May 20, 1998

Hackers and Security Experts Warn Senate Panel

By JERI CLAUSING

WASHINGTON -- They call themselves L0pht Heavy Industries, a band of seven with names like Mudge, Space Rogue and Brian Oblivion.

The latest hit rock group? Not quite. But they've been called cyberspace's equivalent.

They are an elite group of hackers who came to Capitol Hill on Tuesday to warn Congress that computer security is so lax that they could cut the entire nation off from the Internet in less than 30 minutes.

And they could keep the global network disabled for so long "it would definitely take a few days for people to figure out what was going on," Mudge said.

Looking a bit out of place in their suits with a mix of long hair and ponytails, the group told the Senate Governmental Affairs Committee that their goal as hackers was "to raise the bar," to get companies to develop more secure products.

The committee praised the group, all of whom hold real jobs by day, for their efforts, and pushed for answers on what they could do to make the country less vulnerable to terrorist attacks as the world becomes more and more reliant on computers.



Underscoring the concern was the release of two new reports from the General Accounting Office, Congress's investigative arm, on computer security at both the Federal Aviation Administration and the State Department.

"Significant computer security weaknesses at both these organizations threaten the integrity of their operations," Gene L. Dodaro, Assistant Comptroller General for the Accounting and Information Management Division of the GAO, told the committee. "Unfortunately, such weaknesses are typical at most federal agencies we evaluate."

And both L0pht Heavy Industries and Peter G. Neumann, a noted computer security expert with SRI International, said there is essentially no security today on the Internet or any network that connects through public telecommunications systems.

"The existing national infrastructures and the underlying information infrastructures are riddled with vulnerabilities, representing security, reliability and system survivability flaws as well as potential attacks that can affect hardware, software, communications, media and people's lives," Neumann said.

The committee's chairman, Fred Thompson, a Republican from Tennessee, asked the hackers what would happen if a foreign government hired a group such as themselves to attack the United States' computer infrastructure.

"We'd be in trouble," Mudge said.

The group described a scenario in which everything from satellite systems to financial markets could be quickly felled or easily disrupted.

Neumann agreed.

"The situation may be even worse than I have indicated, but basically, we will never know unless attacks occur. Massive coordinated attacks are possible," he said. "However, until the high-visibility occurs, few people are willing to admit that something drastic needs to be done."

While the free use of stronger encryption technology has been touted as the answer to more secure public networks, Neumann and the group of seven both said that is only one piece of the complex puzzle. After all, the Internet is based on 20-year-old technology, and every computer connected to it becomes a weak link, they said.

Neumann said the government must get its own house in order. The fact that two teen-agers recently hacked their way into the Department of Defense, he said, is "absolutely ridiculous."

The GAO's Dodaro agreed that the government systems need work, reminding Congress that in 1997 it identified information security at all government agencies as high-risk. Earlier this year, it emphasized that pervasive computer control weaknesses were placing enormous amounts of federal assets at risk of fraud and misuse.

Mudge and his group said one way to increase security is to force development of better software by holding companies like Microsoft accountable if they claim their products are difficult to penetrate when they aren't.

"If you configure NT properly and someone still breaks in and disrupts your online commerce sites, Microsoft just says 'sorry,'" said Weld Pond.

Neumann agreed there is no good security software available now.

"Anyone who tries to sell you an easy answer is a huckster," he said.




Jeri Clausing at jeri@nytimes.com welcomes your comments and suggestions.



Copyright 1998 The New York Times Company