Government Executive - Authors - Graeme Browning

Hack Attack

Graeme Browning — Fri, 01 Aug 1997 00:00:00 -0400

he computer sitting on your desk can do many things. It can calculate long tables of numbers in a flash, call up electronic libraries of information for a report, keep track of meetings for years to come and connect you with millions of people via that web of computer networks called the Internet. It can send messages across the hall or around the world and provide the latest news 24 hours a day. It can even check spelling.

But increasingly, that computer and thousands of others like it throughout the federal government are also becoming the tools of possible catastrophe. Since 1990, hackers--computer-savvy individuals with malicious intent-have used the same chips and bytes that help executives work more efficiently to alter government data files, install pornographic pictures on government computer systems, collect security passwords and disrupt military research operations.

Computer attacks are becoming costly as well as dangerous. In March, the Computer Security Institute, a San Francisco-based association of information security professionals, reported that three-quarters of the 563 U.S. corporations, government agencies, financial institutions and universities it surveyed lost a total of $100 million last year because of computer break-ins. Defense Department computer systems may have experienced as many as 250,000 attacks in 1995, the most recent year for which figures are available, according to the Defense Information Systems Agency (DISA). Those attacks were successful 65 percent of the time, DISA estimates.

Guided Weapons

Federal officials are so concerned about the threat hacker attacks pose to both government and private computer systems that former CIA Director John M. Deutch told the Senate Governmental Affairs permanent subcommittee on investigations last year that "the electron is the ultimate precision-guided weapon." If that characterization sounds a little far-fetched, consider the following incidents:

In December 1994, hackers attacking the U.S. Naval Academy's computer systems deleted the master back-up file from one system, blocked access for authorized users to another system, tampered with 12,000 passwords and compromised a main router, the electronic equivalent of computer system's arteries. "At a minimum," the General Accounting Office reported in May 1996, "the attacks caused considerable disruptions to the Academy's ability to process and store sensitive information."
During 1995 and 1996, a hacker from Argentina used Internet connections to break into computers at the Naval Research Laboratory, NASA and Los Alamos National Laboratory, as well as other Defense Department sites. According to the GAO, the systems contained "sensitive research information, such as aircraft design, radar technology, and satellite engineering, that is ultimately used in wea-pons and command and control systems."
Dutch hackers who pillaged computer files at 34 U.S. military sites in the months leading up to the Gulf War offered the information to Iraqi leaders, a former Energy Department official said in March. The hackers not only learned the exact locations of U.S. troops and the types of weapons they had, but also gained information about the capability of the Patriot missile and the movement of American warships, Eugene Schultz, the former head of computer security at Energy, told a London newspaper.
A hacker who broke into and defaced the Air Force site on the World Wide Web, the multimedia corner of the Internet, late in December forced the temporary closure of 80 Web sites that carried, among other things, information on Gulf War illnesses.

Malicious hackers don't just target the DoD, however. They've also broken into sites belonging to the Justice Department and the CIA. The attack on the CIA site occurred in late September, just hours after the Senate passed a bill aimed at hindering computer crime. Secure files were never in danger, the agency said, because the Web site isn't connected to any internal CIA files. But the hackers caused more than a little disturbance by adding obscenities, changing the name of the agency to the "Central Stupidity Agency" and reworking electronic links so readers who clicked on them would be whisked off to hackers' Web sites and the Playboy magazine site.

NASA's home page has also been become a favorite site for hackers, who've attacked it at least three times in the last 18 months. The culprits in the first two attacks left pornographic pictures, radical political screeds and a statement decrying the commercialization of the Internet. The most recent NASA hack occurred only two months ago, when a Delaware teen-ager altered the Web site for the agency's Marshall Space Flight Center in Huntsville, Ala., and left this message: "We own you. Oh, what a tangled web we weave, when we practice to deceive." The hacker added that the site's managers were "extremely stupid." He is under investigation by the computer crimes division of NASA's Office of the Inspector General.

Security Worsens

Not everyone who's unusually adept at computer programming is a hacker. Many computer users who like to spend time roaming the Internet would never consider doing electronic harm to a government agency or private corporation, technology experts say. In a new book, however, David H. Freedman and Charles C. Mann explain how, over a period of five years, "Phantomd," an emotionally disturbed teen-ager from Portland, Ore., hacked several hundred-and possibly several thousand-of the most secure computer systems in the nation, including those of nuclear weapons laboratories, Fortune 100 companies and classified military sites.

"Most computer experts agree that during this decade, Internet security has gotten worse," Freedman and Mann write in At Large, published in June by Simon & Schuster. "Much of society seems to be rushing onto the Internet, but the long-secret escapade of Phantomd demonstrates how easily people can roam unconstrained on the information superhighway and, if they have a mind to, do overwhelming damage."

Most of that damage can be done with tools that are ridiculously simple to use, in technological terms. In fact, many of the weapons in the malicious hacker's arsenal are everyday devices used on the Internet.

Take passwords, for example. Lots of people use the same password for all their computerized accounts, from their office computer to the ATM account at their bank to their home security systems. It's not unusual for office workers to use the word "password" to enter their office networks, computer security experts say. A hacker who's patient enough to try several hundred obvious passwords is bound to get lucky on most large systems. And if he's not patient, a password-guessing software program will automatically try every word in its dictionary-like database until it chances upon the right code.

If the hacker is adept at computer programming, he can construct a "sniffer" program that will monitor all the traffic on a particular network and record the first few keystrokes of each log-on session, where the user types in an account name and a password. By installing sniffers on the major arteries of the Internet in fall 1992, for example, Phantomd accumulated hundreds of thousands of passwords for military and government networks and commercial systems, Freedman and Mann say.

"IP spoofing" is also a popular way of gaining unauthorized access into a computer system. The hacker forges the address-called the IP for "Internet Protocol"-of a message sent over the Internet so it appears to come from a computer attached to an internal network. If the main network computer is persuaded that the hacker's computer belongs to the network, and there is no internal network security system, the main computer will send the hacker data without further question.

And if none of these methods works, there's always the tried-and-true ploy called "hijacking" a password. The hacker simply waits for someone at a computer station to get up and leave-for a cup of coffee, say-without exiting the program he's working on and turning off his machine. This trick is a favorite among college students who share huge multi-user university systems.

Getting into a computer system is the hard part, technology experts say. Once inside, a skilled hacker can rifle through data files, establish a phony account that will give him instant access on return visits, and set up an electronic tool kit that can tinker with the system's inner workings even if he is not around.

The hacker might infect the system with a computer virus that will replicate itself and erase important files. He could install a "logic bomb," a program hidden deep in the main computer and set to activate at some point in the future, destroying data. He could even replace entire software programs with a "Trojan horse," a set of files that look just like the real software but are empty.

And if the hacker isn't a programming wizard? He could log on to the Internet and download a software program called Security Administrator Tool for Analyzing Networks, or Satan, that probes computer systems for weaknesses and holes. If Satan is not available, there's always a set of programs called RootKit that automatically takes over a computer and installs a sniffer.

Information Warfare

The danger of hacker attacks is being taken seriously, even at the highest levels of the federal government. In January, a task force of the Defense Science Board, a high-powered Pentagon advisory group, warned that that "an electronic Pearl Harbor" is just around the corner unless "extraordinary action" is taken immediately to improve computer security in both government and private sector networks. The report recommended that the Defense Department spend $3 billion over the next five years to strengthen the Pentagon's telecommunications and computer systems, and establish centers at the National Security Agency and DISA to study the potential causes of and responses to all-out hacker attacks the Defense Department terms "information warfare." The board also suggested creating a team of electronic security experts to stage attacks on critical government information systems to test their security.

A high-level government-industry group called the President's Commission on Critical Infrastructure Protection is also studying the gamut of computer-attack scenarios. It's scheduled to make a report to the White House in early October.

"Technology has created a wonderful interconnected world, but each connection creates new exposures and risks," Robert T. Marsh, a retired Air Force general and former chairman of Thiokol Corp. who heads the commission, said in a speech this spring. Government and private computer networks "are becoming increasingly vulnerable to vandalism, theft, malicious hackers, criminals and unscrupulous competitors. The Internet contains hacker sites with instructions on how to do the job. Our [computer] infrastructures are constantly in danger from people intent on penetrating and disrupting them-and all they need is a PC and a modem."

]]>

Dragnet

National Journal and Graeme Browning — Wed, 21 May 1997 00:00:00 -0400

Island Casino is every gambler's dream. One of a thriving new breed of gambling enterprises launched in the last year, it offers roulette, craps, video poker, slot machines, sports betting--on football, baseball, basketball, hockey and boxing--and a bingo game billed as "one of the world's largest." It's quick, it's open round the clock and, best of all, it's available on any computer screen.

That's right. Island Casino operates through the Internet.

The computers that create it are located on Curacao, in the Netherlands Antilles, a group of Caribbean islands almost 1,200 miles south of Miami. The company that runs it is licensed under Dutch law, which permits gambling. And its games take place in the borderless world of cyberspace, where anyone armed with a computer, an Internet hookup and a credit card can play--for real money.

For gambling opponents and state law enforcement officials, that's a nightmare. They want Uncle Sam to police the likes of Island Casino. Although states have always decided whether to allow gambling--and how to regulate it--only federal law enforcement agencies can operate across state lines, as the Net does.

On-line gambling isn't the only Internet-based activity that officials want to regulate.

Fifteen states and the District of Columbia have considered cyberspace taxes, which could hit home computer users and big corporations that do business on line. And some federal agencies are looking to extend 19th-century laws that regulate banking and commerce to cover the financial scams that threaten to flourish in the Information Age.

Every time a new technology has arrived on the American scene, policy makers have wrung their hands about regulation. Universal access to telephones, dividing up the radio spectrum, television licensing--each of these principles, now taken for granted, first required lengthy discussion in Washington. Now that's happening with the Internet.

But there's a sense of urgency in this debate that didn't exist before. The Internet is growing faster than anyone expected: 57 million people worldwide are now connected, compared with 1.1 million in 1991. And the Net's financial clout is growing apace. In the year 2000, more than $70 billion in sales will be transacted over the Net worldwide, the Commerce Department predicts. Estimates from other sources range widely and are unscientific; some suggest sales in the $150 billion-$600 billion range by decade's end.

Regulators, lawmakers and the on-line industry may differ over how much this new electronic universe really needs to be regulated, but with the Internet mushrooming as it is, advocacy groups say, there's not much time left to search for the answers.

Controlling the Card Sharps

Take Internet gambling, a growth industry if there ever was one. About 25 "wagering sites" now exist on the World Wide Web, and at least 100 more are in the works, according to Sue Schneider, who chairs the Interactive Gaming Council, a group of on-line gambling companies that was created late last year by the Interactive Services Association, a Silver Spring (Md.)-based trade group.

"In the last 18 months, the on-line segment of the gaming industry has reached critical mass," said Schneider, who also publishes Rolling Good Times, an electronic magazine about on-line gambling. She said the number of gambling sites that are under construction "could easily double by the end of the year."

These "virtual" casinos last year captured $3.4 billion of the almost $25 billion that Americans spent on casino-based gambling, according to financial analyst Sebastian Sinclair of Christiansen/Cummings Associates Inc., a New York City management consulting firm.

By the end of next year, annual on-line gambling expenditures will reach nearly $16 billion, predicted Dennis Mills, a member of Parliament in Canada who's championing a bill to legalize Internet gambling. On-line gambling "appears to be the first Internet application that has the potential to make other investments pale by comparison," Mills wrote in a statement on the subject.

If Island Casino and other popular Internet gambling services are any indication, however, the technology may first need a big upgrade. Most of these graphics-heavy sites load up so slowly onto a computer screen that one bettor recently complained he could catch a cab to a nearby racetrack in the time it takes to place an Internet bet. Also, most of the sites are now set up to be played only "for fun," not for real money. And those that do take money wagers have complicated registration procedures that can involve delays lasting days.

While the gambling industry eagerly anticipates the prospect of making big bucks from the Internet, anti-gambling groups and state law enforcement officials fear that virtual casinos will create a host of problems.

Incidents of gambling addiction increase as casinos become accessible to a larger share of the population, according to Bernard P. Horn, communications director of the National Coalition Against Legalized Gambling, a Washington-based organization that represents state and local anti-gambling groups.

