In the argot of computer experts, the verb "to hack" means to manipulate complex things-software, people, organizations-so that they will do your bidding. The term is typically applied to software, often in lurid press accounts of straggly-haired hackers taking control of government computers.
But when the U.S. government got hacked, on July 28, it wasn't by a Twinkie-eating teenager or a Chinese policeman diverted from crashing the Falun Gong's Web sites. The hackers were Washington civil libertarians who used The New York Times to help frame an impending high-tech debate in their own terms-individual civil liberties vs. Big Brother.
The impact of the hack was immediate and impressive: a rash of newspaper and television stories and complaints from major politicians, such as House Majority Leader Dick Armey, R-Texas, which raised the specter of a government surveillance infrastructure with the potential for widespread abuse.
The civil liberties group-it is not entirely clear which one-gave The Times a draft of a White House plan intended to create a Federal Intrusion Detection Network (dubbed Fidnet) to boost the anti-hacker defenses of the nation's critical computers. Government officials say hackers, if they were to be employed by, say, Iraq or China in a future war, could disable the computers that control the nation's telephone system, banks, and stock exchanges, as well as the power grid or the pipes that pump gas, oil, and water around the country.
The draft plan, now available on many Web sites of news organizations and civil liberties groups, calls on the national security agencies to erect their own specialized defense. It directs the General Services Administration, which manages the government's real estate, to collect data from civil agencies such as the Internal Revenue Service and the Department of Health and Human Services whenever they are hit by computer-security problems, whether hacker attacks, software flaws, or human error. This GSA-managed data-collection system would forward evidence of criminal activities to the FBI for investigation.
The plan also suggests-with little detail-that critical industries create their own cooperative anti-hacker defenses and forward information about hacker attacks to the government. The plan, which is still being debated within the Administration, is expected to be released in September.
The New York Times article about the plan was the lead story in the July 28 edition. It emphasized the concerns of civil liberties groups and highlighted the role of the FBI in the computer monitoring system. The article was reprinted in many papers around the country, and its focus on privacy was echoed in reports on CNN and ABC, where it was the lead item on evening newscasts the day the Times article appeared. A similar article appeared in the Aug. 19 issue of Rolling Stone magazine, which accused the White House of creating "a far-flung and fiendishly complicated bureaucratic apparatus. . . . Now are you scared?"
The reports immediately sparked protests from privacy proponents, such as Sen. Ron Wyden, D-Ore., and Republicans Armey and Sen. Conrad Burns, R-Mont., who chairs the Communications Subcommittee of the Senate Commerce, Science, and Transportation Committee.
For the civil liberties group that gave the document to The Times, the article's focus on civil liberties and privacy was a boon, not least because it touched a nerve by raising questions about the White House's trustworthiness.
Republicans haven't forgotten the White House's accumulation of some 900 FBI files on Republicans. "I would suggest that what you are seeing is Republican concern about the White House's ability to handle anything," said Sen. Robert Bennett, R-Utah, who supports the development of anti-hacker defenses and said the media have given short shrift to the potential benefits of Fidnet.
Indeed, congressional opposition this summer, led by such stalwart Republicans as Rep. Bob Barr, R-Ga., pressured the Treasury Department to drop its "Know Your Customer" plan, which would have directed banks to track customers' accounts for evidence of laundering drug money. Democrats, too, are suspicious of the White House, but mostly of the FBI, which conducted illegal surveillance of left-wing groups in the 1960s.
In the context of this suspicion, repeated pro-privacy statements by White House officials lack clout. For example, the draft plan included this passage prepared for approval by President Clinton: "All Americans should know that increasing our computer defenses cannot and will not come at the expense of our civil liberties."
Also falling on stony ground were statements by National Security Adviser Samuel R. "Sandy" Berger and others who warned that weak defenses could enable hackers to steal private data about citizens from government computers at the Internal Revenue Service.
Such statements are of little comfort to civil libertarian groups on the right, such as the Free Congress Research and Education Foundation, or those on the left, such as the Washington-based Center for Democracy and Technology. The CDT posted a copy of the plan on its Web site on July 27, shortly before the Times article appeared.
