Published: 24.09.2020 10:50
Not yet updated

ANALYSIS & RESEARCH FILES

RESEARCH DOCUMENT /// Cybersecurity : When Hackers Went to the Hill — Revisiting the L0pht Hearings of 1998





Published: Jan 9, 2019


Briefing Book #655


Edited by Rosemary Tropeano


For more information, contact: 202-994-7000 or nsarchiv@gwu.edu


Landmark Senate Hearings Exposed Risks and
Threats That Are Still Being Confronted


Declassified Records Offer Roadmap to Often
Incomplete U.S. Government and Industry Response


Washington, D.C., January 9, 2019 – More than 20 years ago, in May 1998, seven hackers from the
Boston-based “hacker think tank” L0pht Heavy Industries appeared alongside Dr.
Peter Neumann, a private sector expert on computer security, before the Senate
Committee on Governmental Affairs for one of the first-ever[1] Congressional hearings focusing
specifically on cybersecurity. The hearing covered a wide array of topics,
addressing the breadth of challenges posed by cybersecurity rather than
providing a detailed look at any single problem. The Committee held two more hearings
in a series on cybersecurity in 1998, looking at information security in the
Department of Defense, and electronic warfare and cybersecurity within the
Social Security Administration and Veterans Affairs, respectively.


Today, the Cyber Vault project at the National
Security Archive is posting these ground-breaking hearings along with a variety
of subsequent official reports, testimony, and related materials that trace the
evolution of U.S. government and public awareness of and approaches to the challenges,
problems, and threats posed by the world of cyber. These records – a
fraction of the documentation that constitutes the Cyber Vault Library –
have been gathered from Federal agencies, the U.S. Congress, the
courts, and private industry. Together they offer a glimpse into the
scope and complexities of the issues, but also serve as a reminder that many of
the basic security questions raised two decades ago by L0pht and other experts
still lack meaningful answers.


Some of the topics addressed during the first
hearing, like the complications arising from the Y2K problem, have been dealt
with in the intervening 20 years. A number of significant problems, such as
insider threat, remain, though in some cases they have been mitigated, for
example by access control and legal measures.


Other issues discussed during the hearing have
changed context. Problems with mobile phone security are briefly mentioned by
Dr. Neumann during the hearing, specifically the “random interception of Newt
Gingrich’s cell phone call and the recent case of the Secret Service pager
messages, all of which were being routinely intercepted” (7). Though Dr.
Neumann was discussing the use of a radio scanner to record cell phone calls,
mobile device security remains a challenge today. International mobile
subscriber identity (IMSI) catchers, such as Stingray devices, are a problem
currently being addressed by the Department of Homeland Security. IMSI catchers can
be used to track and monitor cellular communications, and threaten the security
of mobile communications.


“Security by design” is also discussed
throughout the hearing, though without the particular name attached. Both Dr.
Neumann and the L0pht hackers describe the unwillingness of software
manufacturers to build security into their products, and the inconsistency in
applying patches to known security flaws. This is a problem
currently endemic in the Internet of Things (IoT). The problem of time to
market described by the L0pht hackers in the hearing has recently been echoed
by the FCC
about software manufacturing and IoT devices.


Similarly, the hearing discusses the
development of cybersecurity standards by the National Institute of Standards
and Technology. NIST has developed a number of these standards
in the past twenty years, along with guidelines
for their use. However, federal agencies are still struggling to implement
these standards. Agencies are also forced to continually
formulate new standards and guidelines to address new cybersecurity challenges,
such as cloud computing.


However, there are a number of cybersecurity
problems covered in the hearing that remain unresolved today. The “going dark
debate,” for example, is a current conversation that is echoed in the
hearing. Much as the hearing describes, law enforcement struggles
with cryptography regimes that do not grant them access to all encrypted
information. Despite cases like the
San Bernardino terrorist attacks
creating controversy over this issue, law
enforcement concerns about access to information impacting
investigations
have never been formally addressed by the U.S. legislature.


Critical infrastructure is another topic from
the hearing that remains a major challenge for the U.S. While some related
issues such as what a response to a cyberattack on the electric grid would
look like
have begun to be addressed, many of the concerns expressed
regarding the insecurity of critical infrastructure remain.
Dr. Neumann and the L0pht hackers describe insecurities in power,
transportation, finance and banking, and telecommunications infrastructure. The
cybersecurity of these sectors, along with several others, has been a specific
focus
for recent administrations.


Finally, the 1998 hearing touches on the
threat posed to the U.S. by state actors. The question posed by the chairman of
the committee about foreign states hiring groups of hackers like the L0pht
think tank has proven to be prescient. Foreign hackers have proven to be a significant
problem, and the focus on cyber threats from the government has increased
over the past few years. One of the specific topics in the hearing, the
security of satellites and satellite communications, has remained out of focus
in the last twenty years, despite increasing risks posed by foreign actors.