"Also, how do you know whether someone playing casino games on the Internet is an adult or not?" Horn asked. "If you put casinos on the Net, you have to understand that you are making gambling accessible to millions of people, and creating millions of addicts and underage gamblers." Think of the potential for a 16-year-old to swipe his parents' credit card and run up huge gambling debts on the Net before Mom and Dad notice.

Fraud is also inherent in on-line gambling, opponents say. How would a bettor sitting at a computer terminal in Idaho know that the roulette wheel being "spun" by a computer in Antigua isn't fixed? "On the Internet, if people get hold of your Social Security number or your credit card number, away they go" to make fraudulent purchases, said Sen. Jon L. Kyl, R-Ariz. "There's an extra potential for fraud here that doesn't exist as much in a regulated environment."

Kyl is pushing a bill that amends the 1934 Wire Communications Act to make on-line gambling a crime. Similar legislation he sponsored during the 104th Congress died in committee, but Kyl believes the bill has better chances this time around because the National Association of Attorneys General backs it, as does the National Coalition Against Legalized Gambling. "Our only opposition comes from those people who have spent a lot of money to create these casinos," he said. "They see a huge source of revenue going out the window."

Faced with criticism like Kyl's, Schneider of the Interactive Gaming Council counters that strict betting limits will help control compulsive gamblers, while "filtering" software designed to protect children from Internet pornography will also screen out underage players. "The whole argument here really boils down to the fact that the Internet is a global medium that defies legislation by one particular country," she said.

Kyl's bill attempts to address that problem by adding a clause expressing the "sense of the Senate" that the federal government should have jurisdiction over any company, no matter where it's located, that transmits wagers via the Net into or out of the United States. "But if a casino company is legally licensed in one country, it's hard for another country to come in and say, `You can't do that,'" Schneider contended.

In the long run, the make-or-break issue for on-line gambling will be whether consumers find the games trustworthy, both supporters and opponents say. Americans wagered $80 billion-$85 billion last year on sports, according to gambling industry estimates. Because they have confidence in the underlying bookmaking system, gamblers are also flocking to sports betting on the Internet, even though it's specifically illegal under U.S. law, Schneider said.

The Justice Department could prosecute on-line "sportsbook" operators now, but chooses not to, said Horn of the anti-gambling coalition. "That's a shame because on-line gambling operations are in such a fragile state. You could go after all the gambling sites that exist today and knock them down," he said. "And what we're seeing now is just a fraction of the problem we'll see if we don't take action soon. The more that people become accustomed to gambling this way, the more demand there will be for it down the road."

Taxing Questions

If casino operators are enthusiastic about their potential take from the Internet, state and local taxing authorities are even more raring for a windfall. Colorado, Connecticut, the District of Columbia, Louisiana, Massachusetts, Ohio, Pennsylvania, Tennessee, Texas, Washington and Wisconsin now tax some Internet services, while California, Illinois, Iowa, Maryland and West Virginia are considering similar taxes.

Most of these taxes are based on a percentage--from 2.5 per cent to 6 per cent--of the monthly fee that a computer owner pays a company for an Internet hookup. The taxes are added to the computer owner's monthly bill, just as telephone access charges are added to telephone bills. But there are also proposals to tax electronic purchases of computer software programs, books, magazines and other items popular among on-line shoppers.

The states argue that they are simply extending existing tax laws to a new technology, as they have a sovereign right to do. "As more and more sales take place on the Net, that will eventually have an impact on sales tax collections in a number of states. And the sales tax does finance a lot of state programs," said Neal M. Osten, director for commerce and communications in the Washington office of the Denver (Colo.)-based National Conference of State Legislatures. "That's the way the system was supposed to work, and it's working."

Computer users and the on-line industry haven't taken kindly to their tax-inflated bills, however. In August 1996, shortly after the city of Tacoma, Wash., imposed a 6 per cent tax on the fees that people pay to an Internet service provider, angry citizens forced the city to repeal it. Buoyed by widespread public support, a bill to exempt all Internet uses from state taxation passed both houses of the Florida Legislature and is awaiting Gov. Lawton Chiles's signature. Earlier this year, New York Gov. George E. Pataki announced that his state will also exempt Internet service providers from state taxes.

Many state tax officials are chafing over such policies because they create a burden on businesses that aren't operating on the Internet, Osten said. "This hits small independent businesses, the ones that are the backbone of a lot of state revenue, especially hard," he added. "They're the people who have a physical location, like a store, that's generating sales taxes. We know where they are, and we can tax them. But if a business that exists primarily on somebody's computer and operates on the Internet isn't paying sales tax, then you really have unfair competition."

Nevertheless, the regulators could be outvoted on this issue. The Treasury Department last November issued a policy paper rejecting new federal taxes on the Net. Early this year, an executive branch interagency working group--chaired by Ira C. Magaziner, senior adviser to President Clinton for policy development--issued a draft proposal to "establish cyberspace as a duty-free zone."

"The Administration believes that widespread competition and increased consumer participation in marketplace choices, not government regulation, should be the defining features of the new digital age," the draft paper concluded.

Congress seems to agree. Rep. Dave Weldon, R-Fla., introduced a bill in early March to exempt the Internet and on-line services from federal taxes. Soon after, Rep. C. Christopher Cox, R-Calif., and Sen. Ron Wyden, D-Ore., introduced the Internet Tax Freedom Act, which would impose a moratorium on new state and local taxes, including sales taxes, aimed at the Net.

In any business transaction--whether on the Internet or through more old-fashioned means--a state can tax out-of-state sellers of goods or services only if the sellers have "sufficient physical contact" with the taxing state, the U.S. Supreme Court has ruled. But applying that standard to business that's conducted on the Net poses problems.

Wyden suggests that because the Internet is so decentralized, and Net-based transactions could be routed through hundreds of different computers, as many as 30,000 state and local taxing authorities could argue that they have the right to place levies on electronic commerce.

If a California company sells a computer software program manufactured in Oregon to a computer owner in Florida, who downloads the program onto his hard disk using an Internet service provider located in Virginia, Wyden said, then who has the right to tax what? "It's no longer just a matter of one state taxing the manufacturer and another the reseller," he added. "Electronic commerce via the Internet doesn't fit into those neat little categories any more."

State tax authorities themselves appear to be struggling with the question of how and where to apply levies to the Net. Alone among the states, Minnesota taxes digital information services such as Lexis-Nexis, for example. The state of Utah has decided not to tax the Internet, but some cities within the state are considering doing just that. Louisiana and Colorado tax only Internet users located within the state, while Washington taxes out-of-state users as long as their Internet service provider has a Washington address.

The only way to bring fairness to the current hodgepodge is for the states to decide on a single set of laws and a uniform tax rate to apply to the Internet, the Interactive Services Association argued in a recent white paper. "We're not fighting taxation, but we are asking for uniformity of language," said Brian A. O'Shaughnessy, director of public policy for the association, which represents some 350 computer software and hardware manufacturers, Internet service providers and on-line companies. "If we're going to have taxation in this new environment, let's not have patchwork."

One proposed solution, the Cox-Wyden bill, would maintain the tax moratorium for two years while a panel composed of representatives from the Treasury, Commerce and State Departments, state and local governments, and consumer and business groups studies the issue of taxing the Net and prepares a report for Congress. The states point out that they're already working with the on-line industry to develop uniform tax standards. "Wyden's office says the moratorium is a way to get us to the table, but we've been at the table for a year," Osten said.

Meanwhile, the technology of the Internet is changing so quickly that state officials worry that new tax laws will be outdated before they even pass. "When we're trying to define various aspects of the Net, the question always is, will that technology still be there in a few years?" Osten said. "But it's important that we sit down with industry anyway. Whatever's going to happen in the future will be based on what happens now."

Cops in Cyberspace

How and when to tax the Internet is a perplexing question, but federal regulators consider the Net's potential for money-laundering, consumer and banking fraud, invasions of privacy and forgery a far more pressing issue.

"Electronic commerce is probably inevitable, [but] it's not without its risks and dangers," Peter J. Toren, deputy assistant attorney general in the Justice Department's Computer Crimes and Intellectual Property division, warned at a conference on regulating electronic cash, sponsored by American University's law school in mid-April. "History has taught us that as soon as any technology arrives, some individuals will try to misuse and abuse it."

Internet users were convinced that Reed Elsevier Inc.'s Lexis-Nexis subsidiary was doing just that last year, when it added Social Security numbers to "P-Trak," the database it sells to lawyers. After thousands of computer owners complained, the numbers were deleted from the database. More recently, the Social Security Administration itself was forced to back down hurriedly from its plan to put taxpayers' Social Security numbers in its interactive database.

"Consumers are becoming increasingly concerned about the power of technology to collect and distribute information about them," Lucy Morris, assistant director for credit practices at the Federal Trade Commission (FTC), said at the American University conference.

The FTC has also been homing in on Internet-based business frauds. Late last year, the commission's Bureau of Consumer Protection coordinated a daylong surveillance of the Internet by federal, state and local law enforcement officials and unearthed more than 500 Web sites promoting pyramid schemes, which are illegal.

In a similar "Business Opportunity Surf Day" that the FTC organized on April 24, officials from the commission, from the North American Securities Administrators Association, from the U.S. Postal Service, Canada and Norway, as well as attorneys general from 24 states, discovered more than 215 Web sites offering outrageous earnings from business opportunities that amounted to little more than scams.

The Treasury Department is so concerned about the potential for financial fraud related to the Internet and computer-based currency that it established the Financial Crimes Enforcement Network (FinCEN) three years ago to bolster the anti-money-laundering efforts of the Justice Department and the Federal Bureau of Investigation.

The Internet's speed, efficiency and global nature, which allow businesses to do billions of dollars' worth of sales worldwide, also help criminals launder money in the blink of an eye, Stephen Kroll, FinCEN's legal counsel, said at the American University conference. "The problem is that everything that's good about these [computer] systems for everyone else is bad for financial-crime enforcement," he noted.

AT&T, for example, recently announced that it would begin testing a system this summer in which consumers can download funds from their bank accounts, via the Internet, to a "smart card," a device that resembles a credit card and contains a computer chip.

Once the funds are stored on the smart card, the consumer could purchase goods over the Internet by clicking on the item at a merchant's Web site and running the smart card through a "reader" attached to the consumer's computer. Prompted by the magnetic strip on the smart card, the "reader" subtracts funds from the card and transmits them, in the 0s and 1s of computer language, over the Net to a smart card owned by the merchant. At the end of the day, the merchant uploads his or her proceeds to the bank, using the same devices.

While smart cards could revolutionize electronic commerce, they also offer the threat of the "perfect counterfeit," Kroll and Toren warned. "Smart cards are only a string of computer bits that someone, somewhere, can make a perfect copy of," Toren said.

Regulation of the Internet is imperative if law enforcement is going to get a handle on financial crime, Kroll added. "We've been trying to end bank secrecy for the last 50 years, but we will have lost the fight if the Internet bypasses the banks and renders them no longer key to financial transactions," he contended.

Several other federal regulatory agencies, however, oppose loading the Net up with a host of rules. In a significant speech given last October, William J. McDonough, president of the Federal Reserve Bank of New York, urged that regulators "monitor" development on the Net but not attempt to restrain it.

The U.S. Office of the Comptroller of the Currency (OCC) takes the position that "supervision, not regulation, is the key word," James Gillespie, assistant chief counsel in the Comptroller's office, said at the American University conference. And last year, the Office of Thrift Supervision chartered the Security First Network Bank, the first "thoroughly Internet bank in the country," according to OTS special counsel Paul Glenn.

For all their concerns about crime, the banking and financial industries support this hands-off approach. "The majority of the new technologies we're talking about are essentially new configurations of established financial products. And powerful models already exist to guide policy makers as they deal with these issues," said Brian W. Smith, a partner in the Washington offices of Mayer, Brown & Platt, a Chicago-based law firm, and formerly chief counsel at the OCC. "I advocate taking a deep breath, and letting the system function on its own."

Debates about regulating cyberspace are sure to balloon along with the Internet's popularity. Trouble is, the technology is changing so rapidly that decisions made this year could turn out to be ill-advised only a few years down the road. Perhaps that's why many policy makers, at least for now, are choosing the easy way out: They're calling for "moratoriums," as the on-line world races past them toward the 21st century.

