High-Tech Industry Plans to Unite Against Hackers

TIMES STAFF WRITERS

Fresh from a meeting with President Clinton, high tech executives on Tuesday pledged to create a network for sharing security information that could prevent the kind of hacker attacks that disrupted popular Web sites last week.

But the industry, which makes no secret of its distrust of government intervention, found itself answering questions from reporters about why it did not heed FBI warnings in December about the likelihood of “denial-of-service attacks,” such as those that temporarily disabled Yahoo, EBay, Amazon.com and other sites.

“There were warnings that denial-of-service attacks were possible,” said Harris Miller, president of the Information Technology Assn. of America and one of more than 20 participants in the White House meeting.

But Miller, explaining why an industry-run information network is needed, said: “You didn’t have widespread attention to the fact that the warning was out there, and you didn’t have widespread action that would have prevented [attacks] from occurring.”

He added: “It was noise in the background.”

Meanwhile, the FBI widened its investigation, continuing to interview companies hit by hackers and trying to identify suspects in the hacker attacks, in which Web sites were deliberately bombarded with so much information that they simply shut down.

In Los Angeles, James V. DeSarno Jr. of the FBI’s local field office said his computer squad and technical investigators want to determine how hackers gained access to a UC Santa Barbara computer system to use it as a “host” to send disruptive messages.

“That’s where we’re focusing our attentions,” he said. “We are looking at the records from UC Santa Barbara and trying to develop where that information came from.”

FBI Seeks Suspects

Investigators also are looking at records for Buy.com, a Southern California company whose Web site was infiltrated during the attacks, DeSarno said. But there have been no leads directly linking any suspects in the case to Southern California, he said.

The FBI is trying to interview possible suspects in the United States and Canada, some of them known only by Internet names such as “Coolio.”

But investigators suspect that some of those who have taken credit for the disruptions in online chat sessions might simply be bragging. “Until we talk to these people and corroborate what we hear with the data we’ve collected from forensics, we can’t say if Person A or Person B is really involved,” said a federal law enforcement official.

Though government sleuths are viewed by many in the tech industry as guns-and-badges gumshoes from another era, it turns out that the FBI, the National Infrastructure Protection Center and the federally funded Computer Emergency Response Team at Carnegie Mellon University in Pittsburgh sent out detailed public warnings last year about the possibility of denial-of-service attacks.

The infrastructure center offered software to help detect the computer “tools” used to launch the attacks.

While some industries--like banks--took advantage of the warnings and of their own detective work, others apparently were unprepared.

“The FBI had certain information that [it] made broadly available,” Clinton said as he gathered with the executives. “The banks were in better shape to take advantage of that information than others were. And I think one of the purposes of this meeting is to figure out what we do from here forward to make sure that everybody is in the same position.”

Added a White House official: “We knew in December that if someone wanted to deploy this, they could cause a lot of trouble. We didn’t know who. And we didn’t know when they were going to pull the trigger.”

Peter Solvik, chief information officer for Cisco Systems, said after the meeting that such warnings and alerts can easily escape the attention of busy executives. “We are talking about a new system for broader and faster dissemination,” he told reporters.

Joining in the broad-based group that met with Clinton in the Cabinet Room was “Mudge,” a reformed hacker also known as Peiter Zatko. For his part, Clinton tried to put things in perspective.

“Look,” he said, “it’s a source of concern. But I don’t think we should leave here with this vast sense of insecurity. . . . I wouldn’t analogize it to Pearl Harbor.”

Attacks Dampen Public Confidence

The Internet is a prime force in the economy, and a loss of public confidence could have far-reaching repercussions. A new survey by PC Data Inc., a market research firm, has found that about 45% of Internet users said they are less likely to transmit credit-card numbers over the Web because of the recent attacks.

The administration has asked Congress for $2 billion for government-wide computer security efforts in the 2001 fiscal year, an increase of 16%. The request includes additional money for research that also could benefit private industry and for educating a corps of computer security professionals who would receive scholarships in return for government service.

Industry representatives said that Internet businesses should take the lead in resolving security problems that affect them--and that government should police its own computer networks, share information and support research and development.

“There is no silver bullet for what we are going after,” said Maynard Webb, president of EBay.

The agreement among the industry representatives called for the creation of a “mechanism”--which could be anything from a membership organization to a Web site--to coordinate information on security for Internet businesses.

According to Miller, of the technology association, the system would distribute information on computer attacks, vulnerabilities, countermeasures and “best practices” among its members.

The financial services industry already has such a consortium, a nonprofit corporation created in response to recommendations from an earlier White House commission on computer security.

For example, Global Integrity, a Virginia firm that provides cyber-security for the financial services industry, had issued warnings to clients as early as August of possible denial-of-service attacks.

William Marlow, a vice president of the company, said that e-commerce firms now will have to consider more extensive and expensive security measures. “It’s a business problem, not a government problem,” he said. “Private industry has to be proactive on computer security issues. It’s just going to have to be part of the business model for doing e-commerce.”

Times staff writer Christine Frey contributed to this story.
