The federal government's heavy focus on the year 2000 computer problem is leaving larger security issues unaddressed, computer security experts said Tuesday.
Testifying before the Senate Governmental Affairs Committee in the first of a series of hearings into the government's computer security practices, computer scientist Peter G. Neumann of SRI International, a Menlo Park, Calif.-based non-profit technology research and development company, said network security at government agencies is weak.
"The security problems are much more insidious" than the year 2000 problem, Neumann said. "The year 2000 problem is just the tip of the iceberg."
A group of hackers who call themselves "the L0pht" also testified, agreeing that computer security issues like network vulnerability, physical security and software security holes are just as important for managers to address as the year 2000 problem.
"I sometimes chuckle to myself that we're so worried about systems crashing in the year 2000, but today, systems are crashing left and right," said one of the hackers, all of whom used code names such as Mudge, Kingpin, and Space Rogue to identify themselves.
The L0pht hackers said that in under 30 minutes, they could make the Internet unusable for the entire nation. The hackers also described how a person could use a transceiver and a computer to pose as an air traffic controller and give false instructions to a pilot.
Both Neumann and the hackers stressed that managers cannot make computer networks completely hacker-proof, but said agencies could take steps to make security breaches much more difficult. Neumann chided Deputy Defense Secretary John Hamre for calling a hacker attack by two teenagers "the most organized and systematic attack" ever against the Pentagon's networks. If a couple teenagers can make Pentagon leaders tremble, imagine what real enemies could do, Neumann said.
The Defense Department was not the only agency whose computer security gives analysts cause for concern. The General Accounting Office released reports on the Federal Aviation Administration and the State Department at the hearing, noting serious security weaknesses in both those agencies' systems.
"FAA is ineffective in all critical areas included in our computer security review--facilities' physical security, operational systems information security, future systems modernization security, and management structure and policy implementation," GAO said in "Air Traffic Control: Weak Computer Security Practices Jeopardize Flight Safety" (GAO/AIMD-98-155). FAA has not reviewed physical security at 187 of its facilities since 1983, and has not analyzed security issues for 87 of its 90 air traffic control computer systems and eight of its nine air traffic control telecommunications networks.
"Without knowing the specific vulnerabilities of its ATC systems, FAA cannot adequately protect them," GAO warned.
During GAO's review of State Department computer security ("Computer Security: Pervasive, Serious Weaknesses Jeopardize State Department Operations," GAO/AIMD-98-145), auditors found that human problems are just as pervasive as technology problems. GAO investigators, posing as systems maintenance personnel, were able to persuade a State Department employee to tell them her password over the phone.
Many employees at State have passwords that are easily guessed, meaning that the department is not training its employees to use more complex passwords, like ones that include both upper- and lower-case letters and numerals and symbols. GAO investigators were also able to enter a State Department facility without identification and found user account information and active computer sessions in open areas.
"In an unlocked office, we found unattended personal computers logged onto a local area network. We also found a user identification and password taped to one of the computers. Using these terminals, we were able to download a file that contained a password list. This list could have been used later to help hack into State's systems," GAO said.
Sen. John Glenn, D-Ohio, said agencies should be more concerned with security issues, adding that information security breaches could be used as "a whole new way of making warfare" against the United States.
Also on Tuesday, GAO released an executive guide on information security management (GAO/AIMD-98-68) for government executives.
The 68-page guide lays out 16 practices executives should use to improve computer security at their agencies, including:
- Establishing a central management group to handle security issues. The group should make sure security issues are addressed when projects are being planned, advise managers on security techniques and keep top managers informed about security issues affecting the organization.
- Providing security training to employees. Employees should attend technical conferences and courses, and brief other employees on what they learn. Executives, GAO said, should encourage information security employees to obtain professional certifications.
NEXT STORY: Ex-FDA official favored to head agency