]]>

Infowar

National Journal and Graeme Browning — Tue, 22 Apr 1997 00:00:00 -0400

A bell marking the opening of business sounds on the cavernous trading floor of the New York Stock Exchange. It is Feb. 4, 2006, a decade after the White House sent the aircraft carrier Nimitz into the Strait of Taiwan, infuriating China, which had been firing missiles at Taipei.

As traders reach for their phones, all of the computer screens in the Exchange suddenly go blank. Simultaneously, in Detroit, a mysterious power outage brings auto assembly lines to a halt. On the West Coast, a chartered jet carrying the Labor Secretary and several hundred American business executives back from a trip to Taiwan smashes into a 737 on the runway at Los Angeles Airport; landing coordinates the pilot had received from computers in the LAX control tower had been tampered with.

Meanwhile, the commander of a Marine Corps base in Japan hears angry voices outside his office. Once again, trouble is brewing over Taiwan. Washington has just ordered him to put his troops on alert because Chinese army troops are massing across the Strait. A few hours earlier, electronic thieves cleaned out the U.S. bank accounts of all the marines in Japan, and now the troops are frantically taking calls from spouses back home.

Sound improbable? Sure it does. But to a growing number of Pentagon strategists and other federal security experts, a cyberspace-based scenario like this may be the face of battle in the 21st century. Many of the combatants in this potentially deadly new form of guerrilla warfare would be armed with no more than personal computers and modems. And they could be two continents away from their intended targets.

Waging the domestic version of what security experts call "infowar" means applying computer viruses, hidden codes, data-destroying software programs and other electronic mechanisms that could, among other things, halt the operations of electric power grids, natural gas pipelines, railroad switching facilities and air traffic control systems. Infowarriors could also scramble the software used by banks, hospitals and emergency services, and break down telephone and other telecommunications networks.

In January, a high-powered Pentagon advisory group--a task force of the Defense Science Board--issued an urgent report warning that the nation's computer systems are so vulnerable to malicious assaults that the country may one day face "an electronic Pearl Harbor."

The report recommends that the Defense Department spend $3 billion over the next five years to strengthen its telecommunications and computer systems, and establish centers at the National Security Agency (NSA) and the Defense Information Systems Agency to study the potential causes of and responses to information warfare.

Another report is being prepared by a government-industry group called the President's Commission on Critical Infrastructure Protection. Created last fall, the commission--which is headed by Robert T. Marsh, a retired Air Force general and former chairman of the board of Thiokol Corp.--was supposed to issue its findings by midyear. Ten federal agencies with potential interests in the subject were entitled to have two members each on the commission. But because some agencies picked only one person and because so many private experts declined to participate--they didn't want to leave their businesses for a year, as required--the panel will finish its work with 15 members, instead of the 22 envisioned in the executive order. The panel's deadline was recently extended to early October.

A THREAT THAT'S VERY REAL

Launching a cyberspace-based assault doesn't necessarily mean using nefarious techniques to "hack," or penetrate without permission, a computer system. In fact, many of the digital tools in a cyber-terrorist's arsenal are simply everyday devices, expressed in the 0's and 1's of computer language, that make a computer network like the Internet such a marvel of communications.

In the hypothetical assault described at the beginning of this article, for example, the Stock Exchange's computers might be put out of action by an "electronic-mail bomb." First the attacker would break into the system of a company--an Internet service provider--that manages the links between the Exchange and the Internet. The attacker would tinker with the service provider's computers so that they routed millions of E-mail messages--which the attacker would generate from his own computer--to the Exchange. If the flood of false E-mail is large enough, the Exchange's Internet connection--and possibly its own computer--would become overloaded and shut itself down.

Shutting off Detroit's power might be a simple matter of guessing (with a little electronic help) the password needed to enter the local electric company's computer system and then commanding it to flip the city's "off" switch. Password "dictionaries," which generate hundreds of possible words or combinations of letters, are easily obtainable; the attacker would simply dial in the power company's system and run the dictionary program until it chanced upon the right code.

Infowarriors might also break into the air traffic control system by "hijacking" a password. How? Maybe by waiting for someone who's manning a computer station to, say, get up for a cup of coffee without exiting the program he's working on and turning off his machine. This is a favorite among students at colleges that operate huge, multiuser systems. Once inside a system, a skilled hacker can control it.

And the cleaning out of bank accounts? A "logic bomb"--a program hidden within a computer and set to activate at some point in the future, destroying designated files--might do the trick. So might a "data-service" attack. That involves convincing a computer network to share its information with an intruder's computer. If the network isn't protected by some form of computer security, there is no way to prevent a machine outside the network from requesting and receiving data.

Some infowar specialists would include other forms of digitized assault under the rubric "information warfare." In addition to attacking the inner workings of computers, for example, infowar could also mean the use of information technology on the battlefield or the use of microwaves to block wireless data transmissions, some experts say.

The NSA, the federal agency that concentrates on (among other hyperclassified matters) the use of information technology, focuses more on the danger that renegades with computers pose to America's national security apparatus. The agency estimates that more than 120 countries now have "computer attack capabilities" for attempting to seize control of Pentagon computers in a way that would "seriously degrade the nation's ability to deploy and sustain military forces," the General Accounting Office noted in a 1996 report.

According to the gloomiest of infowar theories, all computer systems are vulnerable to attack. And a challenge facing the people in charge of potential targets is deciding whether a glitch in a computer system means that somebody somewhere innocently pushed the wrong button or that the first shot has been fired in a cyberspace attack, Clinton D. Brooks, an adviser to NSA director Kenneth A. Minihan, said in a rare interview.

"We certainly don't want to defend at the national federal level against something that's just an accident," he said. "What we need is some sort of national centralized recording, monitoring and assessment center. . . . We need to know what's normal behavior [in cyberspace]. How many real accidents happen out there? How many different incidents [that resemble infowar] normally occur?"

Such a statement, coming from the top level of the highly secretive NSA, indicates the alarm with which the U.S. defense and intelligence communities view the prospect of electronic warfare.

In an appendix to its January report, the Defense Science Board task force cites a variety of computer-related incidents occurring since the late 1980s that, some members of the task force maintain, prove that the threat of infowar is very real. These incidents include the 1989 placement of logic bombs in public telephone network switches in Atlanta, Denver and Newark, the 1995 theft of 60,000 telephone calling card numbers by a technician and the attack an organized crime ring based in Russia made against Citibank's computers in 1994 that resulted in the theft of almost $12 million.

Other attacks have targeted U.S. research and defense facilities. In the months leading up to the Persian Gulf war, for example, a group of teenagers from the Netherlands "hacked" computer files at 34 American military sites on the Internet and electronically siphoned off such information as the exact locations of U.S. troops and the types of weapons they had, according to the task force report.

By browsing through the sites' computerized directories, reading E-mail and copying data, the teenagers also gleaned information about the capabilities of the Patriot missile and the movement of American warships in the Gulf region. When they were done, they modified the computer systems' logs to cover their traces. Late last month, Eugene Schultz, former head of computer security at the Energy Department, told the BBC that during the Gulf conflict the hackers tried to sell their pilfered information to Iraq. The generals in Baghdad backed off, fearing a trap, Schultz said.

More recently, a 19-year-old Londoner named Richard Pryce broke into the computer files of an Air Force research facility in Rome, N.Y., more than 150 times in 1994. Pryce, who American intelligence officers said had caused "more harm than the KGB," was convicted of making an unauthorized entry in a London court and fined the equivalent of $2,400.

The Science Board unit's report also lists 10 countries--Russia, China, North Korea, Iraq, Iran, India, Egypt, Cuba, Libya and Syria--ranked according to their progress in developing 15 categories of technologies to support infowar, including such fields as "psychological operations," "deception," "electronic warfare" and "lethal destruction."

Russia, for example, is said to have technology equal to the best the United States has to offer in seven categories, and "average or good" capabilities in four others. In only four categories, the report says, does Russia fail to measure up to the United States.

China and North Korea are reported to be on a par with the United States in three categories, but Iran, Egypt, Cuba, Libya and Syria appear to be out of the game for the time being.

TARGETING PUBLIC SERVICES

It's more difficult to pin down the threat to the private sector and to the U.S. economy in general, security experts acknowledge.

The United States has more computer expertise within its borders than any other country in the world. And so on any given day, the wires are humming with data being passed back and forth not only between corporations or organizations within a given industry, but also along the Internet, which uses telephone lines.

So far, even the cleverest of hackers have yet to successfully target an electric power grid for disruption or lob E-mail bombs at a regional telephone network. But just because a full-scale domestic cyberspace attack hasn't happened yet doesn't mean that it can't happen, some security experts say.

Because so many computer systems are so interconnected, well-timed assaults on only a few of these systems could disrupt the lives of millions of Americans, suggests Ross Stapleton-Grey, a former CIA analyst who is now president of Tele-Diplomacy Inc., an Arlington (Va.)-based consulting firm.

"In a non-hyper-wired world, technological failures are OK," he said in an interview. "But if we have a string of calamities such as the 1991 AT&T switch failure that caused traffic control systems at airports all along the East Coast to go down, that can lead to a major disaster."

The President's commission was formed to head off just such disasters. The executive order that established the panel warns that "certain national infrastructures are so vital that their incapacity or destruction would have a debilitating impact on the defense or economic security of the United States."

Marsh isn't persuaded by the argument that cyberattacks won't happen in the future because they haven't happened in the past. "In this tough world, if we have exposed vulnerabilities in any of our vital systems . . . any prudent person would conclude that we ought to plug up the holes and not invite outsiders in to cause harm," he said.

Recent events overseas show that some terrorists already have plans for targeting basic public services, Marsh and other security experts say. Last July, for example, Scotland Yard said it had foiled an Irish Republican Army plot to bomb natural gas, water and power installations in London.

American businesses have become dependent on information technology, and some industries couldn't operate without using computers. With terrorism, hacker mischief and computer attacks by organized crime all on the rise, Marsh said, "we face a looming problem of serious proportions that needs to be addressed."

Infowar specialists who concentrate on the home front, however, also have trouble distinguishing between hacking activities that merely annoy and cyber- attacks intended to do serious harm.

Winn Schwartau, a Seminole (Fla.)-based security consultant, applies the term primarily to electronic attacks on computer networks. He has labeled as infowar everything from recent defacing of Web sites operated by the National Aeronautics and Space Administration and the Justice Department to three incidents in January 1993 involving hackers who reportedly extorted huge ransoms from British banks and brokerage houses in return for not crashing the financial institutions' computer systems.

"I don't like to use the term `infowar,' but it gets the executives' attention," Ron Skelton, an engineer with the Palo Alto (Calif.)-headquartered Electronic Power Research Institute, said at a mid-March conference of computer programmers in San Francisco. "The bottom line is this: The American public really wants hot showers, warm bedrooms and cold beer. And if they don't get it, the government will hear about it."

Marsh reiterated this point later in the conference. "As you know, the Internet contains hacker sites with complete instructions on how to do the job [of launching cyber-attacks]," he said. "Our infrastructures are constantly in danger from people intent on penetrating and disrupting them. And all these people need are a personal computer and a modem."

WHEN "SATAN" CAUSED A PANIC

Not everybody buys the notion that cyberwar is just around the corner. True, the report by the Defense Science Board task force notes that "there really is a smoking gun." But not everybody who looked saw the gun or the smoke; the report notes that the opinions in the document don't reflect the views of all participants in the study.

And many specialists--often quick to bristle whenever the government weighs the need for controls on the uses and occasional misuses of computers--don't believe Washington's warnings.

"It's nothing more than a make-work project for the NSA now that the Cold War is over," said Jim Warren, a San Francisco-based computer expert.

Another skeptic, Ohio State University law professor Peter Swire, asserted at the San Francisco conference that national computer networks are less threatened today than they were just a few years ago.

Most corporations, he said, now rely on internal networks, composed of linked desktop computers, for data processing. These local networks--or LANs--are far less vulnerable to unauthorized penetration than the big mainframe computers corporations used a decade ago. That's because electronic files can be broken up into discreet sections and stored on different computers. With mainframes, data were usually stored in one location; an intruder needed only one password to reach everything he was after.

But other specialists note that most private-sector networks aren't adequately protected because most corporate executives either don't understand computer security or don't want to spend the money on safeguards.

