
interview: martha stansell-gamm


As Chief of the Justice Department's Computer Crime and Intellectual Property Section, she is in charge of investigations and prosecutions, law enforcement training, legislation, international work, and advising the federal sector on a broad range of information-technology issues. She has worked on more hacker cases than any other federal prosecutor.

The hacker phenomenon keeps raising in my mind the question of whether or not hackers are a problem, or a symptom of an intrinsic problem in this whole new technology.

And the intrinsic problem would be the security of the network?

The security of the network, the universal accessibility of it and the democracy of it.

Okay. Well, if you ask me which is it, my answer is yes, it's both.

. . . It's important to understand that networks, like streets, like automobiles, are never going to be perfectly secure. We want them to be as secure as they can be and that's rational; that's a reasonable expectation. But we then introduce people into that environment. And, you know, people break into houses. People break into banks. And they steal things, and it's very clear to the society that that's not permitted, that's not okay. And I think we need to inculcate the same ethic into technology users. It's not okay to do things just because it's possible, just because we can.

What about the argument that hackers are kind of like the Ralph Naders vis-à-vis the automobile industry, pointing out weaknesses that we should know about?

I hear that argument a lot, and I have to say that I think it's a very silly one. It seems to me that thanking hackers who violate the privacy of networks or network users for pointing out to us our vulnerabilities is a little bit like sending thank-you notes to burglars for pointing out the infirmity of our physical alarms. That's silly.

. . . If these folks are really trying to assist with network security, then what I suggest is that they get a job with somebody who's working on that problem or study in a university and write papers on that problem, and offer your solutions to the community. . . .

Is it true that prosecutors and law enforcement people are finding that a lot of private sector interests are reluctant to complain about the fact that they'd been hacked?

You're right that this is clearly an underreported crime, there's no doubt about that. I think there are a lot of reasons for that. First of all, I'm not sure that these crimes are always or even frequently detected. That's a harder technological problem than it seems. Second, I think that the people who are working on system security have a tendency, because it's their discipline, to view hackers as a technological problem with technological solutions. They don't naturally think about turning to other specialists like law enforcement to assist them in securing their system. And third, there's no doubt that some victims are concerned about competitive disadvantage if a certain incident becomes known. . . .

Is the public sector sufficiently involved in this whole area? Does it have a sufficient handle on it, or is it too much under the control of the private sector . . . ?

No, it's not too much under the control of the private sector. It makes absolute sense for the private sector to have a great deal of control over a problem like this. The networks are primarily owned by them, so it only makes sense that they would have enormous responsibility in control.

But you could say the same thing about the railroads and the airlines and the telephone companies.

Indeed. I think that we're still experiencing this. As a society, I don't think we know for sure what all the answers are going to be. What is clear to me is that, whatever your perspective on the problem--whether one is in a private sector or law enforcement or intelligence communities or war fighters or whatever--that we're going to solve the problem best if we focus on our piece of the responsibility and control. So our goal in law enforcement is to train prosecutors and agents so they are very able to handle these kinds of cases. . . .

From your experience, what has been the worst situation you have seen?

. . . Certainly one of the worst cases, in my opinion, is a case that significantly threatened public safety, and that was a hacking case on the telephone network in the Boston area several years ago.

What happened?

What happened was the phones went down in Worcester, Massachusetts, for something like six hours all over town. The communications went out from the regional airport. And apparently, the airport used the communication system not only to make phone calls, but used it to communicate with incoming aircraft, and in fact that was how the aircraft turned on the runway lights as they approached the airport. So it was a horrible potential consequence for public safety. There were no crashes. As I understand it, nobody tried to call 911 while having a heart attack. But those kinds of damages are certainly foreseeable, and all of this damage resulted from a couple of high school students who were hacking telephone switches, which are, of course, computers.

How much of the blame for vulnerability lies in the manufacturing of software, in the tendency to minimize security as a factor?

Well, I'm not in the blame business. I'd rather recast the question a little bit and say, "If we have opportunities for doing it better, where are they and what do they cost?" Writing software is hard, especially the kinds of software programs that we want to buy now. There are thousands and thousands of lines of programming code--probably more--and these software applications are interacting with operating system software, and so there are levels of application. How all of these fit together is tremendously complicated.

