Landmark Senate Hearings Exposed Risks and Threats That Are Still Being Confronted
Declassified Records Offer Roadmap to Often Incomplete U.S. Government and Industry Response
Washington, D.C., January 9, 2019 – More than 20 years ago, in May 1998, seven hackers from the Boston-based “hacker think tank” L0pht Heavy Industries, appeared alongside Dr. Peter Neumann, a private sector expert on computer security, before the Senate Committee on Governmental Affairs for one of the first-ever[1] Congressional hearings focusing specifically on cybersecurity. The hearing covered a wide array of topics, addressing the breadth of challenges posed by cybersecurity rather than providing a detailed look at any single problem. The Committee held two more hearings in a series on cybersecurity in 1998, looking at information security in the Department of Defense, and electronic warfare and cybersecurity within the Social Security Administration and Veterans Affairs, respectively.
Today, the Cyber Vault project at the National Security Archive is posting these ground-breaking hearings along with a variety of subsequent official reports, testimony, and related materials that trace the evolution of U.S. government and public awareness of and approaches to the challenges, problems, and threats posed by the world of cyber. These records – a fraction of the documentation that constitutes the Cyber Vault Library – have been gathered from Federal agencies, the U.S. Congress, the courts, and private industry. Together they offer a glimpse into the scope and complexities of the issues, but also serve as a reminder that many of the basic security questions raised two decades ago by L0pht and other experts still lack meaningful answers.
Some of the topics addressed during the first hearing, like the complications arising from the Y2K problem, have been dealt with in the intervening 20 years. A number of significant problems, such as insider threat, remain, though in some cases they have been mitigated, for example by access control and legal measures.
Other issues discussed during the hearing have changed context. Problems with mobile phone security are briefly mentioned by Dr. Neumann during the hearing, specifically the “random interception of Newt Gingrich’s cell phone call and the recent case of the Secret Service pager messages, all of which were being routinely intercepted” (7). Though Dr. Neumann was discussing the use of a radio scanner to record cell phone calls, mobile device security remains a challenge today. International mobile subscriber identity (IMSI) catchers, such as Stingray devices, are a problem currently being addressed by the Department of Homeland Security. IMSI catchers can be used to track and monitor cellular communications, and threaten the security of mobile communications.
“Security by design” is also discussed throughout the hearing, though without the particular name attached. Both Dr. Neumann and the L0pht hackers describe the unwillingness of software manufacturers to build security into their products, and the inconsistency in applying patches to known security flaws. This is a problem currently endemic in the Internet of Things (IoT). The problem of time to market described by the L0pht hackers in the hearing has recently been echoed by the FCC about software manufacturing and IoT devices.
Similarly, the hearing discusses the development of cybersecurity standards by the National Institute of Standards and Technology. NIST has developed a number of these standards in the past twenty years, along with guidelines for their use. However, federal agencies are still struggling to implement these standards. Agencies are also forced to continually formulate new standards and guidelines to address new cybersecurity challenges, such as cloud computing.
However, there are a number of cybersecurity problems covered in the hearing that remain unresolved today. The “going dark debate,” for example, is a current conversation that is echoed in the hearing. Much as the hearing describes, law enforcement struggles with cryptography regimes that do not grant them access to all encrypted information. Despite cases like the San Bernardino terrorist attacks creating controversy over this issue, law enforcement concerns about access to information impacting investigations have never been formally addressed by the U.S. legislature.
Critical infrastructure is another topic from the hearing that remains a major challenge for the U.S. While some related issues such as what a response to a cyberattack on the electric grid would look like have begun to be addressed, many of the concerns expressed regarding the insecurity of critical infrastructure remain. Dr. Neumann and the L0pht hackers describe insecurities in power, transportation, finance and banking, and telecommunications infrastructure. The cybersecurity of these sectors, along with several others, has been a specific focus for recent administrations.
Finally, the 1998 hearing touches on the threat posed to the U.S. by state actors. The question posed by the chairman of the committee about foreign states hiring groups of hackers like the L0pht think tank has proven to be prescient. Foreign hackers have proven to be a significant problem, and the focus on cyber threats from the government has increased over the past few years. One of the specific topics in the hearing, the security of satellites and satellite communications, has remained out of focus in the last twenty years, despite increasing risks posed by foreign actors.
Document 01
1998-05-19
Source: ProQuest Database.
This is the full transcript of the Senate’s first hearing on cybersecurity featuring the testimony of Dr. Peter Neumann and the L0pht hackers.
Document 02
1998-05-19
Source: Senate Committee on Homeland Security and Governmental Affairs.
This is the written testimony of Dr. Peter Neumann for the first-ever Senate hearing on cybersecurity.
Document 03
1998-05-19
Source: Senate Committee on Homeland Security and Governmental Affairs.
This Governmental Affairs Committee Chair Fred Thompson’s prepared statement for the first-ever Senate hearing on cybersecurity.
Document 04
1998-06-24
Senate Committee on Governmental Affairs, “Cyber Attack: Is the Nation at Risk?” Unclassified.
