Policy change makes it harder to track hackers, NASA official says

A late-term change in the Clinton administration's approach to prosecuting cybercrime has made it much more difficult for NASA to track and prosecute hackers who attempt to penetrate its computer networks, a NASA network-protection office official said Monday.

"NASA lost 90 percent of its ability to track and pursue [suspected computer] intruders because of changes in policy" by the Justice Department, said Stephen Nesbitt, director of operations in the computer-crimes division of NASA's network and advanced technologies protection office.

According to Nesbitt, over the last year-and-a-half, the Justice Department's Computer Crime and Intellectual Property section began prohibiting federal agencies from electronically monitoring the actions of hackers who break into their systems. Under federal wiretapping statutes, system administrators of private computer networks may do such monitoring, but law enforcement officials are normally prohibited from doing so without a warrant.

An official in the computer-crime section denied that there had been any change in policy. "We have always urged caution in terms of accepting the fruits of system monitoring" by federal agencies, said Phil Reitinger, deputy chief of the section. But he conceded that the agency's advice to federal agencies has changed with advances in "hacker tradecraft."

Nesbitt said that NASA was barred from posting "banners" on its computer networks as a virtual "no trespassing" sign. Courts generally have ruled that such banners provide federal agencies with the consent they need to engage in electronic monitoring. But the Justice Department said NASA could no longer do that unless it posted a banner on every one of its 65,000 computer network connections.

Nesbitt attributed the changes to the late-1999 departure of Scott Charney, former section chief, and his replacement by Marty Stansell-Gamm.

Speaking at a conference called the "International Summit on Cyber Crime" sponsored by the National Institute for Government Innovation, Nesbitt called on participants--largely local law enforcement officials dealing with cyber crime--to urge support for legislation against cyber crime that would restore such self-defensive capabilities to Web site operators and government officials.

"Law enforcement's job is to remove the threat," said Nesbitt. He said that NASA had worked for many years to cultivate a reputation as an agency that aggressively goes after hackers, and was worried that the policy change would undermine its tough-on-computer-intruders reputation.

Speaking about the change in policy by the Justice Department, Nesbitt said that "different people do things different ways" and that "no one wants to make bad case law" or to force a lawsuit that could result in a negative ruling for the Justice Department.

The policy change came at the same time that the Clinton administration was trying to balance privacy and security concerns in its anti-cyber crime legislative proposal. Some elements of the proposal were incorporated into legislation introduced by Sen. Orrin Hatch, R-Utah, and Sen. Charles Schumer, D-N.Y., but it never passed the House.