September 5, 1997

U.S. Infrastructure Could Easily Be Disrupted by Hackers!

BY RORY J. O'CONNOR

San Jose Mercury News

WASHINGTON  --  Crucial transportation, communications, financial 
and  electric-power  networks  could  easily  be   disrupted   by 
attackers  using  computers,  and  the  nation  should double its 
spending to develop anti-hacker tools, a presidential  commission 
said Friday.

Just  as  important  as increasing the taxpayer outlay -- to $500 
million in fiscal 1988 and to $1 billion a year by  2004  --  the 
commission said that government and industry must develop ways to 
quickly share information about computer crimes.

If the nation doesn't move quickly to protect such vital networks 
as  the  telephone  system,  the  electric  power  grid,  or  the 
Internet, the "various  components  of  our  nation's  lifeblood" 
could  be  attacked  by  organized criminals or terrorist states, 
said former Georgia Sen. Sam Nunn.  Nunn is  co-chairman  of  the 
commission's advisory board.

But  he  cautioned  that  the  nation's  infrastructure is not in 
imminent danger of being demolished. The most difficult  job  for 
the Presidential Commission on Critical Infrastructure Protection 
may be  how  to  "convey  a  sense  of  urgency  without  causing 
despair," Nunn said.

Getting  from  recommendations  to  reality  might  not  be easy, 
though, for the  Industry  may  be  reluctant  to  cooperate  too 
closely with the government, fearing regulation and disclosure of 
sensitive information. And getting Congress to spend billions  on 
a problem that is not an immediate crisis could prove nettlesome.

The  head of the commission, Robert T. Marsh, a retired Air Force 
general turned aerospace executive, said  industry's  cooperation 
is crucial.

"Any  recommended strategy will fail unless it is embraced by the 
private sector," he said.

The 18-member  commission,  along  with  its  10-member  advisory 
board,  was  created  in  July  1996  under an executive order of 
President Clinton.   Friday's  recommendations  were  part  of  a 
preliminary  report;  the  final  one  is due to the president in 
mid-October.

While physical threats are greater for a few  areas  --  such  as 
water supplies, which could be contaminated by chemical spills or 
biological agents -- the  computer-based  threat  is  potentially 
more  damaging  in  most  cases,  according to Philip E. Lacombe, 
staff director of the commission.

"What in 1940 required an invasion (by troops) to do can  now  be 
done  by  someone with a 486 (personal computer) and a modem," he 
said.

That's   because   the   nation's   embrace   of   computer   and 
communications  technology  in  the past decade makes many of its 
key systems utterly  dependent  on  the  reliable,  uninterrupted 
operation  of  that technology. The United States uses 42 percent 
of the world's computing power, and contains 60  percent  of  the 
world's   Internet  assets,  said  Nancy  J.   Wong,  manager  of 
information  assets  and  risk  management  with  Pacific  Gas  & 
Electric in San Francisco, and a member of the commission.

The  most  repeated  recommendation during eight presentations to 
the advisory committee: the country must  develop  public-private 
partnerships  to  share  data  about the risks, provide immediate 
word of intrusions or other attacks, and share information on how 
to guard against or eradicate an attack.

Yet   private   industry   is   reluctant  to  share  proprietary 
information with the government, for fear it could become public. 
Such disclosure could let competitors pry into corporate secrets, 
or expose a company to liability  suits  for  even  acknowledging 
that  its networks are vulnerable to attack.  Business also fears 
the commission's work could lead to more government regulation to 
force compliance with an infrastructure security regime.

The  government,  for its part, faces the problem of how to share 
classified information from  defense  and  intelligence  agencies 
with  the  private  sector.   Nunn  suggested  the whole national 
system for classifying information would have to be reexamined.

Another issue is cost. The commissioners  are  recommending  that 
government would perform the basic research, while industry would 
be responsible for the development of new technology.

John C. Davis, director of the National Computer Security  Center 
at the National Security Agency, said the federal budget for such 
research is now $150 million a year, with  another  $100  million 
spent  on  other  aspects of securing national infrastructure. He 
said those figures should double in 1998 and rise  20  percent  a 
year thereafter, reaching a total of $1 billion in seven years.

Getting industry to put up that much money will be tricky.

"The  private  sector is going to respond to its customer needs," 
said advisory panel Co-Chair  Jamie  Gorelick,  a  former  deputy 
attorney general who is now vice chairman of the Federal National 
Mortgage Association. "We have to provide incentive of  one  sort 
or another for industry to make the investment."

COPYRIGHT 1997  San Jose Mercury News