Forwarded from: Chris Wysopal <cwysopalat_private> http://www.economist.com/surveys/displayStory.cfm?story_id=1389589 Oct 24th 2002 From The Economist print edition Digital security, once the province of geeks, is now everyone's concern. But there is much more to the problem - or the solution - than mere technology, says Tom Standage WHEN the world's richest man decides it is time for his company to change direction, it is worth asking why. Only rarely does Bill Gates send an e-mail memo to the thousands of employees at Microsoft, the world's largest software company, of which he is chairman. He famously sent such a memo in December 1995, in which he announced that Microsoft had to become "hardcore" about the Internet. In January this year Mr Gates sent another round-robin. Its subject? The importance of computer security. Until recently, most people were either unaware of computer security or regarded it as unimportant. That used to be broadly true, except in a few specialised areas - such as banking, aerospace and military applications - that rely on computers and networks being hard to break into and not going wrong. But now consumers, companies and governments around the world are sitting up and taking notice. Why? The obvious answer seems to be that last year's terrorist attacks in America have heightened awareness of security in all its forms. But the deeper reason is that a long-term cultural shift is under way. Digital security has been growing in importance for years as more and more aspects of business and personal life have come to depend on computers. Computing, in short, is in the midst of a transition from an optional tool to a ubiquitous utility. And people expect utilities to be reliable. One definition of a utility, indeed, is a service that is so reliable that people notice it only when it does not work. Telephone service (on fixed lines, at least), electricity, gas and water supplies all meet this definition. Computing clearly does not, at least not yet. One of the many prerequisites for computing to become a utility is adequate security. It is dangerous to entrust your company, your personal information or indeed your life to a system that is full of security holes. As a result, the problem of securing computers and networks, which used to matter only to a handful of system administrators, has become of far more widespread concern. Computers are increasingly relied upon; they are also increasingly connected to each other, thanks to the Internet. Linking millions of computers together in a single, cloud-like global network brings great benefits of cost and convenience. Dotcoms may have come and gone, but e-mail has become a vital business tool for many people and an important social tool for an even larger group. Being able to access your e-mail from any web browser on earth is tremendously useful and liberating, as both business travellers and backpacking tourists will attest. Corporate billing, payroll and inventory-tracking systems are delivered as services accessible through web browsers. Online shop fronts make it fast and convenient to buy products from the other side of the world. The price of openness The flip side of easy connectivity and remote access, however, is the heightened risk of a security breach. Bruce Schneier, a security expert, points out that when you open a shop on the street, both customers and shoplifters can enter. "You can't have one without the other," he says. "It's the same on the Internet." And as music, movies, tax returns, photographs and phone calls now routinely whizz around in digital form, the shift from traditional to digital formats has reached a critical point, says Whitfield Diffie, a security guru at Sun Microsystems: "We can no longer continue this migration without basic security." The September 11th attacks, then, reinforced an existing trend. Government officials, led by Richard Clarke, America's cyber-security tsar, gave warning of the possibility that terrorists might mount an "electronic Pearl Harbour" attack, breaking into the systems that control critical telecommunications, electricity and utility infrastructure, and paralysing America from afar with a few clicks of a mouse. Most security experts are sceptical, but after spending years trying to get people to take security seriously, they are willing to play along. Scott Charney, a former chief of computer crime at the Department of Justice and now Microsoft's chief security strategist, says Mr Clarke's scare-mongering is "not always helpful, but he has raised awareness." The terrorist attacks certainly prompted companies to acknowledge their dependence on (and the vulnerability of) their networks, and emphasised the importance of disaster-recovery and back-up systems. A survey of information-technology managers and chief information officers, carried out by Morgan Stanley after the attacks, found that security software had jumped from fifth priority or lower to become their first priority. "It's moved up to the top of the list," says Tony Scott, chief technology officer at General Motors. "It's on everybody's radar now." The growing emphasis on security over the past year or two has been driven by a combination of factors, and has shown up in a variety of ways. Chris Byrnes, an analyst at Meta Group, a consultancy, notes that the proportion of his firm's clients (mostly large multinational companies) with dedicated computer-security teams has risen from 20% to 40% in the past two years. He expects the figure to reach 60-70% within the next two years. Previously, he says, it was financial-services firms that were most serious about security, but now firms in manufacturing, retailing and other areas are following suit. One important factor is regulation. Mr Byrnes points to the change made to American audit standards in 1999, requiring companies to ensure that information used to prepare public accounts is adequately secured. This has been widely interpreted, with the backing of the White House's critical-infrastructure assurance office, to mean that a company's entire network must be secure. Similarly, the April 2003 deadline for protecting patients' medical information under the Health Insurance Portability and Accountability Act (HIPAA) has prompted health-care providers, pharmaceutical companies and insurers to re-evaluate and overhaul the security of their computers and networks. In one recent case, Eli Lilly, a drug maker, was accused of violating its own online privacy policy after it accidentally revealed the e-mail addresses of 669 patients who were taking Prozac, an anti-depressant. The company settled out of court with America's Federal Trade Commission and agreed to improve its security procedures. But once HIPAA's privacy regulations come into force, companies that fail to meet regulatory standards will face stiff financial penalties. The same sort of thing is happening in financial services, where security is being beefed up prior to the introduction of the Basel II bank-capital regulations. The growth of high-profile security breaches has also underlined the need to improve security. The number of incidents reported to Carnegie Mellon's computer emergency response team (CERT), including virus outbreaks and unauthorised system intrusions, has shot up in recent years (see chart 1) as the Internet has grown. The "Love Bug", a