30+ Years of Freedom of Information Action

Cybersecurity: When Hackers Went to the Hill — Revisiting the L0pht Hearings of 1998

Published: Jan 9, 2019
Briefing Book #655

Edited by Rosemary Tropeano

For more information, contact:
202-994-7000 or nsarchiv@gwu.edu

Landmark Senate Hearings Exposed Risks and Threats That Are Still Being Confronted

Declassified Records Offer Roadmap to Often Incomplete U.S. Government and Industry Response

Cybersecurity: When Hackers Went to the Hill — Revisiting the L0pht Hearings of 1998

Washington, D.C., January 9, 2019 – More than 20 years ago, in May 1998, seven hackers from the Boston-based “hacker think tank” L0pht Heavy Industries, appeared alongside Dr. Peter Neumann, a private sector expert on computer security, before the Senate Committee on Governmental Affairs for one of the first-ever[1] Congressional hearings focusing specifically on cybersecurity. The hearing covered a wide array of topics, addressing the breadth of challenges posed by cybersecurity rather than providing a detailed look at any single problem. The Committee held two more hearings in a series on cybersecurity in 1998, looking at information security in the Department of Defense, and electronic warfare and cybersecurity within the Social Security Administration and Veterans Affairs, respectively.

Today, the Cyber Vault project at the National Security Archive is posting these ground-breaking hearings along with a variety of subsequent official reports, testimony, and related materials that trace the evolution of U.S. government and public awareness of and approaches to the challenges, problems, and threats posed by the world of cyber.  These records – a fraction of the documentation that constitutes the Cyber Vault Library – have been gathered from Federal agencies, the U.S. Congress, the courts, and private industry.  Together they offer a glimpse into the scope and complexities of the issues, but also serve as a reminder that many of the basic security questions raised two decades ago by L0pht and other experts still lack meaningful answers.

Some of the topics addressed during the first hearing, like the complications arising from the Y2K problem, have been dealt with in the intervening 20 years. A number of significant problems, such as insider threat, remain, though in some cases they have been mitigated, for example by access control and legal measures.

Other issues discussed during the hearing have changed context. Problems with mobile phone security are briefly mentioned by Dr. Neumann during the hearing, specifically the “random interception of Newt Gingrich’s cell phone call and the recent case of the Secret Service pager messages, all of which were being routinely intercepted” (7). Though Dr. Neumann was discussing the use of a radio scanner to record cell phone calls, mobile device security remains a challenge today. International mobile subscriber identity (IMSI) catchers, such as Stingray devices, are a problem currently being addressed by the Department of Homeland Security. IMSI catchers can be used to track and monitor cellular communications, and threaten the security of mobile communications.

“Security by design” is also discussed throughout the hearing, though without the particular name attached. Both Dr. Neumann and the L0pht hackers describe the unwillingness of software manufacturers to build security into their products, and the inconsistency in applying patches to known security flaws. This is a problem currently endemic in the Internet of Things (IoT). The problem of time to market described by the L0pht hackers in the hearing has recently been echoed by the FCC about software manufacturing and IoT devices.

Similarly, the hearing discusses the development of cybersecurity standards by the National Institute of Standards and Technology. NIST has developed a number of these standards in the past twenty years, along with guidelines for their use. However, federal agencies are still struggling to implement these standards. Agencies are also forced to continually formulate new standards and guidelines to address new cybersecurity challenges, such as cloud computing.

However, there are a number of cybersecurity problems covered in the hearing that remain unresolved today. The “going dark debate,” for example, is a current conversation that is echoed in the hearing. Much as the hearing describes, law enforcement struggles with cryptography regimes that do not grant them access to all encrypted information. Despite cases like the San Bernardino terrorist attacks creating controversy over this issue, law enforcement concerns about access to information impacting investigations have never been formally addressed by the U.S. legislature.

Critical infrastructure is another topic from the hearing that remains a major challenge for the U.S. While some related issues such as what a response to a cyberattack on the electric grid would look like have begun to be addressed, many of the concerns expressed regarding the insecurity of critical infrastructure remain. Dr. Neumann and the L0pht hackers describe insecurities in power, transportation, finance and banking, and telecommunications infrastructure. The cybersecurity of these sectors, along with several others, has been a specific focus for recent administrations.

Finally, the 1998 hearing touches on the threat posed to the U.S. by state actors. The question posed by the chairman of the committee about foreign states hiring groups of hackers like the L0pht think tank has proven to be prescient. Foreign hackers have proven to be a significant problem, and the focus on cyber threats from the government has increased over the past few years. One of the specific topics in the hearing, the security of satellites and satellite communications, has remained out of focus in the last twenty years, despite increasing risks posed by foreign actors.

