Twenty years ago this week, a collective of young hackers came to Washington with a warning for Congress: Software and computer networks everywhere were woefully insecure. During that now-infamous hearing in May 1998, one told senators that “any of the seven individuals seated before you” could take down the Internet in just half an hour.
In a return trip to Capitol Hill on Tuesday, the same hackers offered a similarly bleak assessment: Digital security is hardly any better. Four members of the collective known as L0pht reunited on the 20th anniversary of what is now referred to as the first congressional cybersecurity hearing to talk about what has changed since then. Yet in a wide-ranging panel discussion hosted by the Congressional Internet Caucus, they lamented how the technology is vastly different but many of the underlying vulnerabilities still exist.
“At L0pht we tried to be the voice of reason in raising awareness for problems,” said Joe Grand, who went by the hacker name Kingpin in his L0pht days. “Nearly all of what we said 20 years ago still holds true. Yes, there have been improvements, but the general class of problems are the same.”
Here are a few of them:
The same exploit the L0pht hackers could have used to take down the Internet in 1998 is still around today.
It's called Border Gateway Protocol (BGP) hijacking, and it takes advantage of a fundamental weakness in the Internet's routing infrastructure -- essentially preventing routers from being able to trust what they tell each other about where Web traffic should go, so traffic can be diverted or never arrive at all.
Just a few weeks ago, hackers used this to steal more than $150,000 in cryptocurrency, said Chris Wysopal, who goes by the hacker name Weld Pond. “We’re still building new technology like cryptocurrency and blockchain, with all its promise of being secure, on old network foundations,” he said. “We keep building new things on old infrastructure that never seems to get fixed.”
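As an added illustration (not part of the original article or the speakers' remarks), here is a small Python model of the defensive check that addresses this class of hijack: route-origin validation, in which a router or monitor compares each BGP announcement against a table of Route Origin Authorizations (the mechanism RPKI provides, with outcomes following RFC 6811). The prefixes, AS numbers and announcements below are constructed sample data, not real routing data.

```python
# Added example (not from the article): a toy BGP route-origin check in the
# style of RPKI origin validation (RFC 6811). The ROA table and the
# announcements are constructed sample data using documentation prefixes
# (RFC 5737) and private AS numbers.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network


@dataclass(frozen=True)
class Roa:
    """Route Origin Authorization: which AS may originate a prefix, and how
    specific an announcement under it may be (maxLength)."""
    prefix: IPv4Network
    max_len: int
    origin_asn: int


@dataclass(frozen=True)
class Announcement:
    """A BGP route as seen by a route collector: prefix plus AS path.
    The origin AS is the last element of the path."""
    prefix: IPv4Network
    as_path: tuple

    @property
    def origin_asn(self) -> int:
        return self.as_path[-1]


def validate(ann: Announcement, roas: list) -> str:
    """Classify one announcement as 'valid', 'invalid' or 'notfound'.

    'valid'    - at least one covering ROA names this origin AS and the
                 announced prefix is no more specific than its maxLength
    'invalid'  - covering ROAs exist but none matches (wrong origin AS or a
                 too-specific prefix: the classic hijack shapes)
    'notfound' - no ROA covers the prefix, so nothing can be said
    """
    covering = [r for r in roas if ann.prefix.subnet_of(r.prefix)]
    if not covering:
        return "notfound"
    for roa in covering:
        if roa.origin_asn == ann.origin_asn and ann.prefix.prefixlen <= roa.max_len:
            return "valid"
    return "invalid"


def find_invalid(announcements: list, roas: list) -> list:
    """Return (announcement, reason) pairs a defender should alert on."""
    alerts = []
    for ann in announcements:
        if validate(ann, roas) != "invalid":
            continue
        covering = [r for r in roas if ann.prefix.subnet_of(r.prefix)]
        expected = sorted({r.origin_asn for r in covering})
        alerts.append((ann, f"origin AS{ann.origin_asn} not authorized "
                            f"for {ann.prefix}; expected {expected}"))
    return alerts


# Constructed sample ROA table: AS64512 owns 203.0.113.0/24 and may not split
# it; AS64513 owns 198.51.100.0/24 and may announce it as /25s.
ROAS = [
    Roa(ip_network("203.0.113.0/24"), 24, 64512),
    Roa(ip_network("198.51.100.0/24"), 25, 64513),
]

# Constructed sample announcements, all learned via upstream AS65000.
ANNOUNCEMENTS = [
    Announcement(ip_network("203.0.113.0/24"), (65000, 64512)),     # legitimate
    Announcement(ip_network("203.0.113.0/25"), (65000, 65001)),     # more-specific hijack
    Announcement(ip_network("198.51.100.128/25"), (65000, 64513)),  # permitted split
    Announcement(ip_network("192.0.2.0/24"), (65000, 64514)),       # no ROA: notfound
]

if __name__ == "__main__":
    for ann in ANNOUNCEMENTS:
        print(f"{ann.prefix} via AS{ann.origin_asn}: {validate(ann, ROAS)}")
    for ann, reason in find_invalid(ANNOUNCEMENTS, ROAS):
        print(f"ALERT: {reason}")
```

Two points the model makes visible: the "more specific" hijack (a /25 carved out of someone's /24) wins in routers because longer prefixes are preferred, which is why the check compares prefix length against maxLength and not just the origin AS; and a prefix with no ROA at all comes back "notfound" rather than "valid", which is the state most of the Internet's address space was still in when this panel met and the reason the underlying weakness persists.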
People are often unwilling to take better security precautions even when they know they are available.
If a security measure is too complicated, people won’t use it, Grand said, “and that’s just human nature.”
The landscape of digital threats is much more diverse, with all kinds of bad actors trying to take advantage of the Internet.
State-sponsored hackers and international criminal organizations, once just a hypothetical menace, have emerged as a top digital threat to governments and companies around the world.
“Back then the threat was the teenage hacker,” Wysopal said. “It was like, ‘Yeah, they’re kind of ankle-biters’... Now it’s nation-states. So every vulnerability got a lot more risky.”
The federal government still isn't setting security standards.
Standards and certifications created by industry groups are "largely based on what feels right, rather than data showing what makes something strong in a security sense," said Peiter Zatko, who went by the name Mudge.
He asked: “Where’s the equivalent of the National Transportation Safety Board crash test results” for software? Cybersecurity is a public safety issue, “so why has this been almost entirely left to the free market to secure and make safe?”
The hackers raised similar concerns in their 1998 hearing, telling lawmakers that companies couldn't be trusted to police themselves. "At this point it's time for the government to step in and step up," Zatko said Tuesday.
Luckily, cybersecurity companies and the IT industry are stepping up. With an array of safety precautions and software implementations, we're well on our way to setting a standard. Is your company thinking about cybersecurity?