[ISN] For NSA vet, security's still a hard sell

From: InfoSec News (isnat_private)
Date: Tue Jun 05 2001 - 19:37:19 PDT

  • Next message: InfoSec News: "[ISN] Register duped by crimebusting D.I.R.T. Trojan"

    By Terry Costlow 
    EE Times
    Bill Crowell has spent his career in security, going from top civilian
    at the National Security Agency to president and chief executive
    officer of Cylink Corp., a developer of public-key security systems.
    But at times, he just can't help being a hacker.
    "I used to work where we had a facial recognition system in a briefing
    center," Crowell recalls. "We didn't have the images bound to the
    individual with a public key, so I slipped my picture into the file of
    the guy who did a demo of the system. He . . . couldn't figure out how
    I kept getting in the door saying I was him."
    Having executive access didn't hurt in pulling out that little trick,
    which also underscores a key difficulty facing security engineers. "A
    hacker only has to come up with one technique," Crowell points out.
    "The protector has to anticipate all current and future attacks."
    Crowell works on two fronts, to protect against attacks and to
    convince companies that they really need security. Crowell became boss
    of Cylink (Santa Clara, Calif.), a 17-year-old developer of secure
    networks, in 1998 after serving as vice president of product strategy.
    He's focusing on combinations of technology like biometrics and smart
    cards in pursuit of foolproof protection.
    "Probably the strongest security is when you have three-factor
    security, something like a smart card with some version of a biometric
    file, something you know like a password or carry like a biometric,
    and then something you are, the biometric," said Crowell.
    Though he earned a political science degree from Louisiana State
    University in 1962, Crowell has been in technology since he designed
    circuits for a local company while he was in high school.
    To avoid the situation he created when he slipped his own picture into
    someone else's file, Crowell said, those who use all three aspects of
    this security approach should make sure the biometric portion that
    people carry as a credential has been signed by someone who is
    trusted, the way a notary approves written signatures today.
    "Otherwise, people could steal your identity and insert their
    biometric information for yours," Crowell said.
    Biometrics like fingerprints and retinal or facial scans are gaining
    acceptance, but Crowell predicts it'll be a slow ramp, at first driven
    by high-end applications.
    "Biometrics will find its way into high-value transactions fairly
    quickly, when someone's doing $500,000 transactions fairly often,"
    Crowell said. "But I don't see it being used extensively for consumer
    purposes or for Internet shopping very soon. It requires a large
    infrastructure of readers that will keep many merchants from adopting
    Cryptography doesn't require that vast infrastructure, so Crowell sees
    quicker acceptance. As companies vie for Web profits, he said,
    cryptography and smart cards offer them a potent way to get payments
    via the Net.
    "We'll see a quick ramp, particularly when people use smart cards or
    other tokens to authenticate themselves," Crowell said. "Those are
    going to be very popular for authentication, for buying software or
    other digitally protected files over the Internet. Things like an MP3
    file or software that doesn't have to be packaged and can be delivered
    over the Internet could really benefit. These are areas where you want
    to be sure you're avoiding large-scale fraud. Most businesses do not
    care nearly as much about small-scale fraud."
    Unfortunately for Crowell and others in the security business, a lot
    of companies don't care much about fraud at all, at least when it
    comes to understanding the potential losses from fraud using the
    corporation's networks and electronic databases.
    Competing with inaction
    "Our No. 1 competition, without a doubt, is companies that don't do
    anything," Crowell said. "There's just not enough understanding in the
    upper echelons of business on the compelling need to install security
    into their business. Business models before the Internet accepted a
    certain amount of fraud as part of the cost of doing business. But
    with the Internet, fraud may be repeatable on such a large scale that
    it may no longer be possible to pass costs on to customers."
    Accepting the potenial for electronic theft was no problem when
    Crowell worked at NSA. Along with protecting defense communications,
    the agency is charged with exploiting the vulnerabilities of foreign
    Crowell did two stints at NSA, leaving in 1989 when the Cold War's end
    made him think "it was time to do something else." But by the end of
    1990, shortly before the Gulf War began, he was back, serving in a
    number of senior positions that included chief of staff and deputy
    director, the latter the agency's highest civilian post. He recalls
    NSA as "a fun place" with "some of the greatest toys you'll ever get
    to work with."
    "It's a mysterious place, but a lot of the stories about the NSA never
    say anything, are misleading. The movie Enemy of the State is as far
    from reality as you can get," he said.
    But if the stories are misleading at times, the tales of top secrecy
    also contain some truth. "In modern times, on signal intelligence, I
    can't talk about things," Crowell said. But, "on the historical side
    of signal intelligence, I was involved in making public NSA success
    decoding KGB messages, which were supposedly unbreakable, during World
    War II. That exploitation went on for 37 years."
    Now he's hoping that it won't take that long for the security market
    to take off. Eventually, Crowell said, it's likely that all corporate
    networks will employ some type of security. But he disagrees with
    those who think that it's going to happen in just a few years.
    "I feel it will take the better part of a decade before security is
    ubiquitous," Crowell said. Acceptance will come industry by industry,
    he predicted.
    "The financial industry is a good user of security not because they're
    more prone to security but because they have to use it, their business
    depends on assuring customers that fraud is rare. Finance is the No. 1
    user [of security], large multinational companies like Intel are next,
    and the government is probably third."
    In the future, the medical world is likely to become a big adopter.
    The new Health Insurance Portability and Accountability Act is driving
    hospitals and medical offices to computerized record keeping, and
    security is a big concern for all involved.
    "The health industry is small for us right now," Crowell said. "They
    have traditionally spent little money on security and until recently
    spent little on IT. They used paper. It will become a large sector
    because regulations require health organizations to pay more attention
    to the privacy of medical records."
    Eventually, he predicts,even the companies that today couldn't care
    less about security will tout their protective measures. That will
    help them get business from around the world.
    "One of the remaining issues in the cyber world that really needs to
    be addressed is how essential security is to how we conduct business,"
    Crowell said. "There are no borders in cyberspace. Business will go to
    the leanest, best companies, and security will be part of their
    marketing. Consumer surveys show that the majority of those who don't
    shop on the Internet say it's because they don't trust it."
    When he's not trying to thwart the criminal element, Crowell and his
    wife, Judy, are bikers.
    "My wife and I are both avid motorcyclists," Crowell said. "We'll take
    3,000 to 4,000-mile trips. We also like to go fly fishing. On our
    latest 4,000-mile trip, we looked at a lot of rivers."
    When he isn't away from his San Jose, Calif., home, Crowell likes to
    spend his time cooking. "I cook very fancy things most every day,
    though I do less of it now that I'm CEO and am traveling more," he
    His business travels still keep him somewhat involved in government
    activities. Government agencies will continue to be closely involved
    in all aspects of security as they try to stay ahead of those who
    would steal from corporations or tap into military and government
    transmissions. He hopes industry and government agencies will learn
    how to develop technologies and techniques that benefit both sides.
    "There will be more and more cooperation between government and
    industry, in my opinion," said Crowell.
    ISN is hosted by SecurityFocus.com
    To unsubscribe email isn-unsubscribeat_private

    This archive was generated by hypermail 2b30 : Wed Jun 06 2001 - 05:54:54 PDT