Year After 9/11, Cyberspace Door Is Still Ajar

From: Harvey Newstrom (mail@HarveyNewstrom.com)
Date: Mon Sep 09 2002 - 14:29:23 MDT


The New York Times reports that spending on computer security has been
flat since 9/11. Despite everyone talking about heightened security,
nobody is actually spending money to improve their security.

<http://cypherpunks:cypherpunks@www.nytimes.com/2002/09/09/technology/09SECU.html?todaysheadlines>

Year After 9/11, Cyberspace Door Is Still Ajar
By JOHN SCHWARTZ

Sounding the alarm is not the same as paying for a deadbolt on the
door. Which may explain why, despite the heightened fears of
cyberterrorism and online security that followed last September's
attacks in New York and Washington, few American businesses or
organizations have responded with new measures to safeguard their
computing systems from intruders.

Harris Miller had hoped it would be otherwise. He recalls that warning
Americans about cyberterrorism and online security before Sept. 11 had
been an exercise in futility.

"I felt like Sisyphus," said Mr. Miller, president of the
Information Technology Association of America, a trade group, adding
that his pleas for greater awareness and quicker action were
consistently ignored. "Just rolling the stone up the mountain, and it
kept rolling right back down again." For government, corporations and
individuals alike, Mr. Miller said, computer security was always "the
11th item on a 10-item list."

Then came the attacks — and with them, a growing sense that terrorism
could happen anywhere. And anywhere included the nation's computer
networks and all the critical systems that were tied to them.

"It really was a wake-up call," said Mario Correa, director of
Internet and network security policy for the Business Software
Alliance, an industry lobbying group in Washington.

Security experts predicted that their calls would finally be heeded
and that corporations and governments would shore up their
cyberdefenses. Some even spoke of a "security dividend" for the
industry arising from the attacks. The International Data Group, a
publisher of trade magazines, even announced a new magazine, CSO,
aimed at the hoped-for legions of deep-pocketed corporate chief
security officers.

So what has changed in the year since the attacks?

Not so much, actually.

The fretting, certainly, has been vocal. Companies say in survey after
survey that they believe they, and the government, are still
vulnerable to cyberattack. Indeed, a poll published this summer by the
Business Software Alliance found that 60 percent of those who are
directly responsible for their companies' network security believe
that United States businesses are at risk for a major cyberattack in
the next 12 months.

And a government team led by Richard A. Clarke, the White House
cyberspace security adviser, has been busy on a computer security
framework that is to be announced next week and is expected to spell
out actions that should be taken by government, industry and even
individuals to safeguard the Internet.

The fretting and frameworking, however, has not escalated into
spending. Money spent on security has been flat the last year, with no
turnaround imminent, said Steve Hunt, a vice president of the Giga
Information Group, a high-technology analysis company.

"The security market is not going to benefit in 2002," he said. A
survey of the customers of Sanctum Inc., a security company in Santa
Clara, Calif., which said it had extensively interviewed 10 customers
on the topic, showed that only three had made new Internet security
moves because of the Sept. 11 attacks.

Other areas of security, like the disaster preparedness of information
technology systems, have also come under increased scrutiny since
Sept. 11. But, as with cybersecurity, little money has been spent. In
a survey conducted for AT&T, 73 percent of those questioned said
their companies had reviewed their disaster recovery planning after
Sept. 11, but only one in 10 said business disaster planning had
become a top priority after the attacks.

That is not particularly surprising in tight economic times, when most
information technology spending has focused on incremental
improvements to current systems, said Art Coviello, the chief
executive of RSA Data Security, a computer network security company in
Bedford, Mass. At a conference of chief information officers early
this year, Mr. Coviello recalled, executives listed the top three
priorities in 2002 as "cut costs, cut costs and cut costs."

"The next priority was to make more out of what they had," he said.
"The next priority after that was security."

Part of the reason for the lack of action is a growing sense of
frustration with the task of making computer systems secure, said
Peter S. Tippett, the chief technology officer of Trusecure, a
computer security management firm in Herndon, Va. Trying to keep up
with each individual software patch and vulnerability and apply each
one to every computer and network has become an all but impossible
task for many organizations.

The Computer Emergency Response Team, a federally financed monitoring
group and information clearinghouse at Carnegie Mellon University,
identified 2,437 software vulnerabilities in 2001, but fewer than 1
percent were used in actual attacks. "Why don't we figure out what the
essential security is?" Mr. Tippett said.

He suggested that another reason companies had not acted decisively
could be a growing sense among industry experts that the threat of
cyberterrorism had been overstated. He noted that although the world's
computer networks are increasingly tied to critical systems like power
grids and telecommunications networks, a cyberterrorism episode is
unlikely to stand alone, or to be devastating in itself. Instead, he
said, such an attack would probably come in conjunction with physical
attacks and be meant mainly to sow confusion. He compared such a
disruption to "a snowstorm on top of an otherwise bad day."