"You have to make distinctions between computer sites," A. Michael Froomkin, a law professor at the University of Miami (Florida), said in an interview during the conference. Most of the Internet sites that have been tampered with are open to the public. "The serious stuff, the classified top-secret data, is always stored on isolated systems with protection developed by the NSA," he said.

A software program called Security Administrator Tool for Analyzing Networks (SATAN) caused a panic among corporate security experts when it was distributed free on the Internet a few years ago because it could probe computer systems for weaknesses and holes, Froomkin said. "SATAN was useless with the military networks. But the fact that it worked so well elsewhere is a sign that the civilian networks still aren't well maintained."

Some federal computer security experts like the NSA's Brooks acknowledge that the threats are sometimes overstated. "We have a lot of people who talk rather simplistically, as though all it takes is a group of super-hackers somewhere to bring the United States to its knees," Brooks said.

But it's irresponsible, he continued, not to prepare for cyberwarfare. "The message in all of this is: Do we really understand what we're facing? Can you take the existing charters and lethal responses of an industrial age and apply them directly to the Information Age? We really don't know, and we need to know."

]]>

Crashing Computers

National Journal and Graeme Browning — Mon, 03 Mar 1997 00:00:00 -0500

In the mid-1980s, officials at the Internal Revenue Service (IRS), prompted by the need to handle an ever-growing mountain of tax returns more efficiently, decided to overhaul the agency's aging computers. Give us enough money, they told Congress, and we'll not only bring in $40 billion in extra tax revenues a year but we'll also make it possible for taxpayers to file their returns and get their tax problems solved with little more than the flip of a switch.

Almost 10 years and some $3.4 billion later, an ambitious scanning machine prototype and upgraded telephone systems are in place in many IRS locations, but not much else has changed.

Of the more than 200 million tax forms that will flood the agency before this year's filing season is over, 95 per cent of them will be processed on keyboards connected to computers that in some locations chug along on 1940s-style vacuum tubes.

The billion-dollar computer modernization program clearly hasn't lived up to the high expectations the IRS had for it--a failure that Arthur A. Gross, the agency's head of computer services, described in testimony in January before the National Commission on Restructuring the Internal Revenue Service, a bipartisan congressional panel.

Two new systems that together cost more than $300 million have been scrapped in the past two years. An attempt to collaborate with the Commerce Department on a system that would let taxpayers file via the Internet disintegrated recently in the midst of interagency recriminations.

What's more, despite its statutory obligation to protect taxpayer data from the prying eyes of outsiders, the IRS lacks "the critical mass of intellectual capital" to fix its computer problems without help from private experts, Gross said.

How could this have happened? Where did all that money go? "It hasn't been wasted," deputy IRS commissioner Michael P. Dolan, the agency's top-ranking career employee insisted in an interview. Individual taxpayers now have the option of filing returns via touch-tone phone or from their tax preparer's or accountant's computer. Businesses can make their tax deposits electronically, he continued, and over the past three years, the IRS has been able to answer an increasing number of taxpayer calls because of wiring and equipment upgrades at its 29 service centers. "There are a lot of things currently on the ground and operating that are giving the taxpayer a real, live, in-the-flesh benefit," he said.

The IRS has spent at least $1 billion replacing aging mainframes, data storage systems and wiring for the telephone hotlines at its service centers, according to an agency spokesman. Some $400 million was spent to consolidate the agency's service centers, while another $400 million has gone toward developing new computer programs for IRS field agents involved in collection efforts, the spokesman said.

The IRS experience with computers mirrors many of the problems other federal agencies have had managing technological change.

As recently as 1994, for example, the Federal Aviation Administration (FAA) was trolling Radio Shack stores for spare parts to keep its air traffic computers running, the General Accounting Office (GAO), Congress's investigative arm, reported. Meanwhile, the FAA's plan to upgrade its computer system faced so many delays that the agency would "spend twice as much as originally planned for a system that will meet few of its original requirements," the GAO said. The National Weather Service's plans to improve its weather prediction system and the Defense Department's Corporation Information Management initiative have come in for similar criticism.

Some of the IRS's difficulties can be blamed on turf wars, bureaucratic snafus and congressional micromanagement, congressional aides and technology analysts in tax reform groups say. But former IRS employees and private technology experts familiar with the inner workings of the agency say the IRS's culture of secrecy and its tradition of stubborn self-reliance in managing massive technical projects have caused many of the problems.

Cutting Edge No More

By any measure, the tale of the agency's inability to make its modernization dreams come true isn't for the fiscally faint of heart.

And the IRS's failure is all the more striking because it was once regarded as one of the federal government's technology pioneers. In the mid-1950s, it became the first civilian agency to install keypunch computers. Those machines, the era's state-of-the-electronic-art, so revolutionized the processing of tax information that historians have labeled the '50s and '60s the IRS's Golden Days.

By the late 1970s, however, the mini-computer revolution was gaining steam; the advent of silicon chips and integrated circuitry quickly made the IRS's equipment seem clunky. In 1985, an attempt was made to replace the agency's aging computers with the sort of streamlined, high-speed technology that was by then in use at the Defense Department and the government's intelligence-gathering agencies. That plan flew apart at the seams.

Despite inadequate testing and IRS field administrators' warnings that more than a thousand software programs designed for the new service center replacement system needed to be rewritten, the agency's top brass put the system into use nationwide just before that year's filing season. The system worked so poorly that harassed IRS employees took to stuffing unprocessed returns--some of them still containing checks--"into wastebaskets and ceiling ducts," Shelley L. Davis, the IRS's official historian from 1988-95, reports in her recently published Unbridled Power: Inside the Secret Culture of the IRS.

In the wake of what Davis calls "the Filing Season From Hell," Congress began pumping money into two dozen projects that fell under the rubric of Tax Systems Redesign, all aimed at upgrading or replacing faltering equipment.

In 1989, the IRS announced that it had yet another plan for overhauling its computers, this one called Tax Systems Modernization. This blueprint involved the same 24 computer projects along with six similar ones.

Three years later the projected price tag for the decade-long modernization program had swollen from $4 billion to $8 billion, the GAO has reported. At the same time, the carefully contrived, centrally administered plan that Congress believed it was buying didn't really exist.

"In order to make a credible pitch to Congress, the IRS had to couch what it was doing in terms of a massive central effort to provide a unified, common system," said Thomas P. Giammo, a retired information technology consultant. As assistant commissioner for information systems at the U.S. Patent and Trademark Office from 1988-93, he overhauled a similarly aging computer system to manage the modern-day flow of paper. Giammo continued: "But [the IRS] could never organize itself internally to accomplish that because the group of people put in charge of the effort didn't then, and don't now, have enough clout to force people on the periphery of the organization to follow their lead."

Hello, Give Me Martinsburg

It may not win kudos for management, but the IRS is still capable of efficiently processing tax returns and mailing out refunds, agency officials maintain. Much of the "hardware"--the computer terminals, keyboards, hard drives, modems and such--the IRS uses daily are less than 10 years old and unlikely to fail altogether. The software programs, or mathematical operating instructions, that tell the machines what to do are much older, but they still work well enough to get through many more tax seasons, the officials said.

But these older software programs can make the IRS computer system play havoc on the taxpayer who hits a snag.

Ever wonder, for example, why when you call the IRS with a question about a tax-due notice you'll get one answer and then, when you call back for clarification, you often get an entirely different answer to the same question?

That's because the agency's customer service representatives are working with nine databases. While all nine databases, or collections of digitized data, may reside in one or more of the same huge mainframe computers at a central IRS location, few of the them can communicate with one another. Employees at 15 of the IRS's 29 customer service centers can't even call up all nine databases on the same computer screen.

Even if you're lucky enough to reach an IRS customer service rep who can call up information from more than one database at a time, you're not guaranteed an answer based on the most current information about your case. Only one database, called the master files, located in Martinsburg, W.Va., contains all the information for each individual taxpayer. No one but IRS employees at that center can update the master files. Because the Martinsburg center adds data to its records only once a week, on Saturday, new information can take as long as 10 days to show up on the rest of the IRS's screens, Gross told the commission.

Dolan, the IRS deputy commissioner, argues that the nine databases don't present a problem for the agency because the odds are slim that taxpayers will need information from all nine at the same time. "A particular call might take [a customer service representative] to one or two of the databases in order to get an answer, but not all nine," he said. "The image that has been drawn recently of our people running around the office to nine different terminals isn't correct."

Linking all the databases so that information can be passed back and forth between them and stored in more than one location, also wasn't a top priority in the IRS's modernization scheme, he said. "The first thing we worried about was did we even have the [telephone] answering capability, the telecommunications infrastructure, the whole suite of [communications tools] that would help that taxpayer with a question," he said. "One of the things we had not been able to do prior to a year ago was respond well [by phone] to a taxpayer who was remote from one of our service centers.

Investments in telecommunications upgrades were investments we thought we needed most. If a taxpayer can't get to you, then you're not serving them." The IRS applies a similar reasoning to the millions that it has spent in recent years on computer systems that don't work as planned, or that don't work at all.

In August 1995, the IRS paid the Commerce Department's National Technical Information Service (NTIS) $10 million to build Cyberfile, a computer system that would let taxpayers file their returns via the Internet. IRS officials believed NTIS could deliver the system in time for the 1996 tax season.

Despite warnings from the IRS acquisitions staff that the agency had failed to perform a thorough enough procurement analysis of NTIS, the IRS top management wrote NTIS an additional $7.1 million check for the project in December 1995, according to the GAO. Meanwhile, major U.S. software companies such as Intuit Inc., the Menlo Park (Calif.)-based maker of Turbo Tax, built a dormant connection to the IRS Internet site into their tax programs; with special instructions from the IRS, the connection could be activated in minutes. Five months later the IRS ditched the Cyberfile project.

Cyberfile failed because "the project was hastily initiated. Development and acquisition were undisciplined, and Cyberfile was poorly managed and overseen," the GAO reported. "Only after NTIS informed IRS in April 1996 that the $17.1 million had been obligated and that the system still was not finished, did IRS stop to reconsider the project."

The Document Processing System (DPS), a massive project that would allow IRS employees to scan tax returns into their computers rather than entering the data by hand, went through four contractors before the agency canceled it last year. Total cost: around $298 million, including $13 million-$14 million paid to the last contractor, Bethesda (Md.)-based Lockheed Martin Corp., to shut the system down, an IRS spokeswoman said.

The IRS decided to cancel the DPS project because it was going to require an investment of more than $1 billion more before it became truly usable, Dolan said. "Some people will say, `Well, that's an investment you walked away from.' But we learned a lot from DPS," he said. The IRS is using some of the techniques developed during the DPS project to speed up the initial processing of tax forms, he said. "For us to have spent $1 billion on something that would have consumed so much of our discretionary capital wouldn't have been nearly as prudent as calling a halt to it early," he added.

Another huge scanner project, the Service Center Recognition/Image Processing System (SCRIPS), is still being used at the IRS's processing centers in Austin, Texas; Cincinnati; Kansas City, Mo.; Memphis; and Ogden, Utah. Five years ago, the IRS predicted that the system would save $17 million in labor costs and increase employee productivity 20 per cent. Two years ago, the agency lowered its savings estimate to nearer $5 million. Last year, the IRS predicted that SCRIPS would actually cost more than it saved. In January, the GAO pegged the eventual cost of the system, which it said has "critical weaknesses," at $288 million over its 10-year life-cycle.

Another IRS Shopping List

The primary value of scanner systems such as DPS and SCRIPS lies in their ability to turn notations on paper forms into digital images, thus eliminating the drudgery and cost of typing tax return data into computer databases by hand. Some computer experts maintain that the technology doesn't exist that can outdo the human eye. "The truth is that while computers are very good at doing certain menial tasks, they are still not able to perform many tasks that humans find simple, like reading numbers on a paper tax form," Jaron Lanier, a visiting scholar at Columbia University's computer science department, wrote recently in The New York Times.

Those sentiments aren't universal, however. Many insurance, financial services and credit card companies have replaced banks of keypunch operators with one or both of two types of imaging technology. The first type of technology, which takes a picture of a document and reproduces it in exact detail on the computer screen, is practically foolproof, computer experts say.

The second type, called optical character recognition (OCR), requires the computer to scan the document and translate what it sees into the same digitized characters that a human would type in on a keyboard.

