[ISN] Hearing on Viruses Becomes Debate on Privacy

From: cult hero (jerichoat_private)
Date: Fri Apr 16 1999 - 14:25:37 PDT

  • Next message: cult hero: "[ISN] REVIEW: Ethical and Social Issues in the Information Age"

    http://www.nytimes.com/library/tech/99/04/cyber/articles/16virus.html
    
    April 16, 1999
    Hearing on Viruses Becomes Debate on Privacy
    By JERI CLAUSING 
    
    WASHINGTON - A congressional hearing called to explore potential solutions
    to computer viruses like the fast-spreading Melissa strain on Thursday
    turned into a debate about online privacy and the investigative methods
    used to track the computer programmer accused of writing it. 
    
    "While I am a little bit concerned about the pernicious effect of viruses,
    I am more than a little bit disquieted about the way this investigation
    was pursued," Representative Anthony Weiner, a New York Democrat, said
    during the two-hour hearing of the House Science Committee's technology
    subcommittee. 
    
    "We are so wrapped up with idea of hunting down cyberterrorists that the
    walls are chipped out and our privacy rights are steadily eroded," he
    said. 
    
    Weiner said he was particularly troubled by reports that investigators
    tracked the Melissa suspect with help from both America Online and a
    unique identifying number attached to Microsoft software. 
    
    David L. Smith, a 30-year-old computer programmer from Aberdeen, N.J, was
    arrested on state charges on April 1, just a week after the Melissa virus
    was detected by the Federal Bureau of Investigation. Although the virus
    has infected an estimated 100,000 computers, experts say it does not do
    permanent damage or erase files. 
    
    Michael A. Vatis, director of the FBI's National Infrastructure Protection
    Center, assured Wiener at the hearing that no information leading to
    Smith, or others, was gathered without the proper authority or court
    orders. But he declined to give specifics on how Smith was caught, citing
    the ongoing investigation. 
    
    Weiner continued to press the subject, however, getting visibly irritated
    when other committee members turned talk to different scenarios under
    which terrorists could use viruses to launch quieter, much more serious
    computer attacks against the country. 
    
    "Let's cool down here," Weiner said, referring to the Melissa virus as a
    mere "annoyance" - and one from which software companies will turn hefty
    profits by making products to protect against it. 
    
    The Melissa virus taught computer users not just how vulnerable their
    machines are, Weiner said, "but how vulnerable we are to information about
    us." 
    
    Weiner said he feared that that advancements like unique identifying
    numbers on hardware and software "could in the blink of an eye allow an
    investigation to veer off" into otherwise protected private files. 
    
    Vatis agreed that a balance needs to be struck between privacy and law
    enforcement in the digital age. However, he said, "There's been a tendency
    in the advancement of the information age to focus almost exclusively on
    the privacy side," adding, "but there's not as much attention until we
    face events like Melissa what the consequences of that can cause." 
    
    The chairwoman of the subcommittee, Constance A. Morella, a Maryland
    Republican, said she called the meeting to find out what Congress could do
    to help protect the nation's computer networks from viruses and other
    attacks. 
    
    Experts from Carnegie Mellon University, the Commerce Department's
    National Institute of Standards and Technology (NIST) and the General
    Accounting Office offered varying opinions on the severity of the Melissa
    attack. 
    
    "It was vandalism conducted by someone with a mistaken view of
    achievement," said Raymond Kammer, director of NIST. "It is no different
    from people painting graffiti on walls." 
    
    But Keith Rhodes, technical director for the chief scientist at the
    General Accounting Office, said that the Pentagon needs to adopt a
    "red-hot alert" in response to such acts. 
    
    They all agreed, however, that Melissa was an important warning that more
    serious attacks could easily be launched against crucial government and
    private sector computer systems. 
    
    "The Melissa virus represents a new level of sophistication in the
    progression of computer viruses," said Richard Pethia, director of a
    federally financed center at Carnegie Mellon that studies and helps
    develop responses to computer security emergencies. 
    
    "Future mutations, or entire new strains, could easily be much harder to
    detect, spread even more quickly and cause significantly more damage," he
    said. "Even worse, network attackers focused on doing damage to some
    critical infrastructure could launch multiple variants of Melissa-like
    viruses as a diversion to disguise their real attack. 
    
    "Melissa demonstrates that these scenarios are both possible and likely." 
    
    Pethia said that regardless of any government action, "real solutions long
    term can only come from technology." 
    
    He said software developers have opted for flexibility over security,
    making it easy for viruses like Melissa to be spread around the world in
    "Internet speed." 
    
    "If the only defense is to react to a problem as it occurs, we're always
    going to be behind," he said. "We need to a do a better job." 
    
    Kammer said NIST is currently working with other countries to develop
    standards for certifying safer software products. 
    
    Vatis told the committee that cooperation between governments and private
    companies, such as Internet service providers, is crucial in being able to
    track and stop criminals. He said that while America Online is helpful,
    most other Internet service providers are not. 
    
    Rhodes, of the GAO, said government computers need both increased security
    and coordination, particularly creation of a reporting system that would
    allow for the quick identification and analysis of potential problems
    before they spread. For instance, he said, no one really knows how many
    government computers were hit by the virus, including officials at the
    Department of Defense. 
    
    "Some areas of defense are very strong," Rhodes said. "Some areas are
    extraordinarily weak. Some areas may still be infected and fighting it." 
    
    
    
    
    
    
    
    
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Hacker News Network [www.hackernews.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:22:30 PDT