Source: ProQuest Database.
This is the full transcript of the second in the 1998 series of hearings on cybersecurity before the Senate Committee on Governmental Affairs. It focuses primarily on information security in the Department of Defense.
Document 05
1998-09-23
Senate Committee on Governmental Affairs, “Information Security.” Unclassified.
Source: ProQuest Database.
This is the full transcript of the third in the 1998 series of hearings on cybersecurity before the Senate Committee on Governmental Affairs. It focuses on information security in the Social Security Administration and Veterans’ Affairs.
Document 06
2000-03-02
Senate Committee on Governmental Affairs, “Cyber Attack: Is the Government Safe?” Unclassified.
Source: ProQuest Database.
This is the full transcript of a hearing in 2000 before the Senate Committee on Governmental Affairs on cybersecurity risks to the U.S. government. It was the first hearing on cybersecurity held by the committee subsequent to the 1998 series.
Document 07
2013-02-12
This executive order is one of the foundations for modern efforts to improve the cybersecurity of critical infrastructure in the U.S.
Document 08
2014-10-00
This document from the Inspector General reports the findings of an audit of Department of State information security. State was found to be out of compliance with FISMA, OMB, and NIST standards for information security, evidencing the difficulties of implementing standards for cybersecurity in the federal government.
Document 09
2015-09-08
This report from the Congressional Research Service details the challenges that law enforcement agencies must grapple with due to rapidly-evolving encryption technologies.
Document 10
2015-10-21
This statement from the GAO revisits findings from a 2011 GAO report regarding the cybersecurity of the electric grid, and discusses actions taken between 2011 and 2015 to reduce the grid’s vulnerability.
Document 11
2016-03-00
This document provides guidance on how encryption can be utilized to secure unclassified Federal data.
Document 12
2016-03-18
This document provides guidance for the secure implementation of cloud computing within the Department of Defense.
Document 13
2016-04-11
This statement from the Congressional Research Service details both the risk posed to the electric grid by cyberattacks, as well as the coordination needed between industry and government for recovery.
Document 14
2016-06-00
This study provides an overview of the various facets of the “going dark” debate and how encryption affects law enforcement investigations. It also addresses economic concerns, encryption in foreign nations, and the absence of simple solutions.
Document 15
2016-09-00
This study discusses the cybersecurity threats to satellite systems, as well as technical aspects of those threats.
Document 16
2016-11-00
This report is part of an annual series on the impact of smartphone encryption on public safety and law enforcement in New York City. It provides a law enforcement perspective on the “going dark” debate.
Document 17
2016-11-07
This draft paper discusses the establishment of a variety of capabilities that would increase the ability of manufacturers to detect cyberattacks on industrial control systems.
Document 18
2017-01-18
Federal Communications Commission, Cybersecurity Risk Reduction, January 18, 2017. Unclassified.
This report from the FCC describes various lines of effort undertaken by the FCC regarding cybersecurity risk reduction. Of particular relevance to the L0pht testimony are the discussions of security by design challenges and efforts by the FCC to combat these.
Document 19
2017-04-00
This study reports on security threats to mobile devices for government users and networks.
Document 20
2017-05-11
This statement from the Director of National Intelligence provides an intelligence community perspective on the cybersecurity threats faced by the U.S., including by foreign state actors.
Document 21
2017-06-13
This statement discusses the threat of state sponsored cyberattacks, including those by China and North Korea, as well as U.S. policy responses to those attacks.
Document 22
2017-06-17
This document establishes the process by which federal agencies outside of the intelligence community can gain access to information on IC networks, in other words outlining a form of access control.
Document 23
2017-09-00
This report documents a NIST workshop by the same name. Included among the topics at the workshop were the problems posed by the insecurity of many IoT devices and the need to increase ecosystem security and resilience.
Document 24
2018-03-00
This document reports the findings of an investigation into the accuracy of FBI testimony to Congress in light of allegations about Bureau capability to unlock the iPhone of San Bernardino attacker Syed Rizwan Farook. It provides context for some of the complications surrounding the “going dark” debate.
Document 25
2018-04-16
This document provides the finalized version of NIST’s framework for improving critical infrastructure cybersecurity.
Document 26
2018-05-22
This letter from Christopher Krebs discusses the presence of IMSI catcher devices in the National Capital Region, with brief mention of efforts by NPPD to address the problem.
Document 27
2018-08-14
United States v. Winner - Government's Sentencing Memorandum in the United States District Court for the Southern District of Georgia. August 14, 2018.
This memorandum on the sentencing of Reality Winner is the most recent document from a prominent case about the leaking of IC information on cybersecurity threats. The government response to leaks like these is one piece of a regime designed to mitigate insider threat.
[1]. Though the L0pht hearing is often cited as the first to be held on cybersecurity, Congress had previously held narrowly scoped hearings on specific computer security issues. The L0pht hearing was the first on the need to address broader cybersecurity challenges.