DOCUMENTS


Document 01


1998-05-19


Senate
Committee on Governmental Affairs, “Weak Computer Security in Government: Is
the Public at Risk?” Unclassified.


Source: ProQuest Database.


This is the full transcript of the Senate’s
first hearing on cybersecurity featuring the testimony of Dr. Peter Neumann and
the L0pht hackers.


Document 02


1998-05-19


Peter
G. Neumann, Principal Scientist, SRI International, Statement for the Record
for the Senate Committee on Governmental Affairs, “Weak Computer Security in
Government: Is the Public at Risk?” Unclassified.


Source: Senate Committee on Homeland Security and Governmental Affairs.


This is the written testimony of Dr. Peter
Neumann for the first-ever Senate hearing on cybersecurity.


Document 03


1998-05-19


Senator
Fred Thompson, Statement for the Record for the Senate Committee on
Governmental Affairs, “Weak Computer Security in Government: Is the Public at
Risk?” Unclassified.


Source: Senate Committee on Homeland Security and Governmental Affairs.


This is Governmental Affairs Committee Chair Fred
Thompson’s prepared statement for the first-ever Senate hearing on
cybersecurity.


Document 04


1998-06-24


Senate
Committee on Governmental Affairs, “Cyber Attack: Is the Nation at Risk?”
Unclassified.


Source: ProQuest Database.


This is the full transcript of the second in
the 1998 series of hearings on cybersecurity before the Senate Committee on
Governmental Affairs. It focuses primarily on information security in the
Department of Defense.


Document 05


1998-09-23


Senate Committee on Governmental Affairs, “Information
Security.” Unclassified.


Source: ProQuest Database.


This is the full transcript of the third in
the 1998 series of hearings on cybersecurity before the Senate Committee on
Governmental Affairs. It focuses on information security in the Social Security
Administration and Veterans’ Affairs.


Document 06


2000-03-02


Senate
Committee on Governmental Affairs, “Cyber Attack: Is the Government Safe?”
Unclassified.


Source: ProQuest Database.


This is the full transcript of a hearing in
2000 before the Senate Committee on Governmental Affairs on cybersecurity risks
to the U.S. government. It was the first hearing on cybersecurity held by the
committee subsequent to the 1998 series.


Document 07


2013-02-12


The White
House, Executive Order – Improving Critical Infrastructure Cybersecurity,
February 12, 2013. Unclassified.


This executive order is one of the foundations
for modern efforts to improve the cybersecurity of critical infrastructure in
the U.S.


Document 08


2014-10-00


Office of the
Inspector General, United States Department of State and the Broadcasting Board
of Governors, AUD-IT-15-17, Audit of the Department of State Information
Security Program, October 2014. Sensitive but Unclassified.


This document from the Inspector General
reports the findings of an audit of Department of State information security.
State was found to be out of compliance with FISMA, OMB, and NIST standards for
information security, evidencing the difficulties of implementing standards for
cybersecurity in the federal government.


Document 09


2015-09-08


Congressional
Research Service, Encryption and Evolving Technology: Implications for U.S. Law
Enforcement Investigations, September 8, 2015. Unclassified.


This report from the Congressional Research
Service details the challenges that law enforcement agencies must grapple with
due to rapidly-evolving encryption technologies.


Document 10


2015-10-21


Government Accountability
Office, Statement of Gregory C. Wilshusen, Cybersecurity of the Nation’s
Electricity Grid Requires Continued Attention. October 21, 2015. Unclassified.


This statement from the GAO revisits findings
from a 2011 GAO report regarding the cybersecurity of the electric grid, and
discusses actions taken between 2011 and 2015 to reduce the grid’s
vulnerability.


Document 11


2016-03-00


National
Institute of Standards and Technology, Guideline for using Cryptographic
Standards in the Federal Government: Cryptographic Mechanisms, March 2016.
Unclassified.


This document provides guidance on how
encryption can be utilized to secure unclassified Federal data.


Document 12


2016-03-18


Department
of Defense, Department of Defense Cloud Computing Security Requirements Guide
Version 1 Release 2, March 18, 2016. Unclassified.


This document provides guidance for the secure
implementation of cloud computing within the Department of Defense.


Document 13


2016-04-11


Richard
Campbell, Congressional Research Service, Subject: Testimony – Blackout! Are We
Prepared to Manage the Aftermath of a Cyber-Attack or Other Failure of the
Electrical Grid? April 11, 2016. Unclassified.


This statement from the Congressional Research
Service details both the risk posed to the electric grid by cyberattacks, as
well as the coordination needed between industry and government for recovery.


Document 14


2016-06-00


House
Homeland Security Committee, Going Dark, Going Forward: A Primer on the
Encryption Debate. June 2016. Unclassified.


