More than a year after President Clinton warned that criminals, terrorists and foreign foes could paralyze the nation's computer systems, federal officials acknowledged yesterday that hackers have broken into Defense Department networks from overseas while the FBI office in charge of America's cyber security is still more virtual than real.
One of the most serious threats seems to come from Russia. In the first official comment on a year-long investigation code-named Moonlight Maze, FBI agent Michael A. Vatis testified before Congress yesterday that intruders have penetrated computers belonging to the Defense Department, other government agencies and private contractors.
The unidentified hackers stole "unclassified but still sensitive information about essential defense technical research matters," Vatis told the Senate Judiciary subcommittee on technology and terrorism. After tracing the attack back through the Internet, he added, "the intrusions appear to originate in Russia." But he declined to say whether the attacks are continuing, or whether the Russian government is believed to be responsible.
Despite such threats, the FBI is still well short of its target of having 243 agents--out of a total force of 11,639--on the trail of digital desperadoes. So far only a handful of agents have been assigned full-time to computer squads in just 10 of the bureau's 56 field offices, and few are considered fully trained, despite aggressive hiring and education efforts, senior law enforcement officials said.
Moreover, the number of investigators assigned to the National Infrastructure Protection Center (NIPC), the FBI unit coordinating the federal response to computer threats, is declining. More than a dozen senior agents have been transferred to the recently expanded probe of alleged Chinese espionage at nuclear weapons laboratories, while the Clinton administration and Congress have rejected FBI requests to increase personnel for the cyber squad, the officials said.
"Our bench is thin, very thin," Vatis, who heads the NIPC, said in an interview. "We have put together a good starting lineup. But if we had several major incidents at the same time, we would be severely stretched, to put it mildly."
Two years ago the FBI had about 200 cases of computer-related crime under investigation. Now it is handling more than 800, ranging from vandalism of Web sites to potential theft of military secrets. "We could easily have double that number because intrusions are happening all the time, but we do not have the personnel or the resources to get to them," Vatis said.
Equipment is also a problem. "Unfortunately, the government procurement process is not the speediest thing in the world," he said.
The goal of providing the best possible protection for government computers "has not been realized, nor is it clear how this objective will be met," according to a report to Congress yesterday by the General Accounting Office. Recent audits show that 22 federal agencies have serious computer security weaknesses, said Jack L. Brock Jr., director of the GAO's government information systems unit.
Clinton made the FBI the lead agency for protecting the nation's computer systems when he signed Presidential Decision Directive 63 on May 22, 1998. That directive set the year 2003 as a goal for the creation of "a reliable, interconnected, and secure information system infrastructure."
Recognizing the government's limitations, Clinton also called for close cooperation between law enforcement agencies and private computer companies. But partnerships do not come easily between criminal investigators and digital wizards.
"There are two fundamental problems that the FBI has to overcome," said James Adams, chief executive of Infrastructure Defense Inc., which provides computer security services to large businesses. "The first is its internal culture, which is neither high-tech nor built on the concept of sharing information. The second is the widespread aversion in the private sector, which I don't happen to share, to entrusting sensitive corporate information to a law enforcement agency."
Contacts between the FBI and computer gurus "have been very strained at times, because these are two very different communities with different mind-sets and different goals, but the relationship has evolved gradually so they don't step on each other's toes quite as much," said Richard Pethia, manager of the Computer Emergency Response Team Coordination Center at Carnegie Mellon University, a federally funded rescue squad for computer disasters.
The Carnegie Mellon team, for example, promises to protect the confidentiality of anyone who provides information about computer security threats or solutions.
"We operate by interactive problem solving," said Pethia, who argues that a free flow of information on hackers' techniques and computer viruses is the best way to build defenses against them. Once word of a virus or an intrusion reaches the team, it mobilizes experts at universities, research labs and corporations for long-distance brainstorming. Yet victims often insist on remaining anonymous so as not to reveal an embarrassing business loss.
"Investigators naturally want to know everything, and they want to control all the information. But if we disclosed everything to the authorities, our phones would stop ringing within weeks," said Pethia.
The FBI, like the Pentagon before it, has grudgingly accepted this aspect of cyber culture.
"We realize that when a computer network suffers an intrusion, we can't just move in and surround it with yellow tape," Vatis said. "The way we approach a crime scene in cyberspace is radically different from the physical world because it is a living, constantly changing scene, not a static environment that we can just pick apart for evidence."
More recently, investigators have concluded that the best way to nab cyber criminals is to catch them in the act by letting an intrusion proceed while it is monitored and traced. As with information sharing, there is a fundamental difference in priorities.
"What matters to a business is ensuring continuity of operations, and catching the bad guys is a very long second," said Adams. "But catching the bad guy is all that the FBI cares about."
Yet prosecutions are still rare, making deterrence elusive.
"I would like to see the FBI track down enough virus writers and hackers to put some fear out there, but it hasn't happened so far and I don't see it happening anytime soon, because they don't have the resources," said Dan Schrader, vice president of new technologies at Trend Micro Inc., a producer of antivirus software. "While law enforcement gets up to speed, the private sector will have to ensure it has the means to protect itself."