virus that spreads by e-mailing copies of itself to everyone in an infected computer's address book, was front-page news when it struck in May 2000. Many companies, and even Britain's Parliament, shut down their mail servers to prevent it from spreading. There have been a number of increasingly potent viruses since then, including Sircam, Code Red and Nimda, all of which affected hundreds of thousands of machines. The latest, called Bugbear, struck only this month. Viruses are merely one of the more visible kinds of security problem, but given the disruption they can cause, and the widespread media coverage they generate, such outbreaks prompt people to take security more seriously. Fear, sex and coffee Spending on security technology grew by 28% in 2001 compared with the year before, according to Jordan Klein, an analyst at UBS Warburg. Mr Klein predicts that spending will continue to grow strongly over the next few years, from around $6 billion in 2001 to $13 billion in 2005 (see chart 2). A survey carried out by Meta Group in August found that although only 24% of firms had increased their technology budgets in 2002, 73% had increased their spending on security, so security spending is growing at the expense of other technology spending. This makes it a rare bright spot amid the gloom in the technology industry. Steven Hofmeyr of Company 51, a security start-up based in Silicon Valley, says his company is pushing at a wide-open door: there is no need to convince anyone of the need for security technology. Indeed, Nick Sturiale of Sevin Rosen, a venture-capital fund, suggests that security is already an overcrowded and overfunded sector. "Security is now the Pavlovian word that draws the drool from VCs' mouths," he says. Security vendors are really selling fear, he says, and fear and sex are "the two great sales pitches that make people buy irrationally". So, a bonanza for security-technology firms? Not necessarily. The sudden interest in security does not always translate into support from senior management and larger budgets. A recent report from Vista Research, a consultancy, predicts that: "While the need to protect digital assets is well established, companies will pay lip service to the need to invest in this area and then largely drag their feet when it comes to capital spending on security." Even where security spending is increasing, it is from a very low base. Meta Group's survey found that most companies spend less than 3% of their technology budgets on security. Technology budgets, in turn, are typically set at around 3% of revenues. Since 3% of 3% is 0.09%, most firms spend more on coffee than on computer security, according to a popular industry statistic. The purse strings loosen only when companies suffer a serious security breach themselves, see one of their rivals come under attack or are told by auditors that lax security could mean they are compromising due diligence. Jobs on plates Mr Byrnes notes another factor that is impeding growth of the security market: a shortage of senior specialists. For much of the past year, he says, "There was more security budget than ability to spend it." John Schwarz, president of Symantec, a security firm, puts the number of unfilled security jobs at 75,000 in America alone. As a result, the security boom widely expected last year has yet to materialise. But Mr Hofmeyr reckons that the increase in security spending is just starting to kick in. Given the new interest in security, established technology firms, which have seen revenues plunge as firms slash technology spending in other areas, are understandably keen to jump on the bandwagon alongside specialist security vendors. Sun's advertisements boast: "We make the net secure." Oracle, the world's second-largest software firm, has launched a high-profile campaign trumpeting (to guffaws from security experts) that its database software is "unbreakable". Whether or not this is true, Oracle clearly regards security as a convenient stick with which to bash its larger arch-rival, Microsoft, whose products are notoriously insecure - hence Mr Gates's memo. It suits vendors to present security as a technological problem that can be easily fixed with more technology - preferably theirs. But expecting fancy technology alone to solve the problem is just one of three dangerous misconceptions about digital security. Improving security means implementing appropriate policies, removing perverse incentives and managing risks, not just buying clever hardware and software. There are no quick fixes. This survey will argue that digital security depends as much—if not more - on human cultural factors as it does on technology. Implementing security is a management as well as a technical problem. Technology is necessary, but not sufficient. A second, related misperception is that security can be left to the specialists in the systems department. It cannot. It requires the co-operation and support of senior management. Deciding which assets need the most protection, and determining the appropriate balance between cost and risk, are strategic decisions that only senior management should make. Furthermore, security almost inevitably involves inconvenience. Without a clear signal from upstairs, users will tend to regard security measures as nuisances that prevent them from doing their jobs, and find ways to get around them. Unfortunately, says Mr Charney, senior executives often find computer security too complex. "Fire they understand," he says, because they have direct personal experience of it and know that you have to buy insurance and install sensors and sprinklers. Computer security is different. Senior executives do not understand the threats or the technologies. "It seems magical to them," says Mr Charney. Worse, it's a moving target, making budgeting difficult. A third common misperception concerns the nature of the threat. Even senior managers who are aware of the problem tend to worry about the wrong things, such as virus outbreaks and malicious hackers. They overlook the bigger problems associated with internal security, disgruntled ex-employees, network links to supposedly trustworthy customers and suppliers, theft of laptop or handheld computers and insecure wireless access points set up by employees. That is not surprising: viruses and hackers tend to get a lot of publicity, whereas internal security breaches are hushed up and the threats associated with new technologies are often overlooked. But it sets the wrong priorities. Detective stories A final, minor, misperception is that computer security is terribly boring. In fact, it turns out to be one of the more interesting aspects of the technology industry. The war stories told by security consultants and computer-crime specialists are far more riveting than discussion of the pros and cons of customer-relationship management systems. So there really is no excuse for avoiding the subject. Anyone who has not done so already should take an interest in computer security. Unfortunately there is no single right answer to the problem. What is appropriate for a bank, for example, would be overkill for a small company. Technology is merely part of the answer, but it has an important role to play, so that is where this survey will start. - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Wed Oct 30 2002 - 01:29:39 PST