Optical character recognition isn't 100 per cent accurate. "In some cases, you need a great deal of manual intervention in order to validate that what the computer interpreted is what was intended" by the author of the document, said Gerard H. Barloco, vice president for information services at USAA, a worldwide insurance company based in San Antonio. Still, he said, "it's true that the optical character recognition technology is in many cases very good."

Other computer experts are blunter. "The hard part every company has to deal with is having to scan and index documents they don't design. The IRS designs the damn documents, and they should be able to scan them," said the chief of computer services for one of the largest investment houses in the world, who asked not to be identified.

The IRS had hoped to find a way to combine both the picture taking and optical character recognition capabilities of advanced computer systems in its aborted document processing system, Dolan said. Eliminating both paper handling and keyboarding costs "is really the solution we've been after," he added.

The most important goal, however, is to cull tax return data reliably, accurately and as cheaply as possible. "Today that means using seasonal workers who can enter the data manually," because IRS officials have become convinced, after considerable consultation with government experts, that optical character recognition technology hasn't advanced far enough to read handwritten information with the degree of reliability the agency demands, Dolan added. "The notion that everybody files a clean, two-sided form that can glibly be read by OCR is not the experience we've had," he said.

Ensuring that tax forms are taken out of envelopes and sorted correctly is also a major IRS concern, Dolan said. "You realize the kinds of overhead that are required to take tax documents from the mail and make them computer-ready. . . when you look at the fallout we've experienced when a return gets lost," he added, referring to the foul-ups that occurred in 1985.

The $64,000 question is why, if reliable imaging technology is widely used in industry, the IRS didn't call in a top consulting firm from the private sector to design its scanner systems. It's a question that has been asked about many facets of the tax systems modernization project.

Dolan said the IRS wanted to call in outside consultants to help modernize its computers as far back as the early 1980s, but they were overruled by Treasury Department and Office of Management and Budget officials in the Reagan Administration. Some Members of Congress aren't buying that excuse, however.

"Traditionally the IRS has had an insular culture," said Rep. Rob Portman, R-Ohio, who heads the National Commission on Restructuring the IRS with Sen. Robert Kerrey, D-Neb. "The second problem is the agency's inability to properly define its mission or its strategic direction. . . . Having nine different computer databases, for example, is clearly unacceptable. It's not only terribly inconvenient for the taxpayer, but it's also a waste of taxpayer money."

In early February, after the GAO ranked the IRS near the top of its list of federal programs at "high risk" for waste, fraud and abuse, Rep. Steve Horn, R-Calif., went even further, calling the IRS "a basket-case agency."

"The entire agency seems to have this mind-set that makes them hunker down, think of excuses and resist change, rather than trying to improve," Horn, chairman of the House Government Reform and Oversight Subcommittee on Government Management, Information and Technology, said twice in separate hearings.

The IRS is sworn to protect the confidentiality of tax data, but too often the agency clings to its code of secrecy to sweep less-than-useful projects under the rug, historian Davis argues. "The IRS mind-set is `Either we can, or we must, do everything inside the agency,' " she said in an interview. "The reasoning is `If we hire competent outsiders from the technology world, heavens forbid but they might learn how the IRS processes tax returns, and they might learn how we select which returns for audit. And if people knew how we choose returns for audit, they'd all start to scam us.' "

In the IRS's defense, many technology experts say it faces a tough challenge in trying to create a computer system for the 1990s and beyond that can draw on information stored by technology designed almost 40 years ago.

"Building a brand-new computer system in an environment where the old system has to keep functioning smoothly until the new system works, in an era where the technology changes from month to month, has been a major problem for lots of organizations, especially in the federal government," said Bob Gellman, who was formerly chief counsel to the House Government Operations Subcommittee on Information, Justice, Transportation and Agriculture, and is now a private consultant.

"We can't close the place down for a year while we boot up a new system," Dolan said. "Someone likened our problem to flying a 747 and trying to remake it in the air, and I think that's just about the truth."

The National Commission on Restructuring the IRS, now holding another round of hearings on the IRS's modernization efforts, expects to issue a report on its findings by June.

That's just about the time that the IRS hopes to present to Congress a pared-down list of priorities in the technology arena, Dolan said. The agency has been working for a year to redesign its computer modernization plans, and "I feel very confident that in the late spring or early summer designs of a more incremental, more focused, more disciplined approach will take shape," he said.

So will his agency ask Congress for even more money for yet another attempt to devise and install 21st-century technology? "Oh," Dolan said with a sigh, "it's way too early for me to predict that."

]]>

Keeping the Revolution Alive

National Journal and Graeme Browning — Mon, 10 Feb 1997 00:00:00 -0500

Did someone say the Republican fervor for revolution is fading in Congress? That's certainly not happening in the Senate, where members of the classes of 1994 and 1996 continue to storm the barricades.

On Jan. 29, Rod Grams of Minnesota reintroduced a bill to eliminate the Energy Department. The next day, Sam Brownback of Kansas and James M. Inhofe of Oklahoma cast the only two ballots against the confirmation of Chicago attorney William M. Daley as the new Commerce Secretary. Grams and Inhofe were elected to the Senate in 1994, and Brownback, who won a seat in the House that year, was elected to the Senate last fall.

Now an aide to Spencer Abraham of Michigan -- another 1994 Senate newcomer -- says that Abraham and Brownback will reintroduce a bill this month to "eliminate or reorganize" the Commerce Department. The two Senators will push the measure along a dual track in the Governmental Affairs Committee, where Brownback is a member, and in the Commerce, Science and Transportation Committee, where both Abraham and Brownback are members.

The two Senators want both committees to schedule hearings on the bill and to focus on the activities of Democratic National Committee fundraiser John Huang while he was employed at Commerce, says Joe McMonigle, Abraham's press secretary.

"The lack of mission in the Commerce Department, as evidenced by a guy like Huang 'freelancing' [for political contributions] the way he did, will have a lot to do with it," McMonigle added.

]]>

Rare Reports on the Web

National Journal and Graeme Browning — Mon, 13 Jan 1997 00:00:00 -0500

If anyone other than a Member of Congress asked the Congressional Research Service (CRS) for copies of the reports the agency writes, the answer would be an emphatic "no." But a Washington-based science interest group called the Committee for the National Institute for the Environment somehow has managed to make more than 200 of the closely held CRS reports available on the Internet.

Access to CRS reports has been a bone of contention recently between on-line activists and members of the House Oversight Committee. While Congress has been making a concerted effort to put most of the documents it generates on the Internet, the CRS reports remain off-limits. Activists argue that electronic access to the reports is critical because the reports often serve as a basis for committee action.

CRS officials say that they won't put the reports on the Internet because the documents belong only to the Members who request them. The agency never releases its work to the public, a CRS spokeswoman said recently.

But the CRS reports on the committee's Web site are the real thing. So how'd the committee do it? "We asked lots of people on Capitol Hill to pass the reports along to us, and they do," Peter D. Saundry, the committee's executive director said.

Who, for example? "I'm not going to name any names," he responded, "but we have good relationships with many congressional offices."

]]>

Another Federal Code to Crack

Graeme Browning — Sat, 11 Jan 1997 00:00:00 -0500

NATIONAL JOURNAL, Vol. 29, No. 02

he debate over how--and whether--the overseas sales of devices that can turn computer transmissions into eavesdropper- proof gibberish should be regulated has never been short of complications. And now, thanks to new export regulations published by the Commerce Department, it's about to become positively byzantine. What's more, some analysts assert that the controversy may result in still another face-off between the White House and Congress over the limits, and proper uses, of presidential authority.

In simple terms, the debate centers on the question of whether American companies will be allowed to sell ``strong''-- that is, military-grade--data-scrambling computer programs beyond the borders of the United States. For years the answer has been a straightforward (and, by and large, unchallenged) ``no.'' Federal export regulations devised during the Cold War barred the sale of these programs overseas on the ground that they are weapons.

In the wrong hands, encryption programs could be as deadly as a missile or a tank, the drafters of the old export rules argued. Modern computers can indeed scramble messages into codes so complex that deciphering the data the messages contain is impossible without a ``key'' that has also been generated by computer. If American software companies--long the acknowledged international leaders in the encryption game--were allowed to sell their strong encryption programs throughout the world, the argument went, then rogues of all stripes would be able to communicate freely, shielded by an electronic barrier no law enforcement or national security force could penetrate.

Technological advances have overtaken that argument, however, according to the computer industry. As the Internet expands, computer users can use electronic mail, or ``e-mail,'' to zip encryption programs across borders in seconds, the industry contends. A military-grade encryption program called Pretty Good Privacy, or PGP--developed by Phil Zimmerman, a Denver-based programmer--has been freely available on the Internet for years. Last year Hitachi Ltd., a Japanese firm, produced an encryption program that is reportedly five times more powerful than anything American firms are allowed to sell in international markets.

For two years or so, U.S. software companies and computer equipment makers have been negotiating with the Clinton Administration over proposals to ease the export restrictions on encryption software. Early last month, it seemed that an agreement had finally been reached that everybody could live with. But the new regulations, which were published by Commerce on Dec. 30, shocked much of the industry. Among other stipulations, the rules require software makers to entrust to a government-approved third party--an individual with a government- issued security clearance, for instance--the key to any encryption program sold abroad.

The Business Software Alliance, a Washington-based trade association that represents most of the big U.S. computer software and hardware firms, has vigorously fought similar ``key escrow'' proposals. With the publication of the new regulations, ``our worst fears have been confirmed,'' said Robert W. Holleyman II, the group's executive director. ``This is a top-down, government-designed industrial policy, and it's bad.''

Here's where the issue gets complicated, however. A few of the major players in the computer industry aren't all that unhappy with the regulations. Take International Business Machines Corp. (IBM), which last fall organized an alliance of companies to support its proposal for a two-step process that would allow law enforcement officials to recover and unscramble encrypted data without using a key.

The European Commission is currently considering a similar ``key recovery'' scheme that, if implemented, would make the placing of code keys in the hands of trusted third parties the industry standard in Europe, some American companies believe. If that happens, the federal government is likely to impose a similar standard.

IBM supports the new regulations because ``we had to have something we thought would be consistent with where the U.S. government is going,'' said Aaron W. Cross, IBM's Washington- based public policy director. As for those U.S. firms that oppose the new regulations, Cross added, ``we would prefer they take a more global focus.''

Industry opponents of the new regulations plan to appeal to Congress for help, as they have in the past. Bills designed to override the government's encryption policy never reached the floor last year, but this time the opponents may have extra ammunition.

On Nov. 15, President Clinton issued an executive order that transferred oversight of encryption software exports from the State Department to the Commerce Department. The order was part of Administration efforts to strike a compromise on encryption policy with the computer industry, which views Commerce as more sympathetic to its interests than State.

The order, however, gives the Justice Department authority to consult with Commerce officials over the issuance of encryption export licenses on a case-by-case basis. This is an entirely new--and unwelcome--role for law enforcement in the encryption controversy, many industry executives and some privacy activists maintain. (A further complication is a Dec. 18 ruling by a U.S. District Court judge in California that struck down parts of the old regulations.)

``This executive order ups the stakes in Congress because it involves the assertion of presidential authority to make law,'' said Marc Rotenberg, executive director of the Washington- based Electronic Privacy Information Center. ``A lot of people on Capitol Hill will oppose it just on principle, even if they're sympathetic to law enforcement's concerns. I don't believe Congress will be satisfied that this is an adequate way to make policy.''

]]>

The House's Net Dilemma

National Journal and Graeme Browning — Mon, 09 Dec 1996 00:00:00 -0500

When the House Republican Conference late last month approved a new House rule that requires committees to put their documents on the Internet, it created a quandary that only lawyers could love.

The proposed rule directs each House committee to "make its publications available in electronic form." But online activists are fretting over the definition of "publication." Several committees already put final verisons of their bills on the Net. Does that fulfill the rule's mandate, or does the rule extend to other documents, including the discussion drafts of bills and the chairman's mark, both of which are eagerly sought after by lobbyists and others because they often indicate which way the committee will vote?

The new rule "would be more clear" if it were amended to include all the documents a committee produces, including rough drafts and corrected versions of hearing and markup transcripts, the Congressional Accountability Project, a Washington-based online advocacy group, wrote in a letter to House Rules Committee Chairman Gerald B.H. Solomon, R-N.Y., on Dec. 3.

