The Tampa Tribune August 9, 2002
Experts Fault Government Ability To Protect Computers
By BRAD SMITH
TAMPA - The government's record of protecting its thousands of computers from theft and intrusion is confused, weak and not likely to improve anytime soon, experts say.
Indeed, little if anything will change until a major cyber catastrophe - for example, a terrorist attack on the nation's computer-controlled businesses and networks, computer watchdogs agree.
"The government is not doing nearly as much as it's going to have to do," said John Pike, a defense consultant and director of Virginia-based GlobalSecurity.org, which studies computer security issues.
Computer hardware theft and possible breaches of military secrecy have become news this week amid a massive investigation involving two missing laptop computers at U.S. Central Command, Gen. Tommy Frank's headquarters at MacDill Air Force Base where the military's war on terror is directed. Investigators aren't saying whether they suspect espionage, theft or some other circumstance. Nor are they detailing what was on the computers, although officials have said one contained highly classified material.
Allan Holmes, editor in chief of Federal Computer Week magazine, said tightening security of the government's thousands of laptops is a major strategic issue that government managers have yet to master.
Request Turned Down
"It's been a continuing problem," Holmes said.
One key problem is money, experts say. The Clinton administration requested $1 billion for computer security, but Congress balked.
"The federal government has rarely given [the issue] the money it needs or put in the management practices that it requires," said Holmes, whose publication tracks government computing policies. "Year after year, we cover what's spent on it, and security always gets cut."
Besides the widespread problem of hardware theft, the government's security fire walls - which are supposed to block hackers from gaining access to computerized data - have been breached time and again.
"You'd be surprised how easy it is to crack," Holmes said, mentioning one recent government test that easily broke through security barriers to U.S. Veterans Affairs databases.
A bogus veteran's mailing address was set up that soon began receiving veterans' financial benefits. Even after the VA was notified of the breach, the test was successfully repeated.
Although civilian software developers have created stealth programs and monitoring systems that make stealing hardware difficult, government procurement rules discourage vendors from selling protection to the military or civilian branches of government.
Several major government departments were interested in security packages manufactured by Loss Prevention Services Inc., a Clemmons, N.C., firm that markets computer antitheft systems.
But the government wanted access to the firm's trade secrets first, said Corky McClellan, a company manager.
"One department we had conversations with required that we provide them our source code," which effectively gave the government the means to reproduce its system for free, McClellan said.
"And they put a restraint on the deal that we can't sue for any monetary compensation," he added. "That tells me I'll just move along."
Dan Verton, a former military intelligence officer and Computer World magazine reporter who covers government computer security, said the military loses laptop computers all the time.
"In the military environment, you're sending people all over the world with this stuff," Verton said. "It's out of your sight, but yet you're still responsible for it."
Verton said new technologies are available that disable stolen laptops. New biometric technology restricts equipment to certain users, limiting the value of the hardware if stolen.
Priority, Or Not Really?
The government's new Homeland Security Department is expected to make computer security a priority. But Verton is skeptical.
"I don't see the government adopting these things," Verton said. "There's no uniformity, not by a long shot."
A cyber-terrorist attack on telecommunications, Wall Street or the nation's power grid could be what galvanizes public concern to pressure government to tighten its computer safety nets. The government has run simulations of such attacks.
"It could lead to failures of power grids for more than a week," Verton said. "Then you've got mass chaos. Businesses go out of business."
Steven Aftergood, a government secrecy analyst at the Federation of American Scientists, said MacDill's loss of the two laptops is "unfortunately, par for the course."
And he sees few solutions to prevent it from happening again. Yet he doubts Saddam Hussein has spies scouring Florida for military laptops.
"All that really can be done is to encourage personnel to practice vigilance and to make sure they keep track of their property," Aftergood said.
But he's seen one government computer loss after another, including a major embarrassment in the State Department under former Secretary of State Madeline Albright when laptops with classified state secrets were lost.
"There's hemming and hawing, and a commitment to do better, and then everyone moves on," Aftergood said. "I doubt the government would want to cut back on its laptops because they're too useful."
© Copyright 2002 The Tribune Co. Publishes The Tampa Tribune
