A Glitch in Our Computer Thinking: We Create Powerful Systems With Pervasive Vulnerabilities
Our civilization seems to have developed an inherent craving for easy answers, especially regarding technology. In particular, we tend to anthropomorphize computers and endow them with human intelligence--while at the same time we deify them and endow them with infallibility.
There have been innumerable cases in which computer systems have failed to operate as expected, and others in which the systems have operated more or less as expected but people have not. The consequences have included losses--of life, personal well-being, equipment, financial assets, sensitive data and other valuable resources. One of the most serious problems in computer-related systems is the inadequate protection of such valuable resources against unintended or malevolent misbehavior by authorized as well as unauthorized computer users--and against malfunctions of the computer systems.
Various recent attacks on computer systems barely hint at the full extent of the vulnerabilities and the potential damage that could be done by malevolent “hackers” (or “crackers”), and they illustrate a serious problem for which there is no complete solution:
--Recent Pacific Bell experience shows that malevolent attacks are escalating in number and sophistication. The potential exists for intruders to systematically shut down telephone operations both locally and nationwide as well as to make free phone calls, listen in on conversations, gain access to unlisted-number information, alter bills of other users and generally wreak havoc.
--Other recent cracker attacks like the NASA computer break-ins by the Chaos Computer Club in West Germany, along with a flurry of computerized “Trojan horses” and self-propagating “viruses,” exemplify subtle attacks that exploit computer-system vulnerabilities on many different systems.
--Computer-aided financial fraud also appears to be escalating: $260 million in one successful case, with attempts of $70 million and $54 million having recently been serendipitously foiled. As larger and larger transactions become routine, the incentives for fraud will increase. (Although computer checks and balances are generally employed, they can also be subverted.)
--The shooting down of an Iranian Airbus by the American warship Vincennes provides the example of a case in which people must trust inaccurate computer-generated information in a crisis situation. Such misidentification could be globally devastating in a system like “Star Wars.” The possibility of crackers attacking such computer systems adds a significant measure of uncertainty.
--There is also significant potential for violations of civil and constitutional rights and of privacy. Various cases of false arrests resulting from inaccurate computer data or mistaken interpretations of data demonstrate further risks of blindly trusting computers. The global interconnection of data bases with almost instantaneous access worldwide will make possible the tracking of each person’s activities. The potential for a cracker to intrude illicitly on such a network and surreptitiously gather or modify information must also be a concern.
These examples are important in that they illustrate the vulnerability of computer systems and the fallibility of people who employ them. The relative alacrity with which many computer systems can be penetrated--often easily by authorized users, and in some cases almost as easily by unauthorized users--suggests that there is a real problem. Computers and their communications are frequently vulnerable, but they are also limited by the intelligence and wisdom of their developers, administrators and users.
It is a common myth that the complexity of such systems deters malfeasants. In fact, the attackers may understand the system better than many of the defenders. Digital technology is inherently finite--there are only certain possible cases. The number may be large, but often there are shortcuts that eliminate the need to search exhaustively for a needed clue--password, design flaw or code bug.
There are no guaranteed complete solutions that can prevent computer-system malfunctions, intrusions and both accidental and malevolent misuse. But there are prudent measures that can be taken to reduce the risks. Systems that are more soundly designed and implemented would be of some help--unless the intruders can subvert the system and bypass or alter the audit trails. Better laws that circumscribe malevolent hacking and that protect civil and constitutional rights would be of some help, but they cannot compensate for poor systems and poor management. Above all, we must have a computer-literate populace--better educated, better motivated and more socially conscious.
Computer security vulnerabilities are pervasive, but they are not usually evident to the general public. Depending on flawed computer systems will lead only to bigger disasters. Overall, we must work much harder to understand and openly consider the true risks of using computers.