Solomon's response: the subject is still under review.

]]>

Congress on the Net

National Journal and Graeme Browning — Wed, 27 Nov 1996 00:00:00 -0500

The thousands of reports, transcripts and draft texts of legislation that Congress generates could become available to the public on the Internet after the House convenes in January, Hill aides say. But nobody's willing to be more specific about what will be posted, or when.

Rep. Rick A. White, R-Wash., has been lobbying the House Republican leadership to change House rules and provide for more public access to congressional documents on line as part of the administrative reform package the leadership traditionally introduces on the opening day of the session, Connie J. Correll, an aide to White, said.

White introduced legislation earlier this year that listed a dozen types of documents--including copies of prepared testimony and texts of proposed bills--that could be made available to the public electronically; the bill didn't make it out of committee, however.

As for the on-line provision in the opening-day reform package, "We'll ask for everything, and we probably won't get it. But we're hoping for something," Correll said.

In a related development, Rep. William M. Thomas, R-Calif., the chairman of the House Oversight Committee, has requested that the Congressional Research Service (CRS) report to him by the end of January on the feasibility of making its documents available to the public on line. CRS documents are available electronically, but only Members of Congress have access to them, an agency spokeswoman said.

Internet access to the CRS's issue briefings and legislative reports is critical, on-line activists say, because the documents often serve as the basis for committee action. "CRS does generic research on pending legislation. That research would be very useful to citizens so they can figure out what these bills mean and whether or not they as citizens ought to support the bills," said Gary Ruskin, director of the Congressional Accountability Project, a Washington-based on-line advocacy group.

If Congress wants to make CRS reports available to the public, both the House and the Senate, which share oversight of the CRS, would have to change the agency's legal mandate. "We have to wait to see what CRS says," William A. Pierce, Thomas's press secretary, said. "But clearly this is an issue that we have to work on with the Senate."

]]>

National Security: A Dramatic Makeover

James Kitfield, National Journal, and Graeme Browning — Sat, 16 Nov 1996 00:00:00 -0500

erhaps not surprisingly, the calls began even before the debris was swept from the victory party. Secretary of State Christopher traveled to Little Rock, Ark., for a private meeting with Clinton the day after the election, one last errand after four years and nearly 700,000 miles of frequent flying. Defense Secretary Perry called Arkansas to say that he, too, was through.

Senior-level shake-ups are traditional at the beginning of second terms. Given a series of resignations and likely reshufflings, however, Clinton's foreign policy and national security team will undergo a dramatic makeover.

CIA director John M. Deutch, for instance, is considered a primary contender for the top Pentagon post. Former Senate Majority Leader George J. Mitchell, D-Maine, is a possibility at State. National security adviser Anthony Lake and deputy secretary of State Strobe Talbott could switch positions.

As the principals leave the stage or continue to circle in what amounts to a Cabinet-level game of musical chairs, knowledgeable analysts are already assessing the legacies of the recently departed, and speculating about the challenges that await their successors.

``I think President Clinton and his new foreign policy team will face some difficult challenges very early,'' said Robert B. Zoellick, former undersecretary of State for economic and agricultural affairs, and now a senior associate at the Center for Strategic and International Studies, a Washington think tank.

STATE DEPARTMENT

After an admittedly rocky first two years of setbacks in Haiti, China and Somalia--which prompted Christopher to offer his resignation in 1994--the Secretary of State's team is generally viewed as having found its bearings.

That turnaround began with the successful intervention in Haiti, and was solidified by effective coercive diplomacy to end the war in the former Yugoslavia. Christopher remained a dogged pursuer of peace in the Middle East throughout. However, when Christopher admitted in a recent interview that it had taken the Administration some time to appreciate the importance of vigorous ``U.S. leadership,'' he once again became a lightning rod for critics who say he lacked vision and failed to adequately defend his department from congressional budget cutters.

Besides Mitchell, the most-oft-mentioned replacements at State are about-to-retire Sen. Sam Nunn, D-Ga., and U.N. representative Madeleine K. Albright. Dark-horse candidates include former assistant secretary of State Richard C. Holbrooke, who brokered the Dayton Peace Accords for Bosnia, and former Vice President Walter F. Mondale, who'll be leaving his post as ambassador to Japan.

According to sources on the Senate Foreign Relations Committee, most of the candidates would be assured speedy Senate confirmation. ``The only candidate that might catch even some peripheral flak would be Albright, because some people fault her for so aggressively promoting multilateralism early in her term,'' a committee aide said. ``I still think, however, that she would be given the benefit of the doubt. Of the names that have been mentioned in the press, the only one that could cause serious trouble would be Strobe Talbott.''

Should the next Secretary of State last a full term, he or she is likely to confront the dangerous disintegration of North Korea, destabilizing leadership transitions in China and Russia, NATO expansion, a Middle East peace process in disarray, the difficult withdrawal of American troops from Bosnia and stumbles on the path to democracy in Haiti.

DEFENSE DEPARTMENT

When Perry takes a planned trip to Bosnia to spend Thanksgiving with the troops, it will probably mark the end of what by nearly all accounts is one of the most remarkable relationships ever between a civilian Defense Secretary and the men and women in uniform under his command. The mutual respect was noted recently when Air Force enlisted personnel awarded Perry the prestigious ``Order of the Sword.''

That relationship goes a long way toward explaining why many experts view Perry as the standout of Clinton's first Cabinet. When then-deputy secretary Perry took over for Les Aspin in the wake of the 1993 Somalia debacle, a chasm was growing between the White House and the military.

Senior military officers widely credit Perry for successfully straddling and closing that chasm. Besides quality-of-life improvements, Perry's legacy includes major acquisition reforms, marked progress in dismantling the Russian nuclear stockpile and managing a major postwar drawdown without eviscerating the military.

Above all, however, uniformed leaders point to Perry's steady hand at the Defense Department's rudder during turbulent times as perhaps his most enduring legacy. ``Perry represented the only person in the Clinton Administration who was able to articulate a rationale for using military forces in pursuit of national security,'' said retired Gen. Edward (Shy) Meyer, the former Army Chief of Staff.

The leading candidates for the job are generally believed to be CIA director Deutch, who was deputy Defense secretary under Perry, and Nunn, the former chairman of the Armed Services Committee. Both represent known and respected quantities in defense and military circles.

While the next Defense Secretary will have to address the issues of a troop withdrawal from Bosnia and NATO expansion almost immediately, the biggest challenge remains a $50 billion-$150 billion gap between the Administration's future-years defense plans and the projected costs of sustaining and modernizing the current force.

INTELLIGENCE

Deutch last year assumed control of a CIA struggling to define its role in the post-Cold War world even while it coped with a series of scandals.

Crises included the Aldrich H. Ames spying case, revelations of CIA involvement with a Guatemalan military officer implicated in the murder of an American, an embarrassing breakdown in tradecraft that led to the exposure of spy agency operations in France and discovery of a hidden $4 billion fund at the super-secret National Reconnaissance Office. More recently, the agency has been buffeted by unsubstantiated news reports of a CIA connection to Nicaraguan drug traffickers in America.

Not surprisingly, the no-nonsense reformer has endured a rocky tenure as head of U.S. intelligence. After firing two CIA officials over the Guatemalan incident and instituting restrictions on the recruitment of informers with shady or criminal backgrounds, Deutch has been vilified by many CIA insiders.

Despite attempts by the House and Senate Select Intelligence Committees to pass major reform legislation this year, very little of substance was actually enacted. Deutch attempted to push through a major consolidation of eight intelligence and defense imaging agencies into the National Imagery and Mapping Agency, but disparate turf concerns of the CIA and the Pentagon, and the intelligence and defense committees on Capitol Hill, stymied major changes.

Those most often mentioned as possible replacements at the CIA are deputy attorney general Jamie S. Gorelick, a former Pentagon general counsel; outgoing Sen. William S. Cohen, R-Maine; and deputy CIA director George J. Tenet.

Chief among the challenges facing the next director are such threats as terrorist organizations, global organized crime groups and arms proliferators. Dealing with those challenges is likely to prove doubly difficult given new restrictions on and increased attention to the recruiting and handling of ``dirty assets.''

To be successful, the director will also have to explain why its spies cannot all come in from the cold with the dissolution of the Soviet Union. ``The biggest challenge for the next [intelligence chief] will be clearly explaining what the mission of the CIA and national intelligence is in the post-Cold War world,'' said Richard Kerr, a former deputy director of the agency. ``It's hard to sustain support for intelligence when your longtime enemy has disappeared.''

UNITED NATIONS

A number of analysts maintain that Albright engineered one of the most dramatic turnarounds in Clinton's first Cabinet.

Early in her tenure, she was largely seen as promoting assertive multilateralism conducted largely through the United Nations. After United Nations-led peacekeeping debacles in Somalia and Bosnia, however, she worked to lower expectations.

Albright is credited with pushing a number of needed reforms at the United Nations. In internal Administration deliberations, she was also seen as a strong voice for establishing war crime tribunals in Bosnia. Some analysts maintain, however that her much-publicized efforts to oust U.N. Secretary General Boutros Boutros-Ghali at the end of his present term may leave many bitter feelings for a successor to smooth over. There's also the matter of the roughly $1 billion in unpaid dues that America owes the world body.

Because she is considered a long shot for Secretary of State and has privately stated her wish to continue at the United Nations, Albright may well prove a rare island of continuity on Clinton's foreign policy team. In that case, instituting further reforms and winning support for the United Nations on Capitol Hill may be her greatest challenge.

VETERANS AFFAIRS DEPARTMENT

Cabinet officers have checked out or are being urged to leave, but not VA Secretary Brown. The man The Wall Street Journal recently called ``the most powerful Clinton appointee never to appear on a Sunday morning talk show'' also appears to be the Cabinet member most secure in his job.

Brown, a former marine whose right arm was disabled in Vietnam, has turned his passion for veterans' rights and his intractability on budgetary matters (he once talked the White House Office of Management and Budget [OMB] into adding more than $1 billion to its budget proposal for the VA) into a powerful force within the Administration. While he has battled both fellow Cabinet members and Congress on a number of occasions, Brown has also presided over a hefty 9 per cent growth in the VA's budget during that time.

A former lobbyist for the Disabled American Veterans, Brown has the enthusiastic support of the veterans' lobby. ``He's one of the strongest advocates for our side that we've ever had,'' said an officer of a key veterans' organization who asked not to be identified. ``Most of us would prefer that he stay [in the Cabinet] because the alternative isn't that attractive.''

That ``alternative'' would be Hershel W. Gober, an old friend of Clinton's who currently serves as the VA's deputy secretary. While Brown has given no indication that he plans to resign, veterans' lobbyists say that Gober wouldn't be nearly as effective in the top post. Brown's partisan political skills would also be missed.

]]>

Top Secrets

National Journal and Graeme Browning — Sat, 14 Sep 1996 00:00:00 -0400

NATIONAL JOUNRAL, Vol. 28, No. 37

uying a pair of chinos from Lands' End Inc., the popular mail-order catalog business, couldn't be easier these days. The company has a site on the World Wide Web, the multimedia corner of the Internet, that offers an electronic order form. Punch in your request, provide your credit card number, click the send button and your new duds will soon be on their way.

But wait a minute. You're worried about the credit card number. What if some computer hacker steals it as the order zips through the ether of cyberspace? No problem. The Lands' End site automatically scrambles your information into an unreadable code. When the order reaches the company's Dodgeville (Wis.) headquarters, computers there unscramble the code.

Lands' End initiated its encoded order form last year after customers demanded it, William E. Doyle, the company's manager for advertising and electronic media, said. Electronic sales are ``still a relatively small number'' compared with the company's billion-dollar-a-year catalog sales, ``but increasingly more and more people are feeling comfortable with putting their credit card out on the Internet in a secure manner,'' he added.

``Secure'' is the operative word here. L.L. Bean Inc., the venerable sporting goods outfitter in Freeport, Maine, and Lands' End's chief competitor in the mail-order business, also advertises its wares on a Web site. But for now, if you want chinos from Bean, you must order them the old-fashioned way, by mail or telephone. The company put up the Web site almost a year ago, and ``we were concerned about security issues from the very beginning,'' Catharine A. Hartnett, the company's public relations manager, said.

