Keepers of the Gate

						Tuesday, March 25, 1997
Alexander Shaw
PAC 405 Computers and Society
Spring 1997
Paper #2

	Be afraid, be very afraid.  Several articles and a book have let me 

know, in no uncertain terms, that computer security is not a major issue

with most U.S. companies.  In the February 1997 issue of Fortune Magazine, 

an article about Internet security opened my eyes.  One can only hope it will 

also open the eyes of chief information officers around the world.  According 

to a survey done by the American Society for Industrial Security, the

technological masses seem to operate with a false sense of security.  The survey

indicated 24% of American companies do not have procedures for safeguarding 

proprietary data.  A second industry survey stated that about half of all U.S.

companies do not even have a basic security policy for their computer systems.

I went out and bought a copy of "Secrets of a Super Hacker", by The Knightmare

a year ago.  When I first read it, the advice on hacking really made no sense 

to me.  My lack of knowledge on Internet issues prevented me from taking full 

advantage of the information in the book.  I read the book again this week.  

Only a year later, and I could take full advantage of The Knightmare's 

technical advice.  Most of the techniques described in the text were foreign to

me because of lack of experience using Internet tools like e-mail, FTP and 

other UNIX commands.  Now I can use these tools to do serious damage if I wish,

and so can most serious computer users.  There are three very serious problems

preventing hacking from being stopped.  The first problem is detection.  

According to Fortune, about 95% of all computer system invasions go undetected.

One reason for this is that more than 30% of all Internet-based break-ins took

place despite a computer firewall.  Most CIOs do not check the login records

because they have a firewall in place.  The second problem is lack of

notification to the proper authorities.  Of the 5% of the detected computer invasions,

only 15% were reported.  The fear of the bad media coverage scares most 

companies into quietly dealing with the losses in private.  Approximately 

$10 billion was lost to computer crimes in 1996.  The frightening aspect of 

this figure is that the monetary figure is based on the detected crime only.  

The third and the most troubling aspect of hacking is that hackers are cult 

heroes and heroines.  Most hackers are in it for the fun.  As The Knightmare 

explains in "Secrets of a Super Hacker", most hackers hack for the challenge of 

breaking into a system, not for the money they could gain.  If you build it, a 

secure system, that is, they will come.  Most hackers are not under the age of

20 years old as most people think.  Most Americans have a view of a

pimple-faced nerd with a computer as his only friend being the quintessential hack.

This is not the case at all.  Hackers come in all shapes, sizes, colors, ages,

genders and nationalities.  No one wants to send young kids to jail for a 

crime where no one supposedly gets hurt, so laws have been very relaxed.

	The major stakeholders in this dilemma are as numerous as the hackers 

themselves.  The first stakeholders are law enforcement officials.  Dennis 

Hughes of the FBI stated in the Fortune article, "The hackers are driving us 

nuts."  If this problem of hacking is not solved soon, many new, vague and 

restricting laws will be passed to curtail it.  Everyday surfers will have to 

suffer because of a few bad apples.  The Communications Decency Act comes to 

mind when I think about what could happen if the Federal government tries to 

stop hacking cold.  The CDA was written in a very vague way.  Some D.H. 

Lawrence novels could not be published or even discussed on-line if the CDA 

is interpreted the wrong way.  If the problem persists, laws will be written 

and enforced that will mirror the CDA: laws that are broad and vague to

canvass the entire Internet.  Another set of stakeholders are the corporations

with direct Internet connections.  If a hacker uses your company's computer to

crack another, your company may be responsible for damages to the second 

computer.  Your company may suffer catastrophic physical and financial damage 

because of a hack.  But because you are a gate-keeper to the Internet, you are

responsible for the damage in your cyberneighbor's virtual backyard.  If your 

relaxed security allows a hack to cause another company's money to be stolen, 

you may owe that company some cash.  This liability may make some companies 

think twice about having a T1 connection that is open all the time.  As a 

result of the damage, companies may charge higher fees for Internet services, 

or services in general.  The cost will go up, and the competition will 

decrease.  The third set of stakeholders are the hackers themselves.  With the

relaxed security, and relaxed laws, the hackers have it easy for the moment.  

Some hackers are getting very rich very fast right now.  The question is, for 

how long?  The fourth and most important stakeholder is the customer of the 

damaged corporation.  Because of a hack you may suffer higher fees for

services, lost or inaccurate information about you, or a financial loss.

	One solution is to make a minimum security level for all companies with

Internet access.  A combined effort from big business and big government might

slow down hacking.  There is no way to stop all computer crime, but a minimum 

security level is a way to stop the amateurs from causing trouble.  When 

thinking of a campaign for the security systems, the old "The Club" commercials

come to mind.  The systems would have to be inexpensive and just enough 

security to make it tough on "baby" hackers.  Once the mass majority of the 

hacking pack has been trimmed off, the various law enforcement agencies can 

catch the expert hackers.  The stakeholders in this situation would have very 

different problems arising from this proposal.  For the law enforcement people,

the questions are what agency will make the businesses get security and how 

much will it cost to make them get security?  There are millions of laws on the 

books that have no enforcement agency to deal with making the laws stick.  For

the companies, it is just another law to deal with.  It will also be another 

expense to deal with.  The hackers will still hack, but the bad hackers will 

have a very difficult time, and hopefully quit.  The customers will incur more

fees from the companies that do business on the net.  The customers always foot 

the bill in the end.  Another solution is to make the penalty for hacking so 

great that most people would not dream of trying.  The new forfeiture laws, 

concerning hacking, that President Clinton has put in place are a step in that

direction.  If you are suspected of hacking, anything you own that uses 

electricity can be confiscated.  All computer books, CDs, cassettes, LP 

records, even computer paper is fair game to be confiscated and used against a

hacker.  The stakeholders have very different problems with this solution as 

well.  For the law enforcement community, the problem still remains, who will 

enforce the law?  Right now several agencies are separately trying to stop 

hacking.  Sometimes the agencies can work together in harmony. Sometimes 

agencies working together is more like a train crash.  Some of the problems 

are multiple warrants on the same address, too many combined man-hours for the

same criminal in different agencies, and lack of information sharing.  The 

companies are afraid that their systems will be hauled away as evidence if a 

hacker is caught hacking them.  Another problem is the government will make a 

spectacle of the hacker, and in the process scare off the company's customers

because of bad media coverage.  Hackers will stop most of the hacking, but 

there is always someone with nothing to lose.  These are the hackers that will

not be scared off.  The hard-core hackers will not be as well hidden because of

the lowered hack traffic, making them easier to catch.  The big losers will 

again be the customers.  Higher taxes and company fees will make them feel the

pinch the way the hackers will.

	I feel the best method is to first force the businesses to get the 

minimum security systems.  Since the companies stand to make the most money on

a safe system, allow them to foot the bill for the rest of the stakeholders.  

The utilitarian argument "the greatest good for the greatest many" is my motto

here.  The government has enough power now to stop hacking.  There is no need 

to give it more power unnecessarily.  The baby hacks will be thwarted, exposing

the real hackers to the government.  Government agencies can concentrate work 

hours on the real problems, not on shadow hackers on the net.  The customers 

will suffer at first, but hopefully the cost will be minimal.

Behar, Richard.  "Who's reading your e-mail?" Fortune  3 Feb.  1997:  56-62.
Quittner, Joshua.  "@The Supreme Court."  Time  31 Mar.  1997:  74.
Knightmare, The.  Secrets of a Super Hacker.  Port Townsend:  Loompanics 
        Unlimited, 1994.