Keepers of the Gate
Tuesday, March 25, 1997
PAC 405 Computers and Society
Be afraid, be very afraid. Several articles and a book have let me
know, under no uncertain terms, that computer security is not a major issue
with most U.S. companies. In the February 1997 issue of Fortune Magazine,
an article about Internet security opened my eyes. One can only hope it will
also open the eyes of chief information officers around the world. According
to a survey done by the American Society for Industrial Security, the techno-
logical masses seem to operate with a false sense of security. The survey
indicated 24% of American companies do not have procedures for safeguarding
proprietary data. A second industry survey, stated that about half of all U.S.
companies do not even have a basic security policy for their computer systems.
I went out and bought a copy of "Secrets of a Super Hacker", by The Knightmare
a year ago. When I first read it, the advice on hacking really made no sense
to me. My lack of knowledge on Internet issues prevented me from taking full
advantage of the information in the book. I read the book again this week.
Only a year later, and I could take full advantage of The Knightmare's
technical advice. Most of the technics described in the text were foreign to
me because of lack of experience using Internet tools like e-mail, FTP and
other UNIX commands. Now I can use these tools to do serious damage if I wish,
so can most serious computer users. There are three very serious problems
preventing hacking from being stopped. The first problem is detection.
According to Fortune, about 95% of all computer system invasions go undetected.
One reason for this is that more than 30% of all Internet based break-ins took
place despite a computer firewall. Most CIOs do not check the login records
because they have a firewall in place. The second problem is lack of notifi-
cation to the proper authorities. Of the 5% of the detected computer invasions,
only 15% were reported. The fear of the bad media coverage scares most
companies into quietly dealing with the losses in private. Approximately
$10 billion was lost to computer crimes in 1996. The frightening aspect of
this figure is that the monetary figure is based on the detected crime only.
The third and the most troubling aspect of hacking is that hackers are cult
heroes and heroines. Most hackers are in it for the fun. As The Knightmare
explains in "Secrets of a Super Hacker", most hackers hack for the challenge of
breaking into a system, not for the money they could gain. If you build it, a
secure system, that is, they will come. Most hackers are not under the age of
20 years old as most people think. Most Americans have a view of a pimple-
faced nerd with a computer as his only friend being the quintessential hack.
This is not the case at all. Hackers come in all shapes, sizes, colors, ages,
genders and nationalities. No one wants to send young kids to jail for a
crime where no one supposedly gets hurt, so laws have been very relaxed.
The major stakeholders in this dilemma are as numerous as the hackers
themselves. The first stakeholders are law enforcement officials. Dennis
Hughes of the FBI stated in the Fortune article, "The hackers are driving us
nuts." If this problem of hacking is not solved soon, many new, vague and
restricting laws will be passed to curtail it. Everyday surfers will have to
suffer because of a few bad apples. The Communications Decency Act comes to
mind when I think about what could happen if the Federal government tries to
stop hacking cold. The CDA was written in a very vague way. Some D.H.
Lawrence novels could not be published or even discussed on-line if the CDA
is interpreted the wrong way. If the problem persists, laws will be written
and enforced that will mirror the CDA. Laws that are broad and vague to
canvass the entire Internet. Another set of stakeholders are the corporations
with direct Internet connections. If a hacker uses your company's computer to
crack another, your company may be responsible for damages to the second
computer. Your company may suffer catastrophic physical and financial damage
because of a hack. But because you are a gate-keeper to the Internet, you are
responsible for the damage in your cyberneighbor's virtual backyard. If your
relaxed security allows a hack to cause another company's money to be stolen,
you may owe that company some cash. This liability may make some companies
think twice about having a T1 connection that is open all the time. As a
result of the damage, companies may charge higher fees for Internet services,
or services in general. The cost will go up, and the competition will
decrease. The third set of stakeholders are the hackers themselves. With the
relaxed security, and relaxed laws, the hackers have it easy for the moment.
Some hackers are getting very rich very fast right now. The question is, for
how long? The fourth and most important stakeholder is the customer of the
damaged corporation. Because of a hack you may suffer; higher fees for
services, lost or inaccurate information about you, or a financial loss.
One solution is to make a minimum security level for all companies with
Internet access. A combined effort from big business and big government might
slow down hacking. There is no way to stop all computer crime, but a minimum
security level is a way to stop the amateurs from causing trouble. When
thinking of a campaign for the security systems, the old "The Club" commercials
come to mind. The systems would have to be inexpensive and just enough
security to make it tough on "baby" hackers. Once the mass majority of the
hacking pack has been trimmed off, the various law enforcement agencies can
catch the expert hackers. The stakeholders in this situation would have very
different problems arising from this proposal. For the law enforcement people,
the questions are what agency will make the businesses get security and how
much will it cost to make them get security? There are millions of laws on the
books that have no enforcement agency to deal with making the laws stick. For
the companies, it is just another law to deal with. It will also be another
expense to deal with. The hackers will still hack, but the bad hackers will
have a very difficult time, and hopefully quit. The customers will incur more
fees from the companies that do business on the net. The customers always foot
the bill in the end. Another solution is to make the penalty for hacking so
great that most people would not dream of trying. The new forfeiture laws,
concerning hacking, that President Clinton has put in place is a step in that
direction. If you are suspected of hacking, anything you own that uses
electricity can be confiscated. All computer books, CDs, cassettes, LP
records, even computer paper is fair game to be confiscated and used against a
hacker. The stakeholders have very different problems with this solution as
well. For the law enforcement community, the problem still remains, who will
enforce the law? Right now several agencies are separately trying to stop
hacking. Sometimes the agencies can work together in harmony. Sometimes
agencies working together is more like a train crash. Some of the problems
are; multiple warrants on the same address, too many combined man-hours for the
same criminal in different agencies, and lack of information sharing. The
companies are afraid that their systems will be hauled away as evidence if a
hacker is caught hacking them. Another problem is the government will make a
spectacle of the hacker, in the process scare off the company's customers
because of bad media coverage. Hackers will stop most of the hacking, but
there is always someone with nothing to lose. These are the hackers that will
not be scared off. The hard-core hackers will not be as well hidden because of
the lowered hack traffic, making them easier to catch. The big losers will
again be the customers. Higher taxes and company fees will make them feel the
pinch the way the hackers will.
I feel the best method is to first force the businesses to get the
minimum security systems. Since the companies stand to make the most money on
a safe system, allow them to foot the bill for the rest of the stakeholders.
The utilitarian argument "the greatest good for the greatest many" is my motto
here. The government has enough power now to stop hacking. There is no need
to give it more power unnecessarily. The baby hacks will be thwarted, exposing
the real hackers to the government. Government agencies can concentrate work
hours on the real problems, not on shadow hackers on the net. The customers
will suffer at first, but hopefully the cost will be minimal.
Behar, Richard. "Who's reading your e-mail?" Fortune 3 Feb. 1997: 56-62.
Quittner, Joshua "@The Supreme Court." Time 31 Mar. 1997: 74.
Knightmare, The. Secrets of a Super Hacker. Port Townsend: Loompanics