(2 of 3)
Officials differ about the likelihood that such sabotage could be carried off. But the damage that can be caused by a virus was dramatically illustrated last November, when computer hacker Robert Morris injected a bug into an unclassified Defense Department computer network, Arpanet. The virus reproduced wildly and brought research computers nationwide to a halt. "If someone at NORAD ((North American Aerospace Defense Command)) wanted to do what Robert Morris did at Arpanet, he could cause a lot of damage," says Stephen Walker, former Pentagon director of information systems. A retired senior military computer-security expert goes even further: "The potential for offensive use of viruses is so great that I would have to view the power and magnitude as comparable with that of nuclear or chemical weapons."
With all this in mind, the Government has in recent years stepped up efforts to ensure that all sensitive computers that have links to other systems are adequately protected by encoding equipment. In addition to guarding against assaults by hostile intelligence agencies, this improved encryption program appears to have ended, at least for now, the ability of amateur computer hackers to breach secure military systems.
The KGB does, however, consider hackers an asset in its search for weak points. The West German hackers arrested last month are believed to have broken into some 30 unclassified U.S. defense computers and tried to enter 420 others. According to Clifford Stoll, a computer expert at Harvard who followed their activities for almost a year, they seemed to be assembling a "map" of links between U.S. defense computers and systematically seeking out "unauthorized gateways" into classified systems. Such gateways are created when a computer user has access to both secure and unclassified networks and is careless about keeping them separate. The hackers never did get access to classified information. The reconnaissance they gave the Soviets cannot be fully exploited until the KGB recruits an insider with access to a computer at one of the installations on the hacker's map.
In other words, as in Reilly: Ace of Spies, there is no substitute for a man on the scene. The relative success of computer-security officials in frustrating outside attacks has turned attention to the more serious threat from insiders -- people who have authorized access to defense computers and who sell their services to a foreign government. Such an agent could do enormous damage, either as a spy or a saboteur. "There is a threat, and it's real," says Donald Latham, a former Assistant Secretary of Defense who had | primary responsibility for computer security.
NSA has figures that make the insider threat look soberingly real. An agency log of cases involving computer crime or computer espionage showed that up to 90% of known security breaches are the work of corporate or Government insiders. A 1981 study by NSA security officials estimated that 1 out of every 15,000 military computer key operators had sold or given away classified information in the previous 20 years. Since the military has more than 100,000 key operators at any one time, it could expect to have more than half a dozen security breaches.