In Theory, Reality, U.S. Open to Cyber-Attack

The ground rules were simple: Use laptop computers purchased at local stores and software downloaded from the Internet. Target only unclassified government computer systems. And see how far you can get.

The “Red Team” hackers hit the jackpot. In less than three months, they secretly penetrated computers that control electrical grids in Los Angeles, Washington and other major cities. They broke into networks that direct 911 emergency response systems. They even got access to the Pentagon’s National Military Command Center, the heart of America’s war fighting operation.

The Pentagon’s mid-1997 “Eligible Receiver” exercise, carried out by a team of about 30 computer specialists from the National Security Agency, showed the theoretical vulnerability of America’s civilian and military logistics and infrastructure to cyber-attack.

Now “Moonlight Maze” has proved the case. The FBI-led inquiry found that real hackers apparently based in Russia have used the Internet to download essential military technical research, including missile guidance programs, and other data from unclassified Defense Department and other government computers for more than a year. The FBI’s inability to identify the covert intruders only highlights the danger in America’s increasingly wired world.

‘Extraordinarily Vulnerable’

The United States has become “extraordinarily vulnerable” to cyber-savvy foes who seek to penetrate or sabotage critical computer systems, said Richard Clark, President Clinton’s national coordinator for security, infrastructure protection and counter-terrorism.

“An enemy could systematically disrupt banking, transportation, utilities, finance, government functions and defense,” Clark said in an interview. “We know other countries that are developing information technology and are doing reconnaissance of our computer networks.”

Experts say the United States clearly leads the way in cyber-warfare technology. But Russia, Israel, France, England and India are also seeking to develop cyber-weapons, U.S. officials say. China is further behind but has demonstrated increasing sophistication.

“It’s cheaper and easier than building a nuclear weapon,” Clark said. “It takes fewer people and far less money.”

In May 1998, Clinton issued a presidential directive to reorient the U.S. government and private industry to guard against the danger that computers may become if used by vandals, terrorists, criminals and governments. He set a five-year goal to protect “those physical and cyber-based systems essential to the minimum operations of the economy and government.”

With more than $500 million set aside to upgrade computer security, one obvious priority has been to improve the government’s now-primitive computer security systems. Many are first-generation and fail to detect the increasingly sophisticated hacker attacks. Other changes are also underway.

Last week, for example, the Pentagon quietly made computer security a component of military strategy and a pillar of national defense. An interim joint task force formed last December to monitor and defend the Pentagon’s global information networks was formally shifted to the U.S. Space Command, becoming a key part of its combat mission.

In addition, the Treasury Department opened the first Information Sharing and Assessment Center with a consortium of private banks, finance houses and insurance companies. The center, based in Reston, Va., will work as a clearinghouse for computer threats and pass high-tech fixes to members.

Similar government-backed high-tech centers will be opened for electric utilities and oil companies, railroad and aviation companies, and the telecommunications industry.

The administration has sparked a controversy, however, by proposing a law that would allow limited monitoring of government computer networks. Supporters say it is needed to better protect tax, Medicare, military and other government records. Critics have called the plan a vast government attack on privacy and civil liberties.

The more immediate problem, however, is the stunning pace of technological change. Government and corporate computer network administrators play a cat-and-mouse game with those who see every new defense as a challenge to be overcome.

“The state of the art is such that, while we are putting up protective barriers and firewalls and such, there is general agreement that there are no 100% guarantees,” said John Gilligan, who directs information technology and information systems at the Energy Department, one of the Moonlight Maze targets.

“They’re fine for [protecting against] the less experienced and even more sophisticated hackers,” he added. “But the technology does not allow us to guarantee that we can withstand a very sophisticated attack against our systems. That’s one of the vulnerabilities we face.”

But Gilligan also argued that the danger is usually overstated. With each menacing new virus-infected e-mail, alarmists in the media and politicians have darkly warned that a digital surprise attack--usually called “an electronic Pearl Harbor”--could suddenly devastate America’s infrastructure.

“I think right now we’re still somewhat protected,” Gilligan said. “To get access to the electricity grid computers, to start to shut some of the grid, you have to really work at it. . . . To do a Pearl Harbor, you’d need a lot of inside information.”

Indeed, the evidence suggests a certain amount of hype and hysteria have overshadowed the reality of cyberspace.

The FBI is the government’s lead agency for investigating computer-related crimes involving more than $5,000 and has seen its caseload double each year--200 two years ago, 400 last year, 800 pending this year. But the bulk of its caseload has been traced to malicious hackers looking for profit or revenge, rather than terrorists or organized-crime groups.

‘Electronic Joy Riders’

The Pentagon detects 80 to 100 “hits” by would-be hackers on its computers each day. But only about 10 require further investigation, and most prove to be what experts call “electronic joy riders,” usually teenagers playing on the Net.

As a rule, the government’s classified computer systems are separated from its online computers and have no network connections to the outside world.

But a surprising amount of confidential data have been available even on public Internet sites. Late last year, for example, Defense Secretary William S. Cohen ordered the removal of officers’ addresses and telephone numbers, along with other sensitive information, from the department’s 1,000-plus World Wide Web sites.