This study provides an overview of the various
facets of the “going dark” debate and how encryption affects law enforcement
investigations. It also addresses economic concerns, encryption in foreign
nations, and the absence of simple solutions.


Document 15


2016-09-00


David
Livingstone and Patricia Lewis, Chatham House, Space, The Final Frontier for
Cybersecurity? September 2016. Not classified. (Used with permission)


This study discusses the cybersecurity threats
to satellite systems, as well as technical aspects of those threats.


Document 16


2016-11-00


New
York County District Attorney, “Report of the Manhattan District
Attorney’s Office on Smartphone Encryption and Public Safety: An Update to the
November 2015 Report”, November 2016. Unclassified. 


This report is part of an annual series on the
impact of smartphone encryption on public safety and law enforcement in New
York City. It provides a law enforcement perspective on the “going dark”
debate.


Document 17


2016-11-07


Keith
Stouffer and Jim McCarthy, National Institute of Standards and Technology,
Capabilities Assessment for Securing Manufacturing Industrial Control Systems,
Draft, November 7, 2016. Unclassified.


This draft paper discusses the establishment
of a variety of capabilities that would increase the ability of manufacturers
to detect cyberattacks on industrial control systems.


Document 18


2017-01-18


Federal
Communications Commission, Cybersecurity Risk Reduction, January 18, 2017.
Unclassified.


This report from the FCC describes various
lines of effort undertaken by the FCC regarding cybersecurity risk reduction.
Of particular relevance to the L0pht testimony are the discussions of security
by design challenges and efforts by the FCC to combat these.


Document 19


2017-04-00


United
States Department of Homeland Security, Study on Mobile Device Security, April
2017. Unclassified.


This study reports on security threats to
mobile devices for government users and networks.


Document 20


2017-05-11


Daniel
R. Coats, Director of National Intelligence, Statement for the Record,
Worldwide Threat Assessment of the US Intelligence Community, May 11, 2017.
Unclassified.


This statement from the Director of National
Intelligence provides an intelligence community perspective on the
cybersecurity threats faced by the U.S., including by foreign state actors.


Document 21


2017-06-13


Samantha
Ravich, Foundation for the Defense of Democracies, Testimony before Senate
Foreign Relations Subcommittee on East Asia, the Pacific, and International
Cybersecurity, “State Sponsored Cyberspace Threats: Recent Incidents and
U.S. Policy Response,” June 13, 2017. Unclassified.


This statement discusses the threat of state
sponsored cyberattacks, including those by China and North Korea, as well as
U.S. policy responses to those attacks.


Document 22


2017-06-17


Office
of the Director of National Intelligence, “Federal Partner Access to
Intelligence Community Information Technology Systems,” June 16, 2017.
Unclassified.


This document establishes the process by which
federal agencies outside of the intelligence community can gain access to
information on IC networks, in other words outlining a form of access control.


Document 23


2017-09-00


National
Institute of Standards and Technology, Enhancing Resilience of the Internet and
Communications Ecosystem, September 2017. Unclassified.


This report documents a NIST workshop by the
same name. Included among the topics at the workshop were the problems posed by
the insecurity of many IoT devices and the need to increase ecosystem security
and resilience.


Document 24


2018-03-00


United
States Department of Justice Office of the Inspector General, A Special Inquiry
Regarding the Accuracy of FBI Statements Concerning its Capabilities to Exploit
an iPhone Seized During the San Bernardino Terror Attack Investigation, March
2018. Unclassified.


This document reports the findings of an
investigation into the accuracy of FBI testimony to Congress in light of
allegations about Bureau capability to unlock the iPhone of San Bernardino
attacker Syed Rizwan Farook. It provides context for some of the complications
surrounding the “going dark” debate.


Document 25


2018-04-16


National
Institute of Standards and Technology, “Framework for Improving Critical
Infrastructure Cybersecurity, Version 1.1”, April 16, 2018. Unclassified.


This document provides the finalized version
of NIST’s framework for improving critical infrastructure cybersecurity.


Document 26


2018-05-22


Christopher
Krebs, Department of Homeland Security, “Krebs Letter to Wyden After May
Meeting”, May 22, 2018. Unclassified.


This letter from Christopher Krebs discusses
the presence of IMSI catcher devices in the National Capital Region, with brief
mention of efforts by NPPD to address the problem.


Document 27


2018-08-14


United States v. Winner – Government’s Sentencing Memorandum in the United States
District Court for the Southern District of Georgia. August 14, 2018.


This memorandum on the sentencing of Reality
Winner is the most recent document from a prominent case about the leaking of
IC information on cybersecurity threats. The government response to leaks like
these is one piece of a regime designed to mitigate insider threat.



[1]. Though the L0pht hearing is often cited as the first to be held
on cybersecurity, Congress had previously held narrowly scoped hearings on
specific computer security issues. The L0pht hearing was the first on the need
to address broader cybersecurity challenges.