.

No one has precise figures on the number of assaults on government computers. And government experts are loath to talk about the problem for fear of encouraging even more computer break-ins.

But Carnegie Mellon University in Pittsburgh, where a federally funded coordination center tracks about a third of government and commercial Internet servers, reports that the pace of break-ins this year is on track to double 1998’s record of nearly 4,000. The Federal Computer Incident Response Capability Center, which tracks some but not all government computers, said that there were 68 incidents in June involving 145,737 government computers, triple the number from six months earlier.

“This is a huge problem and is certainly increasing,” said Peter Mell, a computer scientist at the National Institute of Standards and Technology, an arm of the Commerce Department.

Fending off attacks, Mell added, is very much like an arms race: “You have to be vigilant and stay up to date to protect your system . . . because every few weeks or so another weapon is released that makes everybody’s computers vulnerable.”

Indeed, the FBI estimated that illegal hacking of Web sites in general caused more than $123 million in losses last year and said that the activity poses “a growing threat . . . to the rules of law in cyberspace.”

In a recent classified briefing, the Justice Department told Congress that “massive attacks” have been launched on U.S. government computers in recent months, according to Weldon. He added that the attackers included not just teenagers but also “foreign nationals.”

“It appeared that these attacks were a systematic effort to break in and get government secrets,” he said.

While many of the most recent attacks on government computers appeared aimed at embarrassing exasperated law enforcement officials rather than stealing classified or sensitive information, assaults on government Web sites nevertheless have grown more aggressive in recent weeks.

Some experts said that defacings of federal Web sites stem from a 12-city FBI investigation of credit card fraud and misuse of pilfered passwords by a group suspected of illegal hacking. The agency has served 16 search warrants, from California to Texas. It also has questioned about 20 people, some of them teenage boys thought to be affiliated with a group known as Global Hell, or gH.

Shortage of Experts Hinders Security

In apparent reaction to the FBI crackdown, members of the group posted this message last month on the Interior Department’s Web site after breaking into one of its computers:

“The FBI declared war by raiding lots of gH members. Now, it’s our turn to hit them where it hurts . . . by going after every computer on the Net with a .gov prefix.”

The government’s efforts to combat break-ins have been complicated by a critical shortage of trained government computer experts. Many of the best and brightest government computer experts have been lured to private industry, where fast-growing computer networking and telephone firms like America Online Inc., Cisco Corp. and MCI/Worldcom Corp. are dangling lucrative pay and stock options.

Also playing a role in the growing number of computer break-ins is the proliferation of widely available and easy-to-use software that allows even computer novices to invade or attack Web sites.

Space Rogue, the moniker for a hacker who joined about 2,400 of his colleagues, security experts and government officials at the seventh annual DEF-CON hacking convention in Las Vegas this month, acknowledged that the widespread availability of these tools has been a factor in Web site defacings. However, he said, such software also allows “security professionals to protect themselves and to test” the integrity of their Web sites.

“I can use a crowbar to break into a house or bend a piece of metal. Should crowbars be outlawed?” Space Rogue asked rhetorically.

Although experts are uncertain whether the defacement of government Web sites may be a barometer of the government’s vulnerability to more serious computer threats, they all agree that the recent increase in the defacement of the sites is not a good sign.

The ease with which some government computers are being broken into has important implications for the nation.

Electronic commerce cannot flourish unless those using the Internet have faith that transactions are secure. Meanwhile, the government, which has broadened democratic discourse dramatically by using the Internet to disseminate information, could be forced to backtrack and return to the way business was conducted before: on paper or private computer networks not accessible to the public.

Some government officials already are mulling those options. After ordering all Army Web sites shut down last year pending a security review, Lt. Gen. William Campbell, Army director of information systems for command control and communications, said in an April speech that the military may take virtually all of its computer operations off the publicly accessible Internet.

In the days before the Internet, it was nearly impossible to break into most computers. An attacker had to have physical access to the machines, not to mention considerable technical knowledge, to do harm. But in today’s world of near-ubiquitous electronic connectivity and freely available hacking tools, it is easy for outlaws to penetrate machines around the world.

When Mell searched the Internet last year for attack software, he found sites containing hundreds of such programs. Known as scanners, the programs can automatically probe tens of thousands of Internet sites for vulnerabilities in the software that runs them.

The attacker can then do one of two things: He can exploit the software vulnerability in the computer to break in and search its hard drive and memory to change or steal stored information, or he can use a second program to overload the machine with data requests, thereby denying others access to the site.

“Government agencies need to reconsider and probably pull back from their embrace of [computer] networking,” said James X. Dempsey of the Washington-based Center for Democracy and Technology. “Their vulnerability is a huge one. Hopefully, however, that won’t become an excuse to release less information to the public.”
