"Infoterrorists" tap into computer networks to cut off electricity supplies in New York and Los Angeles. Hackers disrupt communications among U.S. military bases. Tax and Social Security records are mysteriously changed, while electronic fund transfers between banks go astray.
These aren't scenarios from the script of a Hollywood cyber-flick. They are the basis of serious war game exercises conducted by Western military, law enforcement and intelligence officials as they explore the potential risks of "information warfare" and develop countermeasures.Twenty-six years after the Defense Department created the Internet as a communications system invulnerable even to a nuclear attack, the global web of computer networks is itself now viewed as a national security risk.
The increasing dependency of government agencies and businesses on networks of computers - supporting critical functions such as banking, communications, air traffic control and law enforcement - together with the rapid growth of international access to the Internet have created new and substantial vulnerabilities, senior intelligence officials maintain.
Until recently, the concept of "information warfare" has been widely dismissed as alarmist rhetoric and viewed as "post-Cold War hysteria" generated by those with an interest in maintaining the vast U.S. intelligence apparatus.
But the potential use of computer networks to undermine public confidence, disrupt essential services, play havoc with the economy or damage military capabilities is now being taken seriously in Washington.
Potential adversaries in 120 countries are gathering information via the Internet about Pentagon computer networks and developing methods of launching untraceable attacks to disable or compromise them, according to the National Security Agency.
"We are rapidly getting to the point where we could conduct warfare by dumping the economic affairs of a nation via computer networks," Sen. John Glenn, D-Ohio, said recently in response to testimony before a hearing on cyber security.
A series of hearings of the Senate Government Affairs Subcommittee on Investigations is shedding new light on the secretive world of cyberspies and hackers and expanding public debate about regulation and policing of the Internet.
According to computer security experts, the Internet has increased security risks not only because it links tens of thousands of computers but also because it has spawned widespread knowledge and interest in computer communications. By establishing standards for computer links, the Internet has provided would-be computer attackers with a standard target.
Banks' computer networks which are used to transfer billions of dollars every day have, for example, typically been based on a mix of old and new communications protocols and computer operating systems. Knowledge of how these networks operate has been limited to a few technical experts, most of them bank employees. This is "security through obscurity' says the chief technology officer of one large US bank.
But as banks convert their systems to modern Internet standards, the number of hackers capable of attacking these networks is expanding.
The potential for disaster may be huge. The vast majority of transactions conducted by banks now flow through computer networks. By one estimate, more than $2 trillion is moved via international wire transfers every day.
Similarly, the air traffic control system is based on outdated - and sometimes unreliable - computers. This, however, makes them relatively invulnerable to intrusion.
When the Federal Aviation Administration upgrades the systems, as planned, "they will become more vulnerable," says Dan Gelber, counsel to the Senate panel who led an eight-month investigation of computer security issues.
Yet the scope for possible threats posed by computer attacks remains difficult to measure, the Senate staff found. Even within most government departments there are few reports of computer breakins and therefore few records of how often computer networks are attacked and to what effect, says Gelber.
Data from a report published last month by the General Accounting Office suggest that Pentagon computers are a frequent target of hackers.
"Hackers have stolen and destroyed sensitive data and software. They have installed `back doors' into computer systems which allow them to surreptitiously regain entry ... They have crashed entire systems and networks," says Jack Brock, a GAO director. "At a minimum, these attacks are a multimillion-dollar nuisance to Defense. At worst, they are a serious threat to national security."
Defense Department computers containing non-classified but sensitive data were attacked approximately 250,000 times last year according to the Defense Information Systems Agency, a Pentagon computer security force. In an estimated 160,000 of these incidents, hackers succeeded in penetrating the computers.
DISA performs "Red Teaming" attacks on Defense Department computers using hacker techniques to test their vulnerability. Of 38,000 attacks conducted over the past three years, 65 percent were successful. But only one out of every 150 successful attacks was detected and reported.
Assessing the risks of hacking in the corporate arena is even more difficult, largely because the attacks are almost always undetected and because companies are reluctant to admit that they've been victims of computer breakins.
A survey conducted by a few leading computer security consultancies found losses of $800 million worldwide last year among clients in the banking and telecommunications industries, with half the losses in the U.S.
Yet FBI records show only one incident in which a U.S. bank lost money due to a computer intrusion - the much publicized 1994 attack on Citibank's cash management network by Russian hackers who are alleged to have stolen about $400,000.
The lack of solid evidence of computer security breaches presents a tricky problem for lawmakers.
"Without reliable threat assessment data, we can neither conduct meaningful risk management nor structure a coherent national response to this issue," says Sen. Sam Nunn, D-Ga., the ranking minority member of the investigations subcommittee who initiated the recent hearings.
There is mounting pressure on Congress to strike a new balance between concern about national security and the rights of people and companies to maintain privacy.
This promises to be a fractious debate. The Clinton administration is already in conflict with software producers who want relaxation of export controls on encryption software. Intelligence agencies want to be able to conduct "wiretaps" on computer communications to catch criminals and terrorists, while businesses say they need encryption to protect electronic commerce.
The net result may be a taming of the Wild West culture of the Internet. But it's not certain whether such measures will improve security or simply create new challenges for determined hackers.
(Distributed by Scripps Howard News Service.)