Slacks are just slacks, but the difference in the approaches Lands' End and L.L. Bean take to electronic ordering is a microcosm of a much larger debate over computer encryption technology that's been building this summer in Congress and the White House. The Commerce Department is scheduled to release a report on the controversy later this month, and no less than the futures of American law enforcement and the U.S. software industry may be at stake.

Blocking the Message

The debate over encryption, or coding, arises from a complex set of technical issues. But the question that policy makers must decide is fairly straightforward. Federal law currently prohibits American software companies from selling ``strong,'' or military-grade, encryption programs overseas on the ground that such programs can be used as weapons. The world encryption market is growing rapidly, however, and computer experts expect it to generate billions of dollars in annual sales by the end of the decade. American software makers want the federal government to ease its export restrictions on encryption technology, or drop them altogether, because foreign software companies--several of which face no restrictions--are cornering the market outside the United States.

The Justice Department and the FBI, on the other hand, are adamantly opposed to easing or dropping limits on foreign encryption sales unless U.S. software makers agree to surrender the keys to their codes so that they are available to law enforcement agencies armed with search warrants. Without this system, popularly called key escrow, law enforcement agencies don't have the technical ability to break the computer codes that criminals are bound to use in the future, Justice officials say.

``If [strong] encryption proliferates internationally, in the absence of the development of a key recovery system we will find ourselves increasingly shut out of the traditional means we have utilized to combat organized crime, terrorism and narcotics trafficking,'' deputy attorney general Jamie S. Gorelick said in a recent interview.

For several years, the Clinton Administration has tacitly supported the law enforcement perspective on encryption by proposing a series of regulations that would give the federal government ready access to computer codes. The first of these proposals--to add a ``Clipper'' chip to new computers that would give law enforcement a technological back door into encryption programs--raised such a furor among industry representatives and civil libertarians that Vice President Albert Gore Jr. recalled it in early 1994.

A series of recent events, however, has brought the encryption debate from its simmer to a rolling boil. In May, Sens. Conrad Burns, R-Mont., and Patrick J. Leahy, D-Vt., introduced a bill that would abandon the encryption export restrictions entirely. Then-Senate Majority Leader Robert Dole of Kansas, now the Republican candidate for President, publicly gave the measure his blessing--an unusual step, in that technology bills rarely attract this much attention from congressional leaders.

The Burns-Leahy encryption bill has since gained bipartisan steam. Four of the 13 co-sponsors are Democrats, and lobbyists for the software industry say that the Commerce, Science and Transportation Committee is on the verge of reporting the bill to the floor. Some congressional aides even speculate that because of Dole's support, passage of the Burns-Leahy bill could become an issue in the presidential campaign.

The bill got a crucial boost on May 30, when a blue-ribbon commission of the National Research Council, an arm of three quasi-federal science agencies--the National Academy of Sciences, the National Academy of Engineering and the Institute of Medicine--released a report recommending that export controls on encryption be greatly relaxed.

On July 12, however, the White House issued an official statement opposing congressional attempts to eliminate the encryption export controls and affirming the Clinton Administration's support for a key escrow scheme. In the wake of that statement, the Commerce Department began holding urgent meetings with software makers in an effort to persuade them to go along with the key escrow proposal.

Meanwhile, opposition to the Burns-Leahy bill has begun to surface in the Senate. Earlier this summer, Senate Banking, Housing and Urban Affairs Committee chairman Alfonse M. D'Amato, R-N.Y., filed a request to assert sequential jurisdiction over the bill, a move software industry representatives say could kill the measure.

On-line activists and civil libertarians also contend that the wave of sentiment against the Internet that marked last year's debate over the Communications Decency Act, a bill to prohibit the electronic transmission of pornography, is emerging again in the Senate. The bill, which became law in February, was recently overturned in federal court.

This spring, Sens. Dianne Feinstein, D-Calif., and Orrin G. Hatch, R-Utah, tried to attach a version of Feinstein's 1995 bill outlawing bomb-making information on the Net to both anti-terrorism legislation and the Defense Department appropriations bill. Those attempts failed. But after a pipe bomb exploded in Atlanta's Centennial Park during the 1996 Olympics, Feinstein redoubled her efforts. Sens. Joseph R. Biden Jr., D-Del., and Judd Gregg, R-N.H., have also argued that Feinstein's bill has merit.

``The Administration's looking for ways to shore up its anti-encryption strategy, which is to delay the Burns-Leahy bill and keep a finger in the dike'' holding back industry demand for loosening the export controls, said Jerry Berman, executive director of the Washington-based Center for Democracy and Technology, an on-line advocacy group. ``To do that, they're using the hysteria and fear created by terrorist incidents. That's the same argument they tried with the Communications Decency Act. They're saying that the Internet is a dangerous thing.''

Internet Dangers

Darn right it's dangerous, when terrorists, South American drug cartels and the like are using the Net to communicate, law enforcement and Administration officials respond.

Encrypted computer files have been used to hide child pornography on the Internet, and to shelter the financial records and illegal gun sales of militia groups, the White House said in its July 12 statement. Alleged CIA mole Aldrich Ames ``was instructed by his Soviet handlers to encrypt computer files that he passed to the Soviets,'' the statement added. ``Grave crimes, such as a plot to shoot down several airliners over Chicago, have been foiled by the use of wiretaps. Had the FBI been unable to read those transmissions, however, a major tragedy might have ensued.''

Encoded computer transmissions can be particularly destructive in circumstances where terrorists try to disrupt the operations of air traffic control systems, banks, utilities and other key elements of daily life, Gorelick said. ``We know terrorists use encryption. We know encryption is more dangerous when a person using it can connect to legitimate society. And we know if law-abiding citizens will, upon a court order, provide access to encoded computer communications, we will increase our ability to penetrate these groups,'' she said. ``So this issue is real. This is now.''

Computer experts and industry representatives insist that the encryption debate can't be stated in such black-and-white terms. If the federal government can easily get its hands on the software tools necessary to break a code--as would be possible under a key escrow system--then the notion of Internet security is a farce, many computer experts in private industry said.

In 1930, Germany's Weimar Republic conducted a census and stored the resulting information on punch cards, the storage devices for the machines that were the forerunners to the modern computer, said Barbara B. Simons, a computer researcher in San Jose, Calif., who is chairwoman of the public policy committee of the Association for Computing Machinery, a professional organization whose members include some of the country's foremost computer scientists.

``When the Nazis came to power they had all this information at their fingertips, and they used it to track down `undesirables.' Even though the Weimar Republic had done this survey in good faith, the technology was subsequently used against innocent people,'' she said. ``If the federal government insists on making it impossible for law-abiding citizens to communicate electronically without, in theory, the government being able to listen in, then an outlaw government becomes more and more possible.''

If the export restrictions on encryption technology aren't loosened or eliminated, the role of federal intelligence agencies in domestic matters may well expand, civil liberties advocates and industry representatives also said.

This argument centers on the economics of the computer software market in the United States. The highest encryption code length allowed under the federal export regulations is 40 units, or ``bits,'' of data. After a French graduate student broke a 40-bit code last year using borrowed computers, an increasing number of companies with international operations have switched to a 56-bit code.

Because it's too expensive for most American software makers to produce one 40-bit encryption program for overseas sales and another 56-bit program for sales within U.S. borders, many companies have stuck to the lower limit, according to the Business Software Alliance (BSA), a Washington-based lobbying group that represents most major players in the software industry. Meanwhile, foreign software makers are busily producing far stronger codes and selling them almost as fast as they make them.

Nippon Telegraph & Telephone Corp., the Japanese electronics giant, for example, recently announced that it would begin selling computer chips embedded with a 128-bit code. Mitsubishi Electric Corp. has also developed a 128-bit code, while Hitachi Ltd. has produced an encryption program that reportedly runs a 256-bit code.

``The Japanese see the lack of strong encryption programs as a big hole in the market. They're putting it into a lot of products, like [software programs for] virtual shopping, cybercast technology [for voice and video broadcasts through the Internet] and smart cards [with computer chips],'' said Rebecca M.J. Gould, the BSA's vice president for public policy.

With stronger and stronger encryption programs flowing into the U.S. market from foreign producers, law enforcement agencies such as the FBI will have to turn to the National Security Agency (NSA) for help, on-line activists argue.

As part of its mission to monitor potential threats to U.S. security, NSA has developed the most powerful computers and the most sophisticated code-breaking techniques in the world, according to computer experts. But ``a caution light has to go on when we talk about relying on the NSA'' to break down the codes shielding criminal communications within the United States, Berman of the Center for Democracy and Technology said. ``We don't want agencies that are in the business of foreign investigations to be subtly involved in domestic law enforcement, because they're not trained to balance security issues against constitutional issues.''

Internet Boom

Most of the fears the computer industry and civil libertarians have about law enforcement trampling electronic privacy rights will prove moot, however, because the boom in commerce on the Internet will make a key escrow system inevitable, Administration officials said.

``Companies are going to want to have ways to validate the information they're sending and receiving,'' said William A. Reinsch, Commerce undersecretary for export administration, who is conducting the meetings with the software industry. ``Over time, the industry will have to get together and develop systems that permit [data authentication] to take place. So we're trying to devise a key escrow system that will fit into a lot of what we think will happen anyway.''

On-line activists say that argument is bunk. The Administration ``is attempting to blur the line between a key certification system, where you confirm who you are by giving a public code to some kind of authority, like the Postal Service, and key escrow, which means giving the key to your program to a third party,'' said David Banisar, a policy analyst with the Electronic Privacy Information Center, a Washington advocacy organization. ``Reinsch testified before Congress that software won't be trustworthy without key escrow. Commercial transactions [over the Internet] may not be trustworthy without certification, but that problem has nothing to do with key escrow.''

The federal law enforcement community shows no sign of backing down from its demand for a key escrow system. But Reinsch shied away from the suggestion that the Administration is trying to strong-arm software producers into complying with the system.

``We're not trying to compel behavior but to influence the market in the direction we want,'' he said. ``If the great mass of the commercial community buys into [key escrow] and gets comfortable with it, what you'll have is a lot of other people wanting to buy this software. It will become a market standard without the government having to intrude. If the BSA and the computer software and hardware people say, `We don't want to do this,' it will be hard to get the market moving in that direction. That's why their skepticism about key escrow is important, and their cooperation is a serious matter.''

That cooperation, however, may be long in coming. Meetings between the Administration and the computer industry over the question of encryption controls ``have been going on for years, with no result. It's quite frustrating,'' the BSA's Gould said. Also, ``the Vice President's July 12 statement said nothing that we could count on, or hang our hats on.''

When President Clinton took office in January 1993, the Administration promised to review the feasibility of the 40-bit standard every 12 months, Gould said. That review has never taken place. When Gore canceled the Clipper chip proposal, the computer industry was also left with the impression that the key escrow concept was dead. Instead, the Administration has proposed revised key escrow plans twice since then.

``I think mid-September has the potential to be a very important time for us,'' Gould said. ``Unfortunately we have met that moment of potential several times in the last few years and have been beyond disappointed. But we keep hoping. The President or the Vice President could resolve this issue on their own, but Congress can also resolve it.''

]]>

A Tangled Web

National Journal and Graeme Browning — Sat, 07 Sep 1996 00:00:00 -0400

NATIONAL JOURNAL, Vol. 28, No. 36

he Web Review, an electronic magazine, debuted on the Internet in September 1995 to wild fanfare. Reviewers praised the magazine's content and the snappy way its designers incorporated the multimedia capabilities of that corner of the Internet known as the World Wide Web.

The on-line magazine investigated scandals in the computer industry, analyzed White House technology policies and reported the progress of the Net's anything-goes culture with wry insight.

Nine months later, it folded. Most of the estimated 40 million home pages, or sites, on the Web offer information free of charge, and Web Review was no different. But the magazine required ``a dedicated staff of editorial, design, production and technical resources [and it] is expensive to produce. In the end, we cannot keep giving it away,'' publisher Dale Dougherty wrote in a May letter to readers in the magazine's last electronic incarnation.

Web Review's speedy demise is the latest in a series of misfortunes that have plagued the Internet community recently. Two of the four major commercial on-line services have changed hands since January, several high-profile Internet-related stocks are selling far below their original prices and a leading Net pioneer has predicted that technical difficulties will cause the Internet to collapse by the end of December.

