WASHINGTON -- The ground rules were simple: Use laptop computers purchased at local stores and software downloaded from the Internet; target only unclassified government computer systems, and see how far you can get.
The "Red Team" hackers hit the jackpot. In less than three months, a team of about 30 computer specialists from the National Security Agency secretly penetrated computers that control electrical grids in Los Angeles, Washington and other major cities. They broke into networks that direct 911 emergency response systems. They got access to the Pentagon's National Military Command Center, the heart of America's war-fighting operation.
The Pentagon's mid-1997 "Eligible Receiver" exercise showed the vulnerability of America's civilian and military logistics and infrastructure to cyber attack.
Now, "Moonlight Maze" has proved the case. The FBI-led inquiry found that real hackers apparently based in Russia have used the Internet to download defense technical research, including missile guidance programs, and other data from unclassified Defense Department and other government computers for more than a year. The FBI's inability to identify the intruders highlights the danger in an increasingly wired world.
The United States has become "extraordinarily vulnerable" to cyber-skilled foes who seek to penetrate or sabotage critical computer systems, said Richard Clark, President Clinton's national coordinator for security, infrastructure protection and counterterrorism.
"An enemy could systematically disrupt banking, transportation, utilities, finance, government functions and defense," Clark said. "We know other countries that are developing information technology and are doing reconnaissance of our computer networks."
Experts say the United States leads the way in cyber-warfare technology. But Russia, Israel, France, England and India are also seeking to develop cyber-weapons, U.S. officials say. China is further behind, but has demonstrated increasing sophistication.
"It's cheaper and easier than building a nuclear weapon," Clark said. "It takes fewer people and far less money."
In May 1998, Clinton issued a presidential directive setting a five-year goal to protect "those physical and cyber-based systems essential to the minimum operations of the economy and government."
Last week, the Pentagon made computer security a component of military strategy, giving the U.S. Space Command control of an interim joint task force that was formed to monitor and defend the Pentagon's global information networks.
In addition, the Treasury Department opened the first Information Sharing and Assessment Center with a consortium of private banks, finance houses and insurance companies. The center, based in Reston, Va., will work as a clearinghouse for computer threats and will pass high-tech fixes to members.
Similar government-backed high-tech centers will be opened for electric utilities and oil companies, railroad and aviation companies, and the telecommunications industry.
'No 100 percent guarantees'
The more immediate problem is the stunning pace of technological change. Government and corporate computer network administrators play a cat-and-mouse game with those who see every new defense as a challenge to be overcome.
"The state of the art is such that while we are putting up protective barriers and fire walls and such, there is general agreement that there are no 100 percent guarantees," said John Gilligan, who directs information technology and information systems at the Energy Department, one of the Moonlight Maze targets.
"They're fine for [protecting against] the less experienced and even more sophisticated hackers," he added. "But the technology does not allow us to guarantee that we can withstand a very sophisticated attack against our systems. That's one of the vulnerabilities we face."
Pub Date: 10/10/99