 

DOCUMENTS

Document 01

1998-05-19

Senate Committee on Governmental Affairs, “Weak Computer Security in Government: Is the Public at Risk?” Unclassified.

Source: ProQuest Database.

This is the full transcript of the Senate’s first hearing on cybersecurity featuring the testimony of Dr. Peter Neumann and the L0pht hackers.


Document 02

1998-05-19

Peter G. Neumann, Principal Scientist, SRI International, Statement for the Record for the Senate Committee on Governmental Affairs, “Weak Computer Security in Government: Is the Public at Risk?” Unclassified.

Source: Senate Committee on Homeland Security and Governmental Affairs.

This is the written testimony of Dr. Peter Neumann for the first-ever Senate hearing on cybersecurity.


Document 03

1998-05-19

Senator Fred Thompson, Statement for the Record for the Senate Committee on Governmental Affairs, “Weak Computer Security in Government: Is the Public at Risk?” Unclassified.

Source: Senate Committee on Homeland Security and Governmental Affairs.

This Governmental Affairs Committee Chair Fred Thompson’s prepared statement for the first-ever Senate hearing on cybersecurity.


Document 04

1998-06-24

Senate Committee on Governmental Affairs, “Cyber Attack: Is the Nation at Risk?” Unclassified.

Source: ProQuest Database.

This is the full transcript of the second in the 1998 series of hearings on cybersecurity before the Senate Committee on Governmental Affairs. It focuses primarily on information security in the Department of Defense.


Document 05

1998-09-23

Senate Committee on Governmental Affairs, “Information Security.” Unclassified.

Source: ProQuest Database.

This is the full transcript of the third in the 1998 series of hearings on cybersecurity before the Senate Committee on Governmental Affairs. It focuses on information security in the Social Security Administration and Veterans’ Affairs.


Document 06

2000-03-02

Senate Committee on Governmental Affairs, “Cyber Attack: Is the Government Safe?” Unclassified.

Source: ProQuest Database.

This is the full transcript of a hearing in 2000 before the Senate Committee on Governmental Affairs on cybersecurity risks to the U.S. government. It was the first hearing on cybersecurity held by the committee subsequent to the 1998 series.


Document 07

2013-02-12

The White House, Executive Order - Improving Critical Infrastructure Cybersecurity, February 12, 2013. Unclassified.

This executive order is one of the foundations for modern efforts to improve the cybersecurity of critical infrastructure in the U.S.


Document 08

2014-10-00

Office of the Inspector General, United States Department of State and the Broadcasting Board of Governors, AUD-IT-15-17, Audit of the Department of State Information Security Program, October 2014. Sensitive but Unclassified.

This document from the Inspector General reports the findings of an audit of Department of State information security. State was found to be out of compliance with FISMA, OMB, and NIST standards for information security, evidencing the difficulties of implementing standards for cybersecurity in the federal government.


Document 09

2015-09-08

Congressional Research Service, Encryption and Evolving Technology: Implications for U.S. Law Enforcement Investigations, September 8, 2015. Unclassified.

This report from the Congressional Research Service details the challenges that law enforcement agencies must grapple with due to rapidly-evolving encryption technologies.


Document 10

2015-10-21

Government Accountability Office, Statement of Gregory C. Wilshusen, Cybersecurity of the Nation’s Electricity Grid Requires Continued Attention. October 21, 2015. Unclassified.

This statement from the GAO revisits findings from a 2011 GAO report regarding the cybersecurity of the electric grid, and discusses actions taken between 2011 and 2015 to reduce the grid’s vulnerability.


Document 11

2016-03-00

National Institute of Standards and Technology, Guideline for using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms, March 2016. Unclassified.

This document provides guidance on how encryption can be utilized to secure unclassified Federal data.


Document 12

2016-03-18

Department of Defense, Department of Defense Cloud Computing Security Requirements Guide Version 1 Release 2, March 18, 2016. Unclassified.

This document provides guidance for the secure implementation of cloud computing within the Department of Defense.


Document 13

2016-04-11

Richard Campbell, Congressional Research Service, Subject: Testimony – Blackout! Are We Prepared to Manage the Aftermath of a Cyber-Attack or Other Failure of the Electrical Grid? April 11, 2016. Unclassified.

This statement from the Congressional Research Service details both the risk posed to the electric grid by cyberattacks, as well as the coordination needed between industry and government for recovery.


Document 14

2016-06-00

House Homeland Security Committee, Going Dark, Going Forward: A Primer on the Encryption Debate. June 2016. Unclassified.

