America's increasingly computerized society will become dangerously vulnerable to attacks by criminals and high-tech terrorists unless new nationwide computer security precautions are taken soon, a National Research Council committee announced yesterday.

"So far, the nation has been remarkably lucky in escaping any successful attempts to subvert critical computing systems," said Massachusetts Institute of Technology computer scientist David Clark, chairman of the panel of 16 industry and academic experts. "Unfortunately, there is reason to believe that our luck may soon run out unless we take action now."

The committee's 18-month study, released yesterday, calls for adoption of broad new national standards for hardware and software safety, reliability and security measures. It also urges the creation of a nonprofit foundation to oversee and monitor compliance.

These steps are necessary, committee members warned, because more individual personal computers are "networked" into nationwide systems, because a "quantum leap in computer literacy" has enabled more people to create computer weapons such as "viruses" and "worms," and because crucial social functions such as banking, transportation, voting and medicine have grown ever more dependent on centralized computer hardware.

As a result, America's computing and communications systems are threatened by "potentially catastrophic security breaches and accidental failures," Clark said.

"The modern thief can steal more with a computer than with a gun," the report said. "Tomorrow's terrorist may be able to do more damage with a keyboard than with a bomb."

In 1987, for example, insiders at Volkswagen managed to pocket millions of dollars by manipulating computers to disguise the company's foreign currency transactions, the report noted.

Such highly publicized crises as the "Internet worm" that eventually penetrated thousands of computers after it was let loose by a Cornell University hacker, or the software bug that shut down AT&T's long distance service last January, merely are a "leading indicator of security problems in the next decade," Clark said.

This situation, coupled with "a very blasé attitude" in the business community, he said, threatens not only data systems but also human life: "It is as if a small town were to wake up one day to find that it had turned into a metropolis -- yet everyone continued to leave their houses and cars unlocked based on the blind faith of a past reality."

The report recommends six immediate "key actions," including the adoption of "generally accepted system security principles" analogous to the national standards now used in accounting and building construction. These principles would assure quality control of software as well as set minimum criteria for security procedures such as password protection, file encoding and internal auditing procedures for policing user activities.

Some de facto standards exist, the panel noted. But they are split between the National Security Agency, which sets parameters for military and intelligence systems, and the National Institute of Standards and Technology, which provides a few guidelines for civilian networks.

To rectify that situation, the panel proposed the creation of a federally sanctioned Information Security Foundation to set standards, evaluate system conformity and maintain a national "tracking system" for cases of computer crime and security threats. The foundation would be funded by fees paid by member groups, including hardware and software vendors.

The committee's proposal came under attack from the Association of Data Processing Service Organizations (ADAPSO), which warned that any set of fixed guidelines soon could become obsolete.

"We feel that technology develops so quickly that you develop such standards and they fall out of effectiveness pretty quickly," ADAPSO spokesman Bob Cohen said. "The person you're trying to bar from your system is going to be able to develop a countermeasure, [while] you're trying to comply with a standard that's been defeated. The best solution is the one that zeros in on behavioral problems as the true way to correct the problem."

Already, a movement is underway in Europe to create a single continent-wide set of computer security guidelines that would give a seal of approval to systems that achieve certain levels of data protection. That has concerned some U.S. manufacturers who worry about having to develop special versions of their machines for Europe, hurting their competitiveness. The fear is that "if the U.S. doesn't get in on the ballgame then we're going to be closed out," said Richard Kemmerer, a panel member and University of California computer science professor.

The vulnerability of military systems was illustrated in 1988 when a group of West German hackers, using telephone lines, infiltrated a wide assortment of computers at U.S. military installations and corporations. Three men were convicted in February of selling some of that information -- reportedly none of it classified -- to the Soviet Union.

The National Research Council committee, said member John Guttag of MIT, does not want to see "our society avoid dealing with the problem until there's a crisis. We have to begin now while there's still time."