Forwarded from: "eric wolbrom, CISSP" <ericat_private>

http://www.nytimes.com/2002/09/09/technology/09SECU.html?pagewanted=all&position=bottom

September 9, 2002
By JOHN SCHWARTZ

Sounding the alarm is not the same as paying for a deadbolt on the door. Which may explain why, despite the heightened fears of cyberterrorism and online security that followed last September's attacks in New York and Washington, few American businesses or organizations have responded with new measures to safeguard their computing systems from intruders.

Harris Miller had hoped it would be otherwise. He recalls that warning Americans about cyberterrorism and online security before Sept. 11 had been an exercise in futility. "I felt like Sisyphus," said Mr. Miller, president of the Information Technology Association of America, a trade group, adding that his pleas for greater awareness and quicker action were consistently ignored. "Just rolling the stone up the mountain, and it kept rolling right back down again."

For government, corporations and individuals alike, Mr. Miller said, computer security was always "the 11th item on a 10-item list."

Then came the attacks -- and with them, a growing sense that terrorism could happen anywhere. And anywhere included the nation's computer networks and all the critical systems that were tied to them.

"It really was a wake-up call," said Mario Correa, director of Internet and network security policy for the Business Software Alliance, an industry lobbying group in Washington.

Security experts predicted that their calls would finally be heeded and that corporations and governments would shore up their cyberdefenses. Some even spoke of a "security dividend" for the industry arising from the attacks. The International Data Group, a publisher of trade magazines, even announced a new magazine, CSO, aimed at the hoped-for legions of deep-pocketed corporate chief security officers.

So what has changed in the year since the attacks? Not so much, actually.

The fretting, certainly, has been vocal. Companies say in survey after survey that they believe they, and the government, are still vulnerable to cyberattack. Indeed, a poll published this summer by the Business Software Alliance found that 60 percent of those who are directly responsible for their companies' network security believe that United States businesses are at risk for a major cyberattack in the next 12 months. And a government team led by Richard A. Clarke, the White House cyberspace security adviser, has been busy on a computer security framework that is to be announced next week and is expected to spell out actions that should be taken by government, industry and even individuals to safeguard the Internet.

The fretting and frameworking, however, have not escalated into spending. Money spent on security has been flat the last year, with no turnaround imminent, said Steve Hunt, a vice president of the Giga Information Group, a high-technology analysis company. "The security market is not going to benefit in 2002," he said.

A survey of the customers of Sanctum Inc., a security company in Santa Clara, Calif., which said it had extensively interviewed 10 customers on the topic, showed that only three had made new Internet security moves because of the Sept. 11 attacks.

Other areas of security, like the disaster preparedness of information technology systems, have also come under increased scrutiny since Sept. 11. But, as with cybersecurity, little money has been spent. In a survey conducted for AT&T, 73 percent of those questioned said their companies had reviewed their disaster recovery planning after Sept. 11, but only one in 10 said business disaster planning had become a top priority after the attacks.

That is not particularly surprising in tight economic times, when most information technology spending has focused on incremental improvements to current systems, said Art Coviello, the chief executive of RSA Data Security, a computer network security company in Bedford, Mass. At a conference of chief information officers early this year, Mr. Coviello recalled, executives listed the top three priorities in 2002 as "cut costs, cut costs and cut costs." "The next priority was to make more out of what they had," he said. "The next priority after that was security."

Part of the reason for the lack of action is a growing sense of frustration with the task of making computer systems secure, said Peter S. Tippett, the chief technology officer of Trusecure, a computer security management firm in Herndon, Va. Trying to keep up with each individual software patch and vulnerability and apply each one to every computer and network has become an all but impossible task for many organizations. The Computer Emergency Response Team, a federally financed monitoring group and information clearinghouse at Carnegie Mellon University, identified 2,437 software vulnerabilities in 2001, but fewer than 1 percent were used in actual attacks. "Why don't we figure out what the essential security is?" Mr. Tippett said.

He suggested that another reason companies had not acted decisively could be a growing sense among industry experts that the threat of cyberterrorism had been overstated. He noted that although the world's computer networks are increasingly tied to critical systems like power grids and telecommunications networks, a cyberterrorism episode is unlikely to stand alone, or to be devastating in itself. Instead, he said, such an attack would probably come in conjunction with physical attacks and be meant mainly to sow confusion. He compared such a disruption to "a snowstorm on top of an otherwise bad day."

