Anti-Hacker Center Fights for Respect

TIMES STAFF WRITER

Facing a sharp rise in serious Internet hacking episodes, the federal government two years ago launched its biggest counterattack on cyber-criminals, creating the National Infrastructure Protection Center to protect the nation’s multibillion-dollar investment in computer networks.

But with funding this year of just $18.5 million--far less than the cost of a single combat jet or the venture capital raised by many dot-com start-ups--Internet security experts doubt that the center can provide much of a bulwark against cyber-sabotage.

And as the center struggles to solve the latest wave of attacks that blocked access to major Web sites last month, it faces an even greater long-term challenge: The NIPC badly needs the cooperation of the industry, but many technology leaders deeply distrust the center and its approach to network security.

The center, an agency led by the FBI, was assigned the gargantuan task of providing early warning to network managers and hunting down malicious hackers. Its efforts so far have left a bitter taste in the fast-moving culture of technology.

“The FBI has really alienated most of the people in the Internet world, and now all of a sudden they want to be our friends,” said Phil Karn, a top Internet security expert at Qualcomm Corp., a thriving telecommunications company in San Diego. “There’s definitely a perception that the government . . . has only one tool--criminal law--and that they see that as a solution to everything.”

Security experts value law enforcement, although they also see prevention--particularly stronger computer encryption--as the more effective solution to computer crime. But that solution flies squarely in the face of the FBI’s long-held position that encryption must not erode its domestic and foreign espionage and criminal surveillance abilities.

Leading outside security experts also consider the center’s charge overly broad, a result of the catchall approach taken when the agency was created by the Clinton administration. The Commerce Department also has a computer security agency, but without law enforcement powers. Industry security experts doubt the NIPC’s ability to track down cyber-criminals while coordinating, educating and alerting the industry and government agencies about security threats during a nationwide pandemic of computer hacking and high-tech espionage.

The fears that prompted the creation of the center have been confirmed by the rapid increase in computer crime.

The Computer Emergency Response Team at Carnegie Mellon University said that it handled more than 8,000 incidents last year--more than double the 1998 figure. Those ranged from broad attacks like those that caused the recent spate of Web site failures to destructive computer viruses and small-scale hacking episodes.

Last year, 57% of large corporations and public agencies reported computer attacks over the Internet, up from 37% in 1996, according to a survey by the Computer Security Institute, a San Francisco group funded by individuals who work for major technology companies and government agencies.

Estimates of financial losses associated with all types of computer crime range into the billions of dollars annually, according to the institute. Some analysts say that the recent attacks on Yahoo and other Web sites cost the companies upward of $100 million in sales and ad revenues.

The NIPC caseload has also exploded--from 200 in 1996 to more than 800 last year--in part, experts say, because technology that allows invasions of computer networks has advanced more rapidly than the capacity to block those attacks or to track down criminals.

As a result of the large computer crime caseload and overly broad mission, the “NIPC seems pretty unorganized and unprepared,” said Amit Yoran, president of RipTech, a security firm in Alexandria, Va., and former head of computer vulnerability assessment for the Department of Defense Information Systems Agency.

“The place is just a little bit overwhelmed” as it faces tasks better suited to an industry consortium or nongovernmental group, he said.

The FBI dominates the NIPC’s staff of about 200, but the center includes representatives from the Department of Defense, the Central Intelligence Agency, state and local law enforcement and even private industry.

In addition to conducting criminal investigations, the center--through its analysis and warning section--tries to determine whether a particular attack was launched by a foreign espionage agency, an organized crime syndicate or a teenage vandal. It alerts private companies and public agencies to current hacking episodes and threats. The center also provides training on how to detect and repel hacking attacks.

Michael Vatis, the FBI official and Harvard Law School graduate who heads the center, declined to comment for this article, as did other agency officials. They have previously noted a shortage of both funds and computer-forensic experts. Moreover, the NIPC is unable to pay its computer specialists what they would earn in the private sector, starving the agency for talent, experts say.

To be sure, the center has attained some notable successes, including the April 1999 apprehension of David Smith, who unleashed the Melissa computer virus that caused tens of millions of dollars in damage. But with crime traveling on Internet time, high-profile victories are the exception.

