The hacker phenomenon keeps raising in my mind the question of whether or
not hackers are a problem, or a symptom of an intrinsic problem
in this whole new technology.
As Chief of the Justice Department's Computer Crime and Intellectual Property Section, she is in charge of investigations and
prosecutions, law enforcement training, legislation, international work, and
advising the federal sector on a broad range of information - technology issues.
She has worked on more hacker cases than any other federal prosecutor.
And the intrinsic problem would be the security of the network?
The security of the network, the universal accessibility of it and the
democracy of it.
Okay. Well, if you ask me which is it, my answer is yes, it's both.
. . . It's important to understand that networks, like streets, like
automobiles, are never going to be perfectly secure. We want them to be as
secure as they can be and that's rational; that's a reasonable expectation. But
we then introduce people into that environment. And, you know, people break
into houses. People break into banks. And they steal things, and it's very
clear to the society that that's not permitted, that's not okay. And I think we
need to inculcate the same ethic into technology users. It's not okay to do
things just because it's possible, just because we can.
What about the argument that hackers are kind of like the Ralph Naders vis-à-vis the automobile industry, pointing out weaknesses that we should know
I hear that argument a lot, and I have to say that I think it's a very silly
one. It seems to me that thanking hackers who violate the privacy of networks
or network users for pointing out to us our vulnerabilities is a little bit
like sending thank-you notes to burglars for pointing out the infirmity of our
physical alarms. That's silly.
. . . If these folks are really trying to assist with network security, then
what I suggest is that they get a job with somebody who's working on that
problem or study in a university and write papers on that problem, and offer
your solutions to the community. . . .
Is it true that prosecutors and law enforcement people are finding that a
lot of private sector interests are reluctant to complain about the fact that
they'd been hacked?
You're right that this is this is clearly an underreported crime, there's no
doubt about that. I think there are a lot of reasons for that. First of all,
I'm not sure that these crimes are always or even frequently detected. That's a
harder technological problem than it seems. Second, I think that the people
who are working on system security have a tendency, because it's their
discipline, to view hackers as a technological problem with technological
solutions. They don't naturally think about turning to other specialists like
law enforcement to assist them in securing their system. And third, there's no
doubt that some victims are concerned about competitive disadvantage if a
certain incident becomes known. . . .
Is the public sector sufficiently involved in this whole area? Does it have
a sufficient handle on it, or is it too much under the control of the private
sector . . . ?
No, it's not too much under the control of the private sector. It makes
absolute sense for the private sector to have a great deal of control over a
problem like this. The networks are primarily owned by them, so it only makes
sense that they would have enormous responsibility in control.
But you could say the same thing about the railroads and the airlines and
the telephone companies.
Indeed. I think that we're still experiencing this. As a society, I don't think
we know for sure what all the answers are going to be. What is clear to me is
that, whatever your perspective on the problem--whether one is in a private
sector or law enforcement or intelligence communities or war fighters or
whatever--that we're going to solve the problem best if we focus on our piece
of the responsibility and control. So our goal in law enforcement is to train
prosecutors and agents so they are very able to handle these kinds of cases. .
From your experience, what has been the worst situation you have
. . . Certainly one of the worst cases, in my opinion, is a case that
significantly threatened public safety, and that was a hacking case on the
telephone network in the Boston area several years ago.
What happened was the phones went down in Worcester, Massachusetts, for
something like six hours all over town. The communications went out from the
regional airport. And apparently, the airport used the communication system not
only to make phone calls, but used it to communicate with incoming aircraft,
and in fact that was how the aircraft turned on the runway lights as they
approached the airport. So it was a horrible potential consequence for public
safety. There were no crashes. As I understand it, nobody tried to call 911
while having a heart attack. But those kinds of damages are certainly
foreseeable, and all of this damage resulted from a couple of high school
students who were hacking telephone switches, which are, of course, computers.
How much of the blame for vulnerability lies in the manufacturing of
software, in the tendency to minimize security as a factor?
Well, I'm not in the blame business. I'd rather recast the question a little
bit and say, "If we have opportunities for doing it better, where are they and
what do they cost?" Writing software is hard, especially the kinds of software
programs that we want to buy now. There are thousands and thousands of lines of
programming code--probably more--and these software applications are
interacting with operating system software, and so there are levels of
application. How all of these fit together is tremendously complicated.