So, first of all, it's not an easy problem to solve. Second, to the extent that our software is vetted and perfect and bug-free, somebody is going to be paying for that. It makes the software more expensive. Is the public willing to pay to buy more expensive software if a greater part of the emphasis goes from designing the software to ensuring that there aren't intended unintended security consequences?

But isn't this one of those areas where people in the public sector shake the big stick and say, "Cost is the secondary consideration. You have to make it safer, and you have to pay more for it."

That's certainly one possibility, but it's probably one of last resort. There are some other ways that we have in our culture for straightening out relative liability and risk and a lot of that is in private litigation. You know, companies are perfectly able to sue manufacturers if they feel that they've been sold a product that's deficient in some way. And I'm not recommending that, of course. But they certainly know how to get recourse. There's also an insurance angle. As we become more understanding of the negative possibilities in these communication systems, I think a lot of companies are beginning to look to insure risks and liabilities. . . .

It seems to me that it's probably way too early in our understanding of the problem for government to come crashing in and say, "Okay, we know how this ought to operate. We're going to write the rules and we're going to tell you what all of this needs to look like." It's a little uncomfortable, but I think we need to live this out a little bit and find our answers. . . .

What does an individual with a little PC and an internet account do to protect the Social Security number and the various other personal data? And what does a corporation or a company do to install appropriate firewalls?

. . . If you are going to navigate in the internet world, you don't have to be an engineer, but it is smart to understand something about how the communication system operates. There are different ways of connecting to the internet. Some are faster. Some are more secure. Some have more controls. . . . What I would suggest is, "Don't just look at fast, don't just look at cheap. Also look at safe." This will require you to get a little familiar with the technology. . . . Do a little bit of reading, and talk to friends who are technologically sophisticated, and get some good advice about privacy and security on networks.

If you are a company and you have financial reasons for wanting to secure your network, then it's very, very important to think about personnel security and some background checks. The cheapest contractor may not be the most secure contractor. There are trade-offs in all of these decisions that we make. . . .

How do you quantify this problem of vulnerability on the internet?

It's big. It's deep. It's wide. It has many facets, and there are no comprehensive empirical studies. . . . But we do have some numbers. We have watched the internet double every year for the last nine or ten years. And reports to law enforcement--although we know this is a very under-reported crime--are certainly keeping pace with that. . . . We also know, because we're hearing that the seriousness of these cases is growing larger. There's more economic damage. The victims are screaming that this is painful for them.

There are also some interesting numbers that were produced by the Department of Defense. . . . The DOD . . . tests the security of its own network by "red teaming" or "tiger teaming" it. Industry is increasingly doing this as well. They have hackers--good hackers who follow the rules--trying to hack into their own networks. . . . One pretty steady figure is that they're able, over the course of a week, to get into about 88 percent of them. And keep in mind that, in doing this, DOD is not writing elaborate hacker code. . . . They're not diving through dumpsters looking through phonebooks. They are using tools, hacking tools, which are accessible from the Net--garden variety, nothing exotic. And they have been able, over some span of years, to get in about 88 percent of the time.

Once they get in, they watch to see what percentage of the system administrators know they're there. That number has varied over the years, but my understanding is it is quite low--something on the order of three or four or five percent of system administrators know that the system has been penetrated. Of the system administrators who know that the system has been violated, something like 25 percent of those report it up their chain to a law enforcement agency. So if you do the math, if those numbers are accurate at all and if we can extrapolate from them, every reported intrusion within DOD represents something like 150 unreported intrusions. . . .

We keep hearing Osama bin Laden's name mentioned in the context of hacking and vulnerability to international terrorism. Is this real?

It is real. It's a rational concern. Look at how easy it is for people who are not tremendously skillful and don't have a lot of resources to affect our communications networks, to steal information, to get root control, to shut things down. It doesn't take a great intuitive leap to assume that this could be employed for other purposes. . . .

FRONTLINE · wgbh · pbs online

some photos copyright ©2001 photodisc
web site copyright 1995-2014 WGBH educational foundation