But at the same time that technology gurus are predicting the ``death of the Net,'' Congress has suddenly begun to swoon over cyberspace like a teenager in the throes of a summer romance. Two bills on Internet issues are the subject of intense debate in both the House and Senate, three additional Internet- related bills have been introduced since mid-June, and the number of Members who have electronic mail and Web sites is at an all- time high. Even 93-year-old Sen. Strom Thurmond, R-S.C., introduced a reelection campaign site on the Internet in July.

What gives? Does Congress know something that the technical experts out there in computerland don't? Or is this yet another example of Capitol Hill catching up with the wave long after the private sector has moved on?

Maybe a little of both. ``My own view is that the Internet will have an immense personal effect on most Americans. But the jury is still out,'' said Rep. Rick A. White, R-Wash., who co-founded the Congressional Internet Caucus this spring in an effort to lead his nontechnical colleagues on the Hill into the Information Age. ``What we should be doing here in Congress is not trying to prejudice things one way or the other. We shouldn't be trying to kill the goose that's laid the golden egg.''

Internet Dollars

The economic value of that egg is a matter of much debate. Last year advertisers spent $32 billion to hawk their products on television, $22.5 billion to do the same in newspapers and $1.9 billion for radio spots. In comparison, companies spent a mere $43 million for advertising on the Web in 1995.

Morgan Stanley & Co., the New York City-based investment banking firm, recently predicted that the number of Internet users worldwide would grow from an estimated 10 million today to 170 million by 2000. Tempting as such a vast potential market may be, however, Madison Avenue isn't likely to embrace the Net right away because the sort of simplified ``brainwashing'' that works well on television and in print falls flat in cyberspace, Mark Stahlman, president of New Media Associates Inc., a media research company in New York City, argues.

TV and newspaper ads are ``psychologically manipulative. [Consumers are] supposed to buy something for essentially irrational reasons,'' Stahlman wrote in a recent on-line debate on the subject on Hotwired, the Web site of Wired magazine. Advertising on the Internet ``has to be information, not manipulation. This is because the medium doesn't permit the psychological games that `impact' a modern audience.''

Most of the information available on the Web also isn't unique or compelling enough to command a fee, Stahlman added in an interview. It's a matter of faith among market researchers that computer users won't buy subscriptions to Web sites because Internet information has traditionally been free. ``But what the market researchers don't add is that people also don't want to pay for that stuff because most of it's not worth paying for,'' he said.

A year ago, when the information superhighway was the hottest idea in town, only the foolhardy would have suggested that the chitchat on the Internet and the content of the Web might be less than awe-inspiring. But lately Net skeptics have become increasingly visible.

Washington Post reporter Richard Leiby's recent essay, headlined ``Farewell, Web Heads: I Used to Be One of You. Then I Took Out the Internet Trash and Found There Wasn't Much Left,'' is a case in point. ``After a few years of covering what I haughtily used to call `cyberculture,' I have come to believe that the Internet is little more than a glorified post office, copying machine and water cooler,'' Leiby, a member of the Post's Style section, wrote in early June. ``So far, much of the Web's offerings merely duplicate the crass commercialism and self- indulgent dross available in other mass media.''

Net skepticism also surfaced on July 9, when the John R. and Mary Markle Foundation and Crossover Technologies, both based in New York City, held a press conference on Capitol Hill to present a ``balanced budget bill'' created by computer users who had played an Internet game called Reinventing America.

Over the course of six months the game--financed by the foundation and designed by Crossover--presented players with detailed information on most major federal government programs and asked them to decide whether to cut or boost money for the programs during fiscal 1996. As players worked their way through the game, clicking a computer mouse to designate a choice in each category, the federal budget total would change accordingly.

AllPolitics, the politics-oriented Web site operated by CNN and Time magazine, hosted the game for the Markle Foundation. In May AllPolitics totaled the votes, and foundation staff members drafted a federal budget proposal based on recommendations from the 75,000-100,000 Net users who Crossover executive producer Eric Goldberg estimated played the game.

Had it been for real, the result would have knocked Congress on its ear. While the Reinventing America players devised a fiscal '96 budget that saved $172 billion more than the budget proposed by the Clinton Administration, they voted to legalize all recreational drugs, dismantle the Veterans Affairs Department and abolish foreign aid. Other proposals included canceling all federal poverty programs except food stamps, cutting defense spending by 27 per cent, slashing U.S. troop strength overseas in half and returning the District of Columbia to the state of Maryland.

Most of the policy experts who appeared on a panel at the press conference praised the game. American Civil Liberties Union executive director Nadine Strossen said it demonstrated ``the great potential of cyber-communications between individuals [for] developing an informed and involved citizenry.'' But a few experts weren't so sure. The demographics of Internet users are changing, but for the most part they are still primarily educated, young, white, technically proficient males who are either libertarians or independents, said Martha Phillips, executive director of the Concord Coalition, the anti-deficit advocacy group founded by former Sens. Paul E. Tsongas, D-Mass., and Warren Rudman, R-N.H. ``It's easy for this group to come to agreement. But add a bunch of disabled veterans to the mix and I bet you'd never hear anything about closing the VA hospitals,'' Phillips said.

``The Net is not yet ready to put Congress out of business,'' added Thomas E. Mann, director of governmental studies at the Brookings Institution who has started a campaign finance forum on the Internet. ``The danger in something like this is that it is simply an intellectual exercise. People are talking, not listening. But in a democracy you can't have an intellectual exercise. You're dealing with citizens' lives.''

Internet Legislation

The Internet-related bills piling up in the congressional hopper are certainly not intellectual exercises. Conflict between so-called content providers--artists, writers, publishers, movie companies and the like--and on-line companies such as CompuServe and Internet service providers--such as Erol's and AT&T Corp.-- over provisions of a bill to apply copyright laws to the Net has reached such levels of acrimony, for example, that the House Judiciary Committee's Subcommittee on Courts and Intellectual Property has postponed hearings on the measure three times.

One of the main areas of contention is a provision that would make on-line companies and Internet service providers liable for any copyright violations that occur through the use of their services. Book publishers, moviemakers and songwriters are determined to protect what they have created by keeping the provision in the bill. But providers on the electronic highway want to shield themselves from copyright liability. As a result, the bill is effectively ``dead for the year,'' said a knowledgeable lobbyist who asked not to be named.

Another major Internet-related bill, to loosen federal restrictions on the export of computer programs that encode data, is gathering public attention as well as political steam. The Senate Commerce, Science and Transportation Subcommittee on Science, Technology and Space held two hearings this summer on the bill, sponsored by Sens. Conrad Burns, R-Mont., and Patrick J. Leahy, D-Vt., that were broadcast live via the Internet.

In early July, Commerce Committee chairman Larry Pressler, R-S.D., Democratic Reps. Anna G. Eshoo and Zoe Lofgren, plus Republican Rep. Tom Campbell, all of California--as well as Burns and Leahy--participated in an industry forum on the bill held in San Francisco that also drew heavy public response when it was ``cybercast'' over the Net. (See NJ, 7/13/96, p. 1541.)

In mid-July the White House, which until then had steadfastly refused to comment on the bill, released a statement in which Vice President Albert Gore Jr. said that the Administration ``will continue discussions'' about computer encryption with Congress. Lobbyists say momentum within the Senate Commerce Committee in favor of the legislation is so strong that the bill may be reported to the Senate floor soon.

In the meantime, several new Internet-related bills have appeared in quick succession. Rep. White has introduced the 1996 Internet Election Information Act, which would allow on-line and service providers to offer free Internet access to all federal candidates without violating Federal Election Commission rules. Later he introduced a resolution calling for House committees to make reports, rule changes, roll-call votes, expense accounts, amendments, oversight plans and the final drafts of legislation commonly called ``chairman's marks'' available to the public electronically at the same time they are officially filed.

Edward J. Markey, D-Mass., ranking member of the House Commerce Subcommittee on Telecommunications and Finance, also introduced a bill in late June that would instruct the Federal Communications Commission and the Federal Trade Commission to begin investigating the use of secret software programs called ``cookies'' that automatically track the movements of computer users on the Internet. Information companies can use these programs to compile detailed and highly personal profiles of Net users' hobbies, buying habits and financial and health information, and to record the names of people with whom they converse electronically, when they do so and for how long.

``The same libertarian quality that has stimulated such rapid growth of the Internet gravely threatens to cripple its promise,'' Markey said at a press conference when he introduced the bill. The Net ``has spawned an exponential increase in commercial voyeurism that is tearing privacy rights asunder. . . . At risk is consumer confidence in the medium. When consumer confidence plummets, so will economic activity on the Internet.''

Losing Interest

Consumer confidence in the Net already appears to be wearing thin from other causes, however. On-line commerce is developing so slowly that by the end of this year 20 per cent of the Fortune 500 companies that maintain sites on the Web will either stop keeping them up to date or, as in the case of Web Review, close them, International Data Corp., a Framingham (Mass.)-based Internet market research company, reported in a recent study.

More than half the small and medium-sized firms in a survey of more than 1,000 U.S. companies have no Internet connection and no plans to develop one, O'Reilly & Associates' Online Research Group, a unit of Sebastopol (Calif.)-based O'Reilly & Associates Inc., a major publisher of Internet books and on-line information, stated in another recent study. That percentage is ``surprisingly high,'' the O'Reilly group concluded in a press release.

Technical experts also warn that consumers are likely to be much less enthusiastic about the Internet when network access providers start raising their prices to cover the costs of the high-speed computer links the Web demands.

So far, the telephone companies that build and maintain the wires on which the Net runs have simply swallowed the cost of new software to upgrade their systems to tempt reluctant consumers on line with low monthly access fees, Robert H. Schellman, an Arlington (Va.)-based telecommunications industry consultant, said. But ``the cost of developing the software [for these systems] has risen rapidly, and now it usually exceeds the cost of the hardware,'' he added. ``It cost Microsoft hundreds of millions of dollars to build Windows 95. Some day soon, there's going to be a recognition of that kind of software cost, and prices [for Net access] will have to reflect that.''

In addition, the Internet has been experiencing an increasing number of ``brownouts,'' or serious delays in data transmission caused by too many people trying to use too few connections. Computer pioneer Robert M. Metcalfe is so concerned about the number of Net brownouts in the past year that he's predicting a network ``collapse.'' Metcalfe, the inventor of Ethernet, the local-area networking technology that connects more than 50 million computers, has even called the Net ``a fad'' that will soon be over.

Don't try to convince Congress that the Net's a fad, however. Since March, for example, 40 Members of Congress have introduced Web sites, bringing the total number of congressional sites to a high of 214, according to figures compiled by Highway 1, a nonprofit organization in Washington formed by such major computer hardware and software makers as Apple Computer Inc. and Microsoft Corp.

Congress's interest in the Internet shows no sign of stopping. When the Congressional Internet Caucus hosted an Internet demonstration on June 25 at Highway 1, more than 200 Members and their aides showed up, Highway 1 executive director Kimberley Jenkins said. Sen. Charles S. Robb, D-Va., became so engrossed in a ``virtual reality chat room,'' where Netizens use animated characters to interact visually and aurally with each other, that ``he stayed a long time,'' Jenkins added.

Some Members of Congress are baffled by predictions that the Net is near collapse. ``We are definitely on the threshold of a new millennium. The Internet is a new and better way for our citizens to be informed,'' said Rep. Eshoo, who in late June introduced a two-way, interactive system on her congressional Web site that allows her to correspond with her constituents via electronic mail.

``Yes, maybe questions of profitability will creep in, and maybe Americans will start to demand other kinds of uses and information from the Internet,'' added Eshoo, who represents a district in California's Silicon Valley. ``But it's far too premature for a trial to be called, a jury to be selected and a verdict to be rendered.''

At any rate, Congress is rarely a leading indicator when it comes to technology advancements, cautioned Mann of the Brookings Institution. ``These developments tend to run ahead in the private sector. If there's a rethinking going on [about the Internet], there's bound to be a lag before those ideas get to Congress,'' he said.

No matter whether the Internet eventually expands or withers, it has made a difference in the way Capitol Hill conducts business simply by introducing E-mail and cybercasting, and by making a wide range of information available at the click of a computer mouse, Mann and other experts say. Changes such as these, small as they are, expand the lines of communication between Congress and the voters.

]]>