Broader success, security experts say, is hampered by divisions between the agency and the security industry--a rift so profound that only 32% of serious hacker attacks are even reported to law enforcement, according to the Computer Security Institute.

The low rate of reporting comes from a desire to avoid embarrassing disclosures and from doubts about the center’s ability to track down computer criminals.

That distrust derives partly from long-standing differences over such issues as the creation and export of powerful encryption software that scrambles computer files to protect them from prying eyes.

The FBI has long resisted strong encryption and has thwarted exports of the most advanced encryption methods to try to preserve its own surveillance capacity. But that has also scared many companies away from building into their products the most effective security techniques for blocking potential hackers.

“The problem is, the U.S. government has completely compromised itself on giving advice on security, because every time the FBI has weighed in on this issue it’s been to weaken it,” said Jeff Schiller, network manager for the Massachusetts Institute of Technology and a leading computer security expert.

One problem with the NIPC’s approach is its confidential Web site used to help corporate security officers. The government site uses a potentially intrusive system that corporations fear could unlock their proprietary information, Schiller said. After the recent spate of hacker attacks, the center offered a software program to computer network administrators to probe their own computers for evidence that they have been compromised by hackers.

But Schiller of MIT, Karn from Qualcomm and others rejected the software, fearing that the FBI could use it to snoop on their corporate networks. The FBI declined to release the tool’s source code--equivalent to a software blueprint--which could have allayed such concerns.

Jim Settle, a Springfield, Va., security consultant and former chief of the FBI’s national computer crime program, views such concerns as well-founded. He describes the center as inept and says it fails to pursue strong cases delivered to it after substantial private investigation.

In the agency’s defense, government officials recently pointed out that in December the center issued a warning about the very kind of attack, called “distributed denial of service,” that caused the recent major outages at Web sites. But the threat was already well known and nothing could be done about it, experts said.

Some Firms Refuse to Work With Agency

And though many companies affected by the most recent hacking case are cooperating with the NIPC, others have refused to, said Sen. Robert Bennett (R-Utah), chairman of the Senate panel on Y2K technology problems.

“There’s evidence to suggest that some private groups had some information on the hackers and that they were reluctant to share it with the government,” fearing that confidential data would be placed at risk, Bennett said.

The FBI’s culture of withholding information, meanwhile, is unsettling to other agencies involved in the NIPC, said Scott Charney, a partner at the PricewaterhouseCoopers accounting firm and, until recently, head of the Justice Department’s Computer Crime Section.

“Law enforcement agents are trained to keep information confidential, for a lot of good reasons,” Charney said. But the problem is that the FBI has to work with other security agencies and private companies that don’t operate in the same clandestine way, he added.

Bennett said lawmakers soon will examine whether the NIPC could be more effective if based in a different government department.

The Department of Defense may offer more expertise, he said, particularly when it can be difficult to determine whether a particular hacker attack was led by teenage mischief makers or a national government bent on sabotaging the U.S. economy.

Sen. Patrick Leahy (D-Vt.) is a sponsor of legislation to fund state efforts to fight cyber-crime. He views the FBI--with its responsibility for both domestic surveillance and foreign counterintelligence--as the logical agency to lead investigations of computer crimes, albeit with stronger congressional oversight. He advocates stringent rules for restricting Internet data taps, making them at least as restrictive as rules governing telephone wiretaps, which are a source of ongoing dispute between the FBI and telecommunications providers.

Karn said the slow-moving criminal justice approach is ill-suited to the pace of technological change. “The time can be better spent hardening our defenses,” he said, if the government permits the industry to develop stronger encryption methods to keep out criminals and even law enforcement.

The stakes for freeing the technology industry to protect itself may prove larger than the problem of criminals escaping detection, they argue.

“Yahoo is a high-profile target, but it doesn’t affect the national economy,” said Steven Bellovin, a leading security researcher at AT&T Labs. But the convergence of technological sophistication and truly hostile intent is fast approaching--a combination that could, for example, take out all electronic stock trading for many hours or even days at a stretch.

Bellovin said: “These are the kinds of attacks you worry about a serious adversary doing--not a stunt like clogging Yahoo or CNN.”