Still, Mr. Tippett and other security experts agree that the nation's
computer networks need more effective and extensive shoring up.

Meanwhile, Bush administration officials argue that despite the lack
of progress cited by others, great strides have actually been made
since last September.

Mr. Clarke, chairman of the president's Critical Infrastructure
Protection Board, said the real alarm was sounded not on Sept. 11 but
on Sept. 18. That is when a piece of rogue computer software named
Nimda spread through Internet-connected computers around the world and
caused damage that was estimated in the billions of dollars. The
creator of Nimda, which attacked computers and installed "back doors"
for subsequent hacker attacks, has never been identified.

"Sept. 11 made everybody in corporate America think about security,"
Mr. Clarke said. "Sept. 18 made them think about cybersecurity."

Since then, he said, software companies have grown far more serious
about plugging the kinds of vulnerabilities that Nimda exploited.
Microsoft, for example, shut down its software development efforts for
nearly two months in a $100 million effort to analyze Windows software
for bugs and to train its engineers in "trustworthy computing"
techniques.

Other major software makers have announced similar efforts to make
security "not an add-on, but a central thought" in software design,
Mr. Clarke said. Industries that did not pay much heed to
cybersecurity before — Mr. Clarke cited power companies as an example
— have "really begun taking security seriously," with widespread use
of encryption to shield data from prying eyes and authentication
systems to ensure that only authorized people have access to critical
system controls.

And government is "beginning to walk its talk" by shoring up its own
systems, Mr. Clarke said. The administration's proposed budget for the
2003 fiscal year calls for $4.2 billion for securing federal networks,
a 56 percent increase over the current fiscal year. And next week,
on Sept. 18, Mr. Clarke's team plans to release its action plan for
safeguarding the Internet.

But government can only do so much, since most of the networks and
systems that need to be protected are in private hands, Mr. Clarke
observed. "The government is not going to secure hospitals and banks
and railroads — they have to do it for themselves," he said.

Mr. Correa's industry group has spent much of the last year trying to
ensure that the government's responses to the Sept. 11 attacks do not
do more harm than good. "You're seeing Congress look for what appear
to be quick fixes and really are not," he said.

The group opposed, for example, well-intentioned early efforts by
lawmakers that would have required federal agencies to upgrade
computer security using very specific technologies obtained through
strict government procurement guidelines.

Under early drafts of legislation, for example, the National Institute
of Standards and Technology was to specify the kinds of antivirus and
firewall software and hardware that would be used in government
systems. Mr. Correa's group feared that the specifications would
quickly become outdated, because antivirus software, for instance,
must evolve continually to keep pace with new kinds of threats.

So Mr. Correa's group and others requested — successfully — that the
bills specify only performance goals, like a requirement that any
firewall software be able to block a certain number of intrusions a
second, without defining how the software accomplishes that task.

"You've got to make those security standards performance-based, not
technology-based," Mr. Correa said, or "they will be outmoded in a
week."

Mr. Correa's group is also fighting an administration plan to put a
unit of the Commerce Department that helps set computer security
standards, the Computer Security Division, into the new Department of
Homeland Security — a move that they argue would make that group less
effective by blurring purely technical issues with military and
law-enforcement agendas that could end up with worse, not better,
technology.

His group has also tried to pave the way for greater cooperation among
industries and the government on security issues. Those efforts have
included legislative proposals for making sure that companies are
willing to share information with the government by carving out
exemptions in the Freedom of Information Act for such exchanges, so
that information given voluntarily to the government about intrusions
is not made public.

Mr. Hunt, the Giga Information analyst, sees reasons for optimism. "No
security vendors are getting richer, and there are a lot of security
problems yet to be solved," he said.

But, he added, companies have begun to shift toward viewing security
as an integrated business function and not merely the province of a
"little cult in the corner of the I.T. department." In surveys
conducted more than a year ago, only 30 percent of all companies said
they had a person responsible for connecting security efforts with the
actual risks of the business, he said. Now, nearly 90 percent do.

"This is not a 200 percent improvement in spending," Mr. Hunt said.
"It is an improvement in quality, meaning the haphazard approach to
security management of the past — an approach that left many holes —
is steadily being replaced by robust processes of detection and
response."

Even Harris Miller says he is feeling less Sisyphean lately. "While
there's been much more attention in the private sector, there's a long
way to go," Mr. Miller said. "But I don't feel the exercise is as
futile as it was a year ago. Now the need is to get the money spent."

--
Harvey Newstrom, CISSP	<www.HarveyNewstrom.com>
Principal Security Consultant	<www.Newstaff.com>