http://www.eetimes.com/story/OEG20010605S0052

By Terry Costlow
EE Times
06/05/01

Bill Crowell has spent his career in security, going from top civilian at the National Security Agency to president and chief executive officer of Cylink Corp., a developer of public-key security systems. But at times, he just can't help being a hacker.

"I used to work where we had a facial recognition system in a briefing center," Crowell recalls. "We didn't have the images bound to the individual with a public key, so I slipped my picture into the file of the guy who did a demo of the system. He . . . couldn't figure out how I kept getting in the door saying I was him."

Having executive access didn't hurt in pulling out that little trick, which also underscores a key difficulty facing security engineers. "A hacker only has to come up with one technique," Crowell points out. "The protector has to anticipate all current and future attacks."

Crowell works on two fronts, to protect against attacks and to convince companies that they really need security.

Crowell became boss of Cylink (Santa Clara, Calif.), a 17-year-old developer of secure networks, in 1998 after serving as vice president of product strategy. He's focusing on combinations of technology like biometrics and smart cards in pursuit of foolproof protection.

"Probably the strongest security is when you have three-factor security, something like a smart card with some version of a biometric file, something you know like a password or carry like a biometric, and then something you are, the biometric," said Crowell.

Though he earned a political science degree from Louisiana State University in 1962, Crowell has been in technology since he designed circuits for a local company while he was in high school.

To avoid the situation he created when he slipped his own picture into someone else's file, Crowell said, those who use all three aspects of this security approach should make sure the biometric portion that people carry as a credential has been signed by someone who is trusted, the way a notary approves written signatures today.

"Otherwise, people could steal your identity and insert their biometric information for yours," Crowell said.

Biometrics like fingerprints and retinal or facial scans are gaining acceptance, but Crowell predicts it'll be a slow ramp, at first driven by high-end applications.

"Biometrics will find its way into high-value transactions fairly quickly, when someone's doing $500,000 transactions fairly often," Crowell said. "But I don't see it being used extensively for consumer purposes or for Internet shopping very soon. It requires a large infrastructure of readers that will keep many merchants from adopting it."

Cryptography doesn't require that vast infrastructure, so Crowell sees quicker acceptance. As companies vie for Web profits, he said, cryptography and smart cards offer them a potent way to get payments via the Net.

"We'll see a quick ramp, particularly when people use smart cards or other tokens to authenticate themselves," Crowell said. "Those are going to be very popular for authentication, for buying software or other digitally protected files over the Internet. Things like an MP3 file or software that doesn't have to be packaged and can be delivered over the Internet could really benefit. These are areas where you want to be sure you're avoiding large-scale fraud. Most businesses do not care nearly as much about small-scale fraud."

Unfortunately for Crowell and others in the security business, a lot of companies don't care much about fraud at all, at least when it comes to understanding the potential losses from fraud using the corporation's networks and electronic databases.

Competing with inaction

"Our No. 1 competition, without a doubt, is companies that don't do anything," Crowell said. "There's just not enough understanding in the upper echelons of business on the compelling need to install security into their business. Business models before the Internet accepted a certain amount of fraud as part of the cost of doing business. But with the Internet, fraud may be repeatable on such a large scale that it may no longer be possible to pass costs on to customers."

Accepting the potential for electronic theft was no problem when Crowell worked at NSA. Along with protecting defense communications, the agency is charged with exploiting the vulnerabilities of foreign communications.

Crowell did two stints at NSA, leaving in 1989 when the Cold War's end made him think "it was time to do something else." But by the end of 1990, shortly before the Gulf War began, he was back, serving in a number of senior positions that included chief of staff and deputy director, the latter the agency's highest civilian post. He recalls NSA as "a fun place" with "some of the greatest toys you'll ever get to work with."

"It's a mysterious place, but a lot of the stories about the NSA never say anything, are misleading. The movie Enemy of the State is as far from reality as you can get," he said.

But if the stories are misleading at times, the tales of top secrecy also contain some truth. "In modern times, on signal intelligence, I can't talk about things," Crowell said. But, "on the historical side of signal intelligence, I was involved in making public NSA success decoding KGB messages, which were supposedly unbreakable, during World War II. That exploitation went on for 37 years."

Now he's hoping that it won't take that long for the security market to take off. Eventually, Crowell said, it's likely that all corporate networks will employ some type of security. But he disagrees with those who think that it's going to happen in just a few years.

"I feel it will take the better part of a decade before security is ubiquitous," Crowell said.

Acceptance will come industry by industry, he predicted. "The financial industry is a good user of security not because they're more prone to security but because they have to use it, their business depends on assuring customers that fraud is rare. Finance is the No. 1 user [of security], large multinational companies like Intel are next, and the government is probably third."

In the future, the medical world is likely to become a big adopter. The new Health Insurance Portability and Accountability Act is driving hospitals and medical offices to computerized record keeping, and security is a big concern for all involved.

"The health industry is small for us right now," Crowell said. "They have traditionally spent little money on security and until recently spent little on IT. They used paper. It will become a large sector because regulations require health organizations to pay more attention to the privacy of medical records."

Eventually, he predicts, even the companies that today couldn't care less about security will tout their protective measures. That will help them get business from around the world.

"One of the remaining issues in the cyber world that really needs to be addressed is how essential security is to how we conduct business," Crowell said. "There are no borders in cyberspace. Business will go to the leanest, best companies, and security will be part of their marketing. Consumer surveys show that the majority of those who don't shop on the Internet say it's because they don't trust it."

When he's not trying to thwart the criminal element, Crowell and his wife, Judy, are bikers.

"My wife and I are both avid motorcyclists," Crowell said. "We'll take 3,000 to 4,000-mile trips. We also like to go fly fishing. On our latest 4,000-mile trip, we looked at a lot of rivers."

When he isn't away from his San Jose, Calif., home, Crowell likes to spend his time cooking.

"I cook very fancy things most every day, though I do less of it now that I'm CEO and am traveling more," he said.

His business travels still keep him somewhat involved in government activities. Government agencies will continue to be closely involved in all aspects of security as they try to stay ahead of those who would steal from corporations or tap into military and government transmissions. He hopes industry and government agencies will learn how to develop technologies and techniques that benefit both sides.

"There will be more and more cooperation between government and industry, in my opinion," said Crowell.