http://www.nytimes.com/library/tech/99/04/cyber/articles/16virus.html

April 16, 1999

Hearing on Viruses Becomes Debate on Privacy

By JERI CLAUSING

WASHINGTON - A congressional hearing called to explore potential solutions to computer viruses like the fast-spreading Melissa strain on Thursday turned into a debate about online privacy and the investigative methods used to track the computer programmer accused of writing it.

"While I am a little bit concerned about the pernicious effect of viruses, I am more than a little bit disquieted about the way this investigation was pursued," Representative Anthony Weiner, a New York Democrat, said during the two-hour hearing of the House Science Committee's technology subcommittee.

"We are so wrapped up with the idea of hunting down cyberterrorists that the walls are chipped out and our privacy rights are steadily eroded," he said.

Weiner said he was particularly troubled by reports that investigators tracked the Melissa suspect with help from both America Online and a unique identifying number attached to Microsoft software.

David L. Smith, a 30-year-old computer programmer from Aberdeen, N.J., was arrested on state charges on April 1, just a week after the Melissa virus was detected by the Federal Bureau of Investigation. Although the virus has infected an estimated 100,000 computers, experts say it does not do permanent damage or erase files.

Michael A. Vatis, director of the FBI's National Infrastructure Protection Center, assured Weiner at the hearing that no information leading to Smith, or others, was gathered without the proper authority or court orders. But he declined to give specifics on how Smith was caught, citing the ongoing investigation.

Weiner continued to press the subject, however, getting visibly irritated when other committee members turned talk to different scenarios under which terrorists could use viruses to launch quieter, much more serious computer attacks against the country.

"Let's cool down here," Weiner said, referring to the Melissa virus as a mere "annoyance" - and one from which software companies will turn hefty profits by making products to protect against it.

The Melissa virus taught computer users not just how vulnerable their machines are, Weiner said, "but how vulnerable we are to information about us."

Weiner said he feared that advancements like unique identifying numbers on hardware and software "could in the blink of an eye allow an investigation to veer off" into otherwise protected private files.

Vatis agreed that a balance needs to be struck between privacy and law enforcement in the digital age. However, he said, "There's been a tendency in the advancement of the information age to focus almost exclusively on the privacy side," adding, "but there's not as much attention until we face events like Melissa what the consequences of that can cause."

The chairwoman of the subcommittee, Constance A. Morella, a Maryland Republican, said she called the meeting to find out what Congress could do to help protect the nation's computer networks from viruses and other attacks.

Experts from Carnegie Mellon University, the Commerce Department's National Institute of Standards and Technology (NIST) and the General Accounting Office offered varying opinions on the severity of the Melissa attack.

"It was vandalism conducted by someone with a mistaken view of achievement," said Raymond Kammer, director of NIST. "It is no different from people painting graffiti on walls."

But Keith Rhodes, technical director for the chief scientist at the General Accounting Office, said that the Pentagon needs to adopt a "red-hot alert" in response to such acts.

They all agreed, however, that Melissa was an important warning that more serious attacks could easily be launched against crucial government and private sector computer systems.

"The Melissa virus represents a new level of sophistication in the progression of computer viruses," said Richard Pethia, director of a federally financed center at Carnegie Mellon that studies and helps develop responses to computer security emergencies.

"Future mutations, or entire new strains, could easily be much harder to detect, spread even more quickly and cause significantly more damage," he said. "Even worse, network attackers focused on doing damage to some critical infrastructure could launch multiple variants of Melissa-like viruses as a diversion to disguise their real attack.

"Melissa demonstrates that these scenarios are both possible and likely."

Pethia said that regardless of any government action, "real solutions long term can only come from technology." He said software developers have opted for flexibility over security, making it easy for viruses like Melissa to be spread around the world in "Internet speed."

"If the only defense is to react to a problem as it occurs, we're always going to be behind," he said. "We need to do a better job."

Kammer said NIST is currently working with other countries to develop standards for certifying safer software products.

Vatis told the committee that cooperation between governments and private companies, such as Internet service providers, is crucial in being able to track and stop criminals. He said that while America Online is helpful, most other Internet service providers are not.

Rhodes, of the GAO, said government computers need both increased security and coordination, particularly creation of a reporting system that would allow for the quick identification and analysis of potential problems before they spread.

For instance, he said, no one really knows how many government computers were hit by the virus, including officials at the Department of Defense.

"Some areas of defense are very strong," Rhodes said. "Some areas are extraordinarily weak. Some areas may still be infected and fighting it."