Selected Security Events in the 1990s

January 1990:
Programming error in software for the AT&T electronic switching systems causes a nine-hour outage, blocking an estimated 5 million calls.

January 1991:
Accidental fiber cut blocks 60 percent of the long-distance calls into and out of New York, disables air traffic control functions in New York, Washington and Boston and disrupts the operation of the New York Mercantile Exchange and several commodities exchanges.

October 1991:
National Research Council releases report, "Computers at Risk: Safe Computing in the Information Age."

December 1994:
U.S. Naval Academy
computer system is penetrated successfully.

February 1996:
Office of Management and Budget Circular A-130, Appendix III, "Security of Federal Automated Information Resources," is updated, requiring agencies to assign responsibility for security, develop a system security plan, screen and train individual users, assess risk, plan for disasters and contingencies and periodically review their security safeguards. It also requires agencies to define responsibilities for individuals with access to automated systems, and to implement security incident response and reporting capabilities.

July 1996:
President Clinton establishes CIO Council, chaired by OMB, to address governmentwide technology issues and advise OMB on policies and standards needed to implement legislative reforms. Council members include chief information officers and deputy CIOs from each major agency.

September 1996:
General Accounting Office issues report, "Information Security: Opportunities for Improved OMB Oversight of Agency Practices."

October 1996:
Clinger-Cohen Act of 1996 stipulates that agency heads are directly responsible for information technology management, including ensuring that the information security policies, procedures and practices of their agencies are adequate. The act also requires the appointment of a CIO for each of the 24 largest federal agencies to provide expertise to implement needed reforms.

March 1997:
A 15-year-old hacker working from Croatia penetrates a computing system at Andersen Air Force Base in Guam.

March 1997:
Commands sent from a hacker's personal computer disable vital services to the Federal Aviation Administration control tower at the Worcester, Mass., airport.

June 1997:
As part of the Eligible Receiver exercise,
an NSA hacker team breaks into Defense
Department computers and the U.S. electric
power grid system. The team simulates a series of rolling power outages and 911 emergency telephone overloads in Washington and other cities.


July 1997:
Operator installs a corrupted top-level domain name server database at Network Solutions and effectively wipes out access to roughly 1 million sites on the Internet.


August 1997:
GAO issues an exposure draft of the Federal Information System Controls Audit Manual, which describes a methodology for evaluating federal agency information security programs.


September 1997:
Employee uploads an incorrect set of translations into a Signaling System 7 processor and causes a 90-minute network outage for AT&T toll-free telephone service.


October 1997:
State Department shuts down portions of one of its international computer systems after GAO discovers evidence of an intruder in computers at two overseas posts.

October 1997:
President's Commission on Critical Infrastructure Protection issues its report, "Critical Foundations: Protecting America's Infrastructures." It calls for a national effort to assure the security of the United States' increasingly vulnerable and interconnected infrastructures, such as telecommunications, banking and finance, energy, transportation and essential government services.

November 1997:
CIO Council, under OMB's leadership, designates information security as one of six priority areas and establishes a security committee.

February 1998: Software failure in Illuminet, a private carrier, interrupts operation of the New York Mercantile Exchange and telephone service in several major East Coast cities.


April 1998:
Software flaws cause an outage in the AT&T frame-relay
network.

May 1998:
Clinton issues Presidential Decision Directive 63 (PDD-63), calling for an effort to ensure the security of the nation's critical infrastructures for communication, finance, energy distribution and transportation. Establishes National Coordinator for Security, Infrastructure Protection and Counter-Terrorism. Forms the Critical Infrastructure Coordination Group, which is supported by the Critical Infrastructure Assurance Office (CIAO) within the Department of Commerce.


July 1998:
A tree shorts a line running to a power plant in Idaho, bringing about cascading outages that take down the three main California-Oregon transmission trunks and interrupt service for 2 million customers.


September 1998:
GAO issues the report, "Information Security: Serious Weaknesses Place Critical Federal Operations and Assets at Risk."

November 1998:
Agency plans for critical infrastructure protection called for under PDD-63 are due to CIAO.