So, first of all, it's not an easy problem to solve. Second, to the extent that
our software is vetted and perfect and bug-free, somebody is going to be paying
for that. It makes the software more expensive. Is the public willing to pay to
buy more expensive software if a greater part of the emphasis goes from
designing the software to ensuring that there aren't intended unintended
But isn't this one of those areas where people in the public sector shake
the big stick and say, "Cost is the secondary consideration. You have to make
it safer, and you have to pay more for it."
That's certainly one possibility, but it's probably one of last resort. There
are some other ways that we have in our culture for straightening out relative
liability and risk and a lot of that is in private litigation. You know,
companies are perfectly able to sue manufacturers if they feel that they've
been sold a product that's deficient in some way. And I'm not recommending
that, of course. But they certainly know how to get recourse. There's also an
insurance angle. As we become more understanding of the negative possibilities
in these communication systems, I think a lot of companies are beginning to
look to insure risks and liabilities. . . .
It seems to me that it's probably way too early in our understanding of the
problem for government to come crashing in and say, "Okay, we know how this
ought to operate. We're going to write the rules and we're going to tell you
what all of this needs to look like." It's a little uncomfortable, but I think
we need to live this out a little bit and find our answers. . . .
What does an individual with a little PC and an internet account do to
protect the Social Security number and the various other personal data? And
what does a corporation or a company do to install appropriate firewalls?
. . . If you are going to navigate in the internet world, you don't have to be
an engineer, but it is smart to understand something about how the
communication system operates. There are different ways of connecting to the
internet. Some are faster. Some are more secure. Some have more controls. . . .
What I would suggest is, "Don't just look at fast, don't just look at cheap.
Also look at safe." This will require you to get a little familiar with the
technology. . . . Do a little bit of reading, and talk to friends who are
technologically sophisticated, and get some good advice about privacy and
security on networks.
If you are a company and you have financial reasons for wanting to secure your
network, then it's very, very important to think about personnel security and
some background checks. The cheapest contractor may not be the most secure
contractor. There are trade-offs in all of these decisions that we make. . . .
How do you quantify this problem of vulnerability on the internet?
It's big. It's deep. It's wide. It has many facets, and there are no
comprehensive empirical studies. . . . But we do have some numbers. We have
watched the internet double every year for the last nine or ten years. And
reports to law enforcement--although we know this is a very under-reported
crime--are certainly keeping pace with that. . . . We also know, because we're
hearing that the seriousness of these cases is growing larger. There's more
economic damage. The victims are screaming that this is painful for
There are also some interesting numbers that were produced by the Department of
Defense. . . . The DOD . . . tests the security of its own network by "red
teaming" or "tiger teaming" it. Industry is increasingly doing this as well.
They have hackers--good hackers who follow the rules--trying to hack into their
own networks. . . . One pretty steady figure is that they're able, over the
course of a week, to get into about 88 percent of them. And keep in mind that,
in doing this, DOD is not writing elaborate hacker code. . . . They're not
diving through dumpsters looking through phonebooks. They are using tools,
hacking tools, which are accessible from the Net--garden variety, nothing
exotic. And they have been able, over some span of years, to get in about 88
percent of the time.
Once they get in, they watch to see what percentage of the system
administrators know they're there. That number has varied over the years, but
my understanding is it is quite low--something on the order of three or four or
five percent of system administrators know that the system has been penetrated.
Of the system administrators who know that the system has been violated,
something like 25 percent of those report it up their chain to a law
enforcement agency. So if you do the math, if those numbers are accurate at all
and if we can extrapolate from them, every reported intrusion within DOD
represents something 150 unreported intrusions. . . .
We keep hearing Osama bin Laden's name mentioned in the content of hacking
and vulnerability to international terrorism. Is this real?
It is real. It's a rational concern. Look at how easy it is for people who are
not tremendously skillful and don't have a lot of resources to affect our
communications networks, to steal information, to get root control, to shut
things down. It doesn't take a great intuitive leap to assume that this could
be employed for other purposes. . . .
home · who are hackers? · risks of the internet · who's responsible · how to be vigilant · interviews
discussion · video excerpts · synopsis · press · tapes · credits
FRONTLINE · wgbh · pbs online
some photos copyright ©2001 photodisc
web site copyright 1995-2014
WGBH educational foundation