Hacker attacks, other abuse continue to rise

Computer systems abuse from insiders and outsiders plagues federal agencies creating mounting financial losses according to an annual survey released last week.

More than 50 percent of the 82 federal agencies surveyed reported that their computer systems were accessed by unauthorized individuals last year according to a study jointly conducted by the FBI and the Computer Security Institute (CSI) San Francisco. Those figures show an 11 point increase from 1995 figures when 39 percent of the 77 agencies surveyed confirmed unauthorized usage.

The majority of attacks or misuse resulted from viruses insider abuse of Internet privileges laptop theft unauthorized access by insiders and system penetration according to the survey.

Reported attacks and misuse of systems in the government were higher than incidents reported in the private sector. Most attacks - which include system penetration sabotage and financial fraud - on government systems resulted from Internet access which reverses the trend of agency employees as the most likely source of these types of attacks said Richard Power an analyst at CSI. FBI officials could not be reached for comment.

"The conventional wisdom has always been that 80 percent of the problem is insiders and 20 percent of the problem is outside " Power said. "If you had looked at the [survey] numbers a few years ago they would have been turned around. The difference is the Internet. This indicates that at least for government there are a lot more people trying to get in."

More than 62 percent of 47 federal agencies responding said the Internet was a frequent origin of attack while 40 percent cited internal access as a frequent origin of attack. Remote access was cited by 25 percent of the respondents.

The cost of these breaches also is increasing. Thirty-four agencies reported that these security breaches resulted in $1.5 million in financial losses according to the survey. This figure probably represents only the "tip of the iceberg " Power said because only three-quarters of the 45 agencies that reported unauthorized use or attacks quantified their losses.

In addition Power said that because many attacks and abuses go unnoticed many of the agencies that reported no unauthorized use probably had suffered some losses.

The Air Force is one agency that appears to be making progress against security breaches. According to recent Air Force Computer Emergency Response Team statistics the number of Air Force hacking incidents decreased to 47 in 1996 compared with 84 in 1995 and the number of intrusions decreased to 20 in 1996 from 26 in 1995. Attacks from computer viruses however jumped to 896 in 1996 from 583 a year earlier.

According to Maj. Gen. Michael Hayden commander of the Air Force Air Intelligence Agency (AIA) hackers are shying away from Air Force sites because the agency has demonstrated its ability to track and prosecute them. Of 111 Air Force bases 104 have fully operational automatic intrusion detection systems and the remaining bases will have systems within weeks he said.

The solution to federal agency - and private-sector - security breaches is better training Power said.Capt. Philip Ray director of the Navy's Information Warfare/Command and Control Division said his office is pushing for increased security training for network administrators.

"Everybody thinks that technology is going to solve the problem. To realize true security you have to bring the work force along. It's a cultural change " Ray said.