"What's really going on here is an effort to build an intelligence database for purposes that are not clear," said James X. Dempsey, senior staff counsel at the CDT. "I don't have any evidence that it will be misused, but what we do know, as a given, is that databases, once created for one purpose, frequently end up being used for other purposes." The risk that Fidnet will be abused is greater than its minimal contribution to the needed hacker defenses, he said. "We should put our priority into plugging those [computer-security] holes rather than establishing a huge monitoring system," Dempsey said.
But The Times' focus on privacy concerns left little room to explain two other critical factors in the debate-agency infighting and industry opposition.
Overseeing the Fidnet plan is Richard A. Clarke, the White House's national coordinator for security, infrastructure protection, and counterterrorism. Clarke is supported by a new division, the 35-person Critical Infrastructure Assurance Office. Under Clarke, this office is trying to coordinate government-wide anti-hacker efforts, as well as persuade established industries to share information about computer-hacking incidents, technologies, and vulnerabilities.
However, Clarke's efforts are widely opposed by other agencies. Officials at the Office of Management and Budget's Office of Information and Regulatory Affairs criticize Fidnet as a threat to the privacy of communications between citizens and government agencies, while Defense Department officials don't want their self-defense plans entangled in Clarke's growing operation.
The Commerce Department is leery of anything that interferes with the growth of high-tech business, but it lacks clout in this interagency fight; the Justice Department believes the White House plan is insufficient and wants companies to provide hard evidence that can be used to prosecute hackers in open court. "Clarke is the object of quite a bit of infighting these days," noted one government official.
This bureaucratic tussle has resulted in years of delay. Despite high-decibel alarms about an inevitable "Electronic Pearl Harbor" and the statement in July 1996 by then-Deputy Attorney General Jamie S. Gorelick calling on Congress to create an anti-hacker "Manhattan Project," government officials have made little progress.
For example, security officials sent a proposal to the White House in 1995, asking permission to draft an anti-hacker strategy, but Clinton did not give his approval until 1998. The delay reflected concerns about protecting privacy and minimizing business regulation, as well as the fear of a backlash for any plan that appears to promote government eavesdropping. "There's a lot of self-conscious inhibition here," said one official.
This uncertainty and infighting have also spread to Congress, where Senators such as Bennett, Christopher J. Dodd, D-Conn., and Jon Kyl, R-Ariz., are trying to build a consensus for some anti-hacker defenses. In early August, the House Appropriations Committee denied the White House request for $6.3 million to fund Clarke's CIAO office. "Rather than functioning as a coordinating body . . . [CIAO] is instead establishing and spending money on new programs that conflict with other programs," said committee spokeswoman Elizabeth Morra.
High-tech companies are also a major player in the debate because the government needs their cooperation. Thus far, these companies have largely refused to cooperate. If companies inform the government of hacker attacks against them, their pain could be doubled or tripled if the information is leaked or presented in court as evidence in lawsuits against them. Many executives argue that information sharing is unnecessary because, sooner or later, the marketplace will develop tough anti-hacker defenses.
The companies' antipathy to government regulation is reflected in their increasingly successful lobbying efforts against government controls on the export of hard-to-break data-scrambling technology. The companies, in alliance with civil liberties groups, say that the rules cripple exports and impede the adoption of anti-hacker defenses by U.S. companies and citizens. Partly backed by the White House, law enforcement and intelligence agencies oppose industry's demand, asserting that the export curbs help them read secret messages between criminals, terrorists, and foreign governments.
Fidnet could provide another rallying point for industry lobbyists, civil libertarians, and Republican opponents of government regulation. Armey highlighted the concerns in an Aug. 4 letter to the White House, stating that "it's simply frightening to think about the possibility of government bureaucrats snooping in our e-mail, particularly in light of the Administration's stance on encryption legislation."
Bennett, for one, hopes the debate will move beyond where it is now. "The threat will not go away. As more and more people discover the FBI is not running [Fidnet], that people's e-mail and private conversations [will be private], the furor will go away. I hope so."
NEXT STORY: Lockheed PAC donates to F-22 opponents