Still, Mr. Tippett and other security experts agree that the nation's computer networks need more effective and extensive shoring up.

Meanwhile, Bush administration officials argue that despite the lack of progress cited by others, great strides have actually been made since last September. Mr. Clarke, chairman of the president's Critical Infrastructure Protection Board, said the real alarm was sounded not on Sept. 11 but on Sept. 18. That is when a piece of rogue computer software named Nimda spread through Internet-connected computers around the world and caused damage that was estimated in the billions of dollars. The creator of Nimda, which attacked computers and installed "back doors" for subsequent hacker attacks, has never been identified. "Sept. 11 made everybody in corporate America think about security," Mr. Clarke said. "Sept. 18 made them think about cybersecurity."

Since then, he said, software companies have grown far more serious about plugging the kinds of vulnerabilities that Nimda exploited. Microsoft, for example, shut down its software development efforts for nearly two months in a $100 million effort to analyze Windows software for bugs and to train its engineers in "trustworthy computing" techniques. Other major software makers have announced similar efforts to make security "not an add-on, but a central thought" in software design, Mr. Clarke said.

Industries that did not pay much heed to cybersecurity before -- Mr. Clarke cited power companies as an example -- have "really begun taking security seriously," with widespread use of encryption to shield data from prying eyes and authentication systems to ensure that only authorized people have access to critical system controls.

And government is "beginning to walk its talk" by shoring up its own systems, Mr. Clarke said. The administration's proposed budget for the 2003 fiscal year calls for $4.2 billion for securing federal networks, a 56 percent increase over the current fiscal year. And next week, on Sept. 18, Mr. Clarke's team plans to release its action plan for safeguarding the Internet.

But government can only do so much, since most of the networks and systems that need to be protected are in private hands, Mr. Clarke observed. "The government is not going to secure hospitals and banks and railroads -- they have to do it for themselves," he said.

Mr. Correa's industry group has spent much of the last year trying to ensure that the government's responses to the Sept. 11 attacks do not do more harm than good. "You're seeing Congress look for what appear to be quick fixes and really are not," he said. The group opposed, for example, well-intentioned early efforts by lawmakers that would have required federal agencies to upgrade computer security using very specific technologies obtained through strict government procurement guidelines. Under early drafts of legislation, for example, the National Institute of Standards and Technology was to specify the kinds of antivirus and firewall software and hardware that would be used in government systems. Mr. Correa's group feared that the specifications would quickly become outdated, because antivirus software, for instance, must evolve continually to keep pace with new kinds of threats. So Mr. Correa's group and others requested -- successfully -- that the bills specify only performance goals, like a requirement that any firewall software be able to block a certain number of intrusions a second, without defining how the software accomplishes that task. "You've got to make those security standards performance-based, not technology-based," Mr. Correa said, or "they will be outmoded in a week."

Mr. Correa's group is also fighting an administration plan to put a unit of the Commerce Department that helps set computer security standards, the Computer Security Division, into the new Department of Homeland Security -- a move that they argue would make that group less effective by blurring purely technical issues with military and law-enforcement agendas that could end up with worse, not better, technology.

His group has also tried to pave the way for greater cooperation among industries and the government on security issues. Those efforts have included legislative proposals for making sure that companies are willing to share information with the government by carving out exemptions in the Freedom of Information Act for such exchanges, so that information given voluntarily to the government about intrusions is not made public.

Mr. Hunt, the Giga Information analyst, sees reasons for optimism. "No security vendors are getting richer, and there are a lot of security problems yet to be solved," he said. But, he added, companies have begun to shift toward viewing security as an integrated business function and not merely the province of a "little cult in the corner of the I.T. department." In surveys conducted more than a year ago, only 30 percent of all companies said they had a person responsible for connecting security efforts with the actual risks of the business, he said. Now, nearly 90 percent do. "This is not a 200 percent improvement in spending," Mr. Hunt said. "It is an improvement in quality, meaning the haphazard approach to security management of the past -- an approach that left many holes -- is steadily being replaced by robust processes of detection and response."

Even Harris Miller says he is feeling less Sisyphean lately. "While there's been much more attention in the private sector, there's a long way to go," Mr. Miller said. "But I don't feel the exercise is as futile as it was a year ago. Now the need is to get the money spent."
This archive was generated by hypermail 2b30 : Tue Sep 10 2002 - 03:03:46 PDT