[prev in list] [next in list] [prev in thread] [next in thread] 

List:       isn
Subject:    [ISN] Hearing on Viruses Becomes Debate on Privacy
From:       cult hero <jericho () dimensional ! com>
Date:       1999-04-16 21:25:37
[Download RAW message or body]



http://www.nytimes.com/library/tech/99/04/cyber/articles/16virus.html

April 16, 1999
Hearing on Viruses Becomes Debate on Privacy
By JERI CLAUSING 

WASHINGTON - A congressional hearing called to explore potential solutions
to computer viruses like the fast-spreading Melissa strain on Thursday
turned into a debate about online privacy and the investigative methods
used to track the computer programmer accused of writing it. 

"While I am a little bit concerned about the pernicious effect of viruses,
I am more than a little bit disquieted about the way this investigation
was pursued," Representative Anthony Weiner, a New York Democrat, said
during the two-hour hearing of the House Science Committee's technology
subcommittee. 

"We are so wrapped up with idea of hunting down cyberterrorists that the
walls are chipped out and our privacy rights are steadily eroded," he
said. 

Weiner said he was particularly troubled by reports that investigators
tracked the Melissa suspect with help from both America Online and a
unique identifying number attached to Microsoft software. 

David L. Smith, a 30-year-old computer programmer from Aberdeen, N.J, was
arrested on state charges on April 1, just a week after the Melissa virus
was detected by the Federal Bureau of Investigation. Although the virus
has infected an estimated 100,000 computers, experts say it does not do
permanent damage or erase files. 

Michael A. Vatis, director of the FBI's National Infrastructure Protection
Center, assured Wiener at the hearing that no information leading to
Smith, or others, was gathered without the proper authority or court
orders. But he declined to give specifics on how Smith was caught, citing
the ongoing investigation. 

Weiner continued to press the subject, however, getting visibly irritated
when other committee members turned talk to different scenarios under
which terrorists could use viruses to launch quieter, much more serious
computer attacks against the country. 

"Let's cool down here," Weiner said, referring to the Melissa virus as a
mere "annoyance" - and one from which software companies will turn hefty
profits by making products to protect against it. 

The Melissa virus taught computer users not just how vulnerable their
machines are, Weiner said, "but how vulnerable we are to information about
us." 

Weiner said he feared that that advancements like unique identifying
numbers on hardware and software "could in the blink of an eye allow an
investigation to veer off" into otherwise protected private files. 

Vatis agreed that a balance needs to be struck between privacy and law
enforcement in the digital age. However, he said, "There's been a tendency
in the advancement of the information age to focus almost exclusively on
the privacy side," adding, "but there's not as much attention until we
face events like Melissa what the consequences of that can cause." 

The chairwoman of the subcommittee, Constance A. Morella, a Maryland
Republican, said she called the meeting to find out what Congress could do
to help protect the nation's computer networks from viruses and other
attacks. 

Experts from Carnegie Mellon University, the Commerce Department's
National Institute of Standards and Technology (NIST) and the General
Accounting Office offered varying opinions on the severity of the Melissa
attack. 

"It was vandalism conducted by someone with a mistaken view of
achievement," said Raymond Kammer, director of NIST. "It is no different
from people painting graffiti on walls." 

But Keith Rhodes, technical director for the chief scientist at the
General Accounting Office, said that the Pentagon needs to adopt a
"red-hot alert" in response to such acts. 

They all agreed, however, that Melissa was an important warning that more
serious attacks could easily be launched against crucial government and
private sector computer systems. 

"The Melissa virus represents a new level of sophistication in the
progression of computer viruses," said Richard Pethia, director of a
federally financed center at Carnegie Mellon that studies and helps
develop responses to computer security emergencies. 

"Future mutations, or entire new strains, could easily be much harder to
detect, spread even more quickly and cause significantly more damage," he
said. "Even worse, network attackers focused on doing damage to some
critical infrastructure could launch multiple variants of Melissa-like
viruses as a diversion to disguise their real attack. 

"Melissa demonstrates that these scenarios are both possible and likely." 

Pethia said that regardless of any government action, "real solutions long
term can only come from technology." 

He said software developers have opted for flexibility over security,
making it easy for viruses like Melissa to be spread around the world in
"Internet speed." 

"If the only defense is to react to a problem as it occurs, we're always
going to be behind," he said. "We need to a do a better job." 

Kammer said NIST is currently working with other countries to develop
standards for certifying safer software products. 

Vatis told the committee that cooperation between governments and private
companies, such as Internet service providers, is crucial in being able to
track and stop criminals. He said that while America Online is helpful,
most other Internet service providers are not. 

Rhodes, of the GAO, said government computers need both increased security
and coordination, particularly creation of a reporting system that would
allow for the quick identification and analysis of potential problems
before they spread. For instance, he said, no one really knows how many
government computers were hit by the virus, including officials at the
Department of Defense. 

"Some areas of defense are very strong," Rhodes said. "Some areas are
extraordinarily weak. Some areas may still be infected and fighting it." 









-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Hacker News Network [www.hackernews.com]

[prev in list] [next in list] [prev in thread] [next in thread]