This study provides an overview of the various facets of the “going dark” debate and how encryption affects law enforcement investigations. It also addresses economic concerns, encryption in foreign nations, and the absence of simple solutions.


Document 15

2016-09-00

David Livingstone and Patricia Lewis, Chatham House, Space, The Final Frontier for Cybersecurity? September 2016. Not classified. (Used with permission)

This study discusses the cybersecurity threats to satellite systems, as well as technical aspects of those threats.


Document 16

2016-11-00

New York County District Attorney, "Report of the Manhattan District Attorney's Office on Smartphone Encryption and Public Safety: An Update to the November 2015 Report", November 2016. Unclassified. 

This report is part of an annual series on the impact of smartphone encryption on public safety and law enforcement in New York City. It provides a law enforcement perspective on the “going dark” debate.


Document 17

2016-11-07

Keith Stouffer and Jim McCarthy, National Institute of Standards and Technology, Capabilities Assessment for Securing Manufacturing Industrial Control Systems, Draft, November 7, 2016. Unclassified.

This draft paper discusses the establishment of a variety of capabilities that would increase the ability of manufacturers to detect cyberattacks on industrial control systems.


Document 18

2017-01-18

Federal Communications Commission, Cybersecurity Risk Reduction, January 18, 2017. Unclassified.

This report from the FCC describes various lines of effort undertaken by the FCC regarding cybersecurity risk reduction. Of particular relevance to the L0pht testimony are the discussions of security by design challenges and efforts by the FCC to combat these.


Document 19

2017-04-00

United States Department of Homeland Security, Study on Mobile Device Security, April 2017. Unclassified.

This study reports on security threats to mobile devices for government users and networks.


Document 20

2017-05-11

Daniel R. Coats, Director of National Intelligence, Statement for the Record, Worldwide Threat Assessment of the US Intelligence Community, May 11, 2017. Unclassified.

This statement from the Director of National Intelligence provides an intelligence community perspective on the cybersecurity threats faced by the U.S., including by foreign state actors.


Document 21

2017-06-13

Samantha Ravich, Foundation for the Defense of Democracies, Testimony before Senate Foreign Relations Subcommittee on East Asia, the Pacific, and International Cybersecurity, "State Sponsored Cyberspace Threats: Recent Incidents and U.S. Policy Response," June 13, 2017. Unclassified.

This statement discusses the threat of state sponsored cyberattacks, including those by China and North Korea, as well as U.S. policy responses to those attacks.


Document 22

2017-06-17

Office of the Director of National Intelligence, "Federal Partner Access to Intelligence Community Information Technology Systems," June 16, 2017. Unclassified.

This document establishes the process by which federal agencies outside of the intelligence community can gain access to information on IC networks, in other words outlining a form of access control.


Document 23

2017-09-00

National Institute of Standards and Technology, Enhancing Resilience of the Internet and Communications Ecosystem, September 2017. Unclassified.

This report documents a NIST workshop by the same name. Included among the topics at the workshop were the problems posed by the insecurity of many IoT devices and the need to increase ecosystem security and resilience.


Document 24

2018-03-00

United States Department of Justice Office of the Inspector General, A Special Inquiry Regarding the Accuracy of FBI Statements Concerning its Capabilities to Exploit an iPhone Seized During the San Bernardino Terror Attack Investigation, March 2018. Unclassified.

This document reports the findings of an investigation into the accuracy of FBI testimony to Congress in light of allegations about Bureau capability to unlock the iPhone of San Bernardino attacker Syed Rizwan Farook. It provides context for some of the complications surrounding the “going dark” debate.


Document 25

2018-04-16

National Institute of Standards and Technology, "Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1", April 16 2018. Unclassified.

This document provides the finalized version of NIST’s framework for improving critical infrastructure cybersecurity.


Document 26

2018-05-22

Christopher Krebs, Department of Homeland Security, “Krebs Letter to Wyden After May Meeting”, May 22, 2018. Unclassified.

This letter from Christopher Krebs discusses the presence of IMSI catcher devices in the National Capital Region, with brief mention of efforts by NPPD to address the problem.


Document 27

2018-08-14

United States v. Winner - Government's Sentencing Memorandum in the United States District Court for the Southern District of Georgia. August 14, 2018.

This memorandum on the sentencing of Reality Winner is the most recent document from a prominent case about the leaking of IC information on cybersecurity threats. The government response to leaks like these is one piece of a regime designed to mitigate insider threat.

Note

[1]. Though the L0pht hearing is often cited as the first to be held on cybersecurity, Congress had previously held narrowly scoped hearings on specific computer security issues. The L0pht hearing was the first on the need to address broader cybersecurity challenges.