Hackers in the United States and abroad have gained access to hundreds of sensitive but unclassified government and military computer networks on the global Internet network, computer security experts said yesterday.
While most of the intruders appear to be out for the computer equivalent of a joy ride, federal investigators say that some of them have been able to take control of several military computer systems, allowing them to steal, alter or erase computer records, even to shut the computer systems down.
While there is no evidence that command and control systems were affected by the intrusions, a spokeswoman for the Defense Information Systems Agency said, the compromised computer systems include those used for ballistic weapons research, aircraft and ship design, military payroll, personnel records, procurement, electronic mail, super-computer modeling of battlefield environments, and even computer security research.
Classified government and military data, such as those that control nuclear weapons, intelligence and other critical functions, are not connected to the Internet and are believed to be safe from the types of attacks reported recently.
"The problem is a very significant one," said Michael Higgins, deputy director for information security at Defense Information Systems Agency's Center for Information Systems Security. "The solution to this problem is not a trivial one, and such intrusions are bound to continue because such information will be passed along to other intruders."
The apparent ease with which hackers are entering military and government systems suggests that similar if not greater intrusions are under way on corporate, academic and commercial networks connected to the Internet.
It also raises troubling questions about privacy and data security on what the Clinton administration calls the information superhighway.
Several sources said it was likely that only a small percentage of intrusions, perhaps fewer than 5 percent, have been detected.
Of those that have been discovered, some are using advanced data encryption techniques that prevent or hinder the military from discovering the nature of the data that are being stolen.
"We've got real problems, and the problems have not been confined to government and military sites," said Eugene Spafford, an associate professor of computer science at Purdue University who directs a national computer security program.
In a private but unclassified briefing to a corporation recently, Mr. Higgins of the Defense Information Systems Agency informed executives of a defense contractor that "major portions" of the Defense Department's unclassified networks had been penetrated by hackers, hampering the department's military readiness.
Mr. Higgins' remarks were initially reported in the newspaper Federal Computer Week and were confirmed by his office yesterday. Mr. Higgins added that "a major portion" of the international commercial computer network infrastructure, including the National Information Infrastructure, had also been compromised.
The break-ins have increased significantly since February, when the Computer Emergency Response Team, a quasi-government organization financed by the Defense Department and based at Carnegie Mellon University in Pittsburgh, issued an alarm that unknown intruders were gathering tens of thousands of supposedly secret computer passwords that were being transmitted from computer to computer on the global Internet.
Since then, security experts said, the number of captured passwords has probably exceeded 1 million. While the initial attacks may have been part of a coordinated effort, the widespread availability of hacking tools has turned the assault into a free-for-all, the experts said.
According to military investigators, "dozens of regional network service providers" -- the main Internet hubs that service the majority of U.S. companies and individuals that use the Internet -- have been successfully attacked.
"There are probably no secure systems on the Internet," said Peter G. Neumann, principal scientist at SRI International, a think tank in Menlo Park, Calif., formerly known as the Stanford Research Institute. "Some are just administered better than others and are harder to break into."
There are an estimated 2.2 million "host" computers on the Internet, a worldwide network of computer networks used by more than 20 million people.
"I don't want to sound alarmist, but there is legitimate cause for concern," said Scott C. Charney, chief of the computer crime unit in the Justice Department's Criminal Division. "As we go toward greater connectivity, and as more information is stored on the networks, the risks go up proportionately."
Most of the attacks appear to use a "sniffer" program that is surreptitiously inserted into a computer.
Each message passing through the computer on its way around the global network contains the sender's user identification, secret password and other information needed to gain access to the destination computer.
The sniffer program captures virtually every authorized password and user ID passing through the computer -- sometimes thousands a day -- and stores them for retrieval.
Later, using the pilfered IDs and passwords, the hackers can easily gain access to government, military, corporate and private computer systems, where they plant more sniffers and continue the incursion.
If the captured passwords belong to system administrators, the hacker can take control of the "root" of the system and modify it for easier penetration later, similar to entering a house through a back window and turning off the alarm system.
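A defensive check for the kind of planted sniffer described above, as an added example that is not part of the original article: on Linux, a capturing network interface typically runs in promiscuous mode, and the capturing process holds an AF_PACKET socket. The paths `/sys/class/net` and `/proc/net/packet` are Linux-specific assumptions, and the interface names and values inside `demo()` are constructed.

```python
"""Audit a Linux host for signs of a planted packet sniffer."""
import os
import tempfile

IFF_PROMISC = 0x100  # interface flag bit from <linux/if.h>

def is_promiscuous(flags_text):
    """True if a sysfs 'flags' value (hex string) has IFF_PROMISC set."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)

def promiscuous_interfaces(sysfs_net="/sys/class/net"):
    """Names of interfaces currently accepting every frame on the wire."""
    found = []
    for name in sorted(os.listdir(sysfs_net)):
        try:
            with open(os.path.join(sysfs_net, name, "flags")) as fh:
                if is_promiscuous(fh.read()):
                    found.append(name)
        except (OSError, ValueError):
            continue  # interface vanished or entry unreadable
    return found

def packet_socket_inodes(proc_packet="/proc/net/packet"):
    """Inodes of open AF_PACKET sockets, the capture handles sniffers hold."""
    inodes = []
    try:
        with open(proc_packet) as fh:
            next(fh, None)  # skip the header row
            for line in fh:
                fields = line.split()
                if len(fields) >= 9:
                    inodes.append(int(fields[8]))  # last column is Inode
    except OSError:
        pass  # file absent on non-Linux hosts
    return inodes

def demo():
    """Run both checks against a constructed tree (not real host data)."""
    with tempfile.TemporaryDirectory() as root:
        for name, flags in (("eth0", "0x1103"), ("eth1", "0x1003"), ("lo", "0x9")):
            os.makedirs(os.path.join(root, "net", name))
            with open(os.path.join(root, "net", name, "flags"), "w") as fh:
                fh.write(flags + "\n")
        pkt = os.path.join(root, "packet")
        with open(pkt, "w") as fh:
            fh.write("sk RefCnt Type Proto Iface R Rmem User Inode\n")
            fh.write("ffff8881 3 3 0003 2 1 0 0 48211\n")
        return promiscuous_interfaces(os.path.join(root, "net")), packet_socket_inodes(pkt)
```

An interface in promiscuous mode or an unexpected packet socket is a lead to investigate, not proof of compromise, since legitimate monitoring tools produce the same signals.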