|image: Los Alamos Natl Lab|
Following the arrest late last year of Los Alamos National Laboratory scientist Wen Ho Lee and the more recent disappearanceand then reappearanceof two hard drives with classified nuclear weapons information from the same lab, computer security is on everyones mind. The Department of Energys (DOE) reaction has been to crack down on security at all national labs, regardless of the nature of their research.
While the DOE maintains that this is a necessary measure as protection from ever more sophisticated hackers, some scientists may find it an overreaction that hampers their research.
Information for everyone?
On the one hand, the Internet has opened up vast possibilities for researchers by allowing them to post data on publicly-accessible domains. They have quick access to material that used to take months to appear in scientific journalsif it appeared at all. But the DOEs mandate may threaten this golden age of data information.
Donald Fleming, Chief Information Officer at Brookhaven National Laboratory, says that his lab has been devoting a lot of attention to computer security regardless of the DOE concern. "We are concerned about the integrity of our scientific research data," he says. "It is true that these other events have lended some additional emphasis and urgency to addressing cybersecurity issues."
But its not just the threat of data theft or even carelessness with data within the labs that is cousing concern. Like all government labs, Brookhaven may be a target for hackers just because it has "dot-gov" in its name.
|This graph shows the number of website defacements each month from January of 1999 (left) to May 2000 (right). The number of defacements ranges from zero (lowest) to 700 (top).|
"The bad guys range from at the bottom of the totem polewhat we call script kiddies," says Flemming, "up to people in universities that have fairly sophisticated ways of attacking insitutions, and finally governments that are sponsoring things like trying to obtain commercial secrets and understand things about our defense programs and so forth."
It is possibly the script kiddiesschool-age children who break into computer systems for the thrill of it, often with programming that is simply copied from websitesthat have really brought the issue of hacking back to the forefront, what with recent high profile attacks on sites like Yahoo!, CNN and E-trade. According to attrition.org, there were more that 3,500 website defacements (1) in 1999, and the figure is on pace to double this year.
At cross purposes
The term "hacker" didnt start out with a negative connotation. It started at the Massachusetts Institute of Technology and originally meant someone who was very skilled in computers and able to manipulate their programs. But because knowledge is power, some of these experts eventually turned their talents to criminal activity.
By the time the Computer Fraud and Abuse Act was passed in 1986, hacking was serious business. The Computer Emergency Response Team, based at Carnegie-Mellon University, was formed in 1988 to investigate the growing number of attacks on computer networks.
Recently, the System Administration Networking and Security (SANS) Institute released a list of the "Ten Most Critical Internet Security Threats" in the hopes of giving system administrators a hand with security. Somes notorious hackers, such as Kevin Mitnick, have attempted to turn their expertise around to help companies strengthen security, but some consider trusting such individuals too risky.
Brookhaven scientists work with other researchers from all over the world, and until now, security has been relatively low. But Fleming says that is changing, and that Brookhaven is taking steps to significantly increase its security. Collaborative research and computer security, however, may be mutually exclusive.
"Scientific researchthe collaborative research environmentis premised on openness, and security is premised on restricted access, and those two are in tension with each other," says Fleming. "And what you are forced to do is to make tradeoffs between openness and access in order to address your security requirements."
To address these concerns, Brookhaven hosted a two-day conference beginning yesterday on computer security and open research. Participants included not only scientists, but also cybersecurity experts from the commercial sector.
In a way, its a shame that resources now being devoted to computer security are being diverted away from developing better products and research, Fleming says. But that may be the price society has to pay to travel on the information superhighway.
(1) - Attrition defines "defacements" as the unauthorized modification of the default-displayed webpage. They dont archive home pages (too hard to separate the hoaxes from the real thing), sub-pages (ditto), or free sites (ditto). They have to verify it, the exception being sites that have been defaced and widely reported. And so, Attrition does not track computer crime (unauthorized penetration of a site) per se, but a very specific sort of crime that is, for obvious reasons, verifiable.
Elsewhere on the web:
Computer Security Information from the Center for Information Technology
Computer Security News Daily
Computer Security Resource Clearinghouse
Journal of Computer Security
The Hacker Quarterly
Hackers Hall of Fame
The Hackers Home Page