http://www.siliconvalley.com/mld/siliconvalley/5147205.htm
By Miguel Helft
February 10, 2003

Just two weeks ago, a nasty little piece of software known to security experts as an Internet "worm" wreaked havoc in parts of cyberspace. "Slammer," as the worm was dubbed, went beyond the usual disruptions to e-mail and Web sites: It crippled 911 systems near Seattle, disabled Bank of America ATMs, and gummed up ticketing systems at Continental Airlines.

The attack exploited a well-known flaw in a Microsoft database program. Microsoft had issued a software "patch" to fix the flaw six months earlier. Computers that had the patch were not directly affected. Ironically, some of Microsoft's own computer servers did not have the patch and were overwhelmed by Slammer.

That such an attack took place was no surprise to most security experts. But that the relatively simple worm -- Richard Clarke, who just retired as head of the National Strategy to Secure Cyberspace, called it "dumb" and "cheaply made" -- could take its toll on electronic systems that many believed to be beyond the Internet should worry everyone.

"More sophisticated attacks against known vulnerabilities in cyberspace could be devastating," Clarke said. "We cannot assume that the past level of damage is in any way indicative of what could happen in the future."

Making cyberspace more secure is not easy. The global network grew up as a freewheeling medium that allowed anyone and anything to connect. Without profound changes in how computer products are built and how networks are maintained, it will remain vulnerable.

"We are making systems so complex that when they fail, they fail in a major way," says Eugene H. Spafford, a computer science professor at Purdue University specializing in security.

But better technology alone will not suffice. Making cyberspace safer will require policy changes that affect the economic forces driving technology decisions.
Companies view security as just any other business risk and make security decisions to minimize costs, says Bruce Schneier, chief technology officer of Counterpane Internet Security. As long as the costs of ignoring security outweigh the benefits of extra security, little will change.

Schneier makes a compelling argument that enforcing liability both for making shoddy software and for not protecting networks could be the single most important step to improve security.

"Liability changes everything," Schneier wrote in an essay. It will force companies to rethink their priorities in product development, which currently emphasize new features over security and robustness. And it will force companies to be better guardians of their own networks and their customers' data.

Liability enforcement will also spawn an insurance industry to help businesses manage liability risk. That industry, in turn, will demand better security. "A company doesn't buy security for its warehouse because it makes it feel safe," Schneier wrote. "It buys that security because its insurance rates go down."

Finally, liability will help establish minimally accepted standards and processes for developing products and securing networks.

Spafford recommends a similar approach. "You could set up a tax credit for companies that invest in certain kinds of security technology," he says. Or we could hold liable a company that uses software known to be insecure, just like we hold liable a contractor who "builds a new factory out of flammable wood, not steel."

After all, Internet security is a bit like public health. If you don't protect yourself against disease, you are not only putting yourself at risk, but others as well.

Unfortunately, Clarke's recommendations, expected to be unveiled soon, are not likely to endorse any such approaches. Following pressure from the tech industry, which recoils at the idea of mandates, the plan has been watered down.
"We've gone from mandates, to recommendations, to suggestions," Spafford says.

Policymakers have been right to be cautious. In a field so complex, the wrong approach could easily make things worse, not better. And no one likes to increase the cost of doing business -- at least not until they realize that the costs of a crippling attack could prove to be far greater.

Miguel Helft is a Mercury News editorial writer.

-
ISN is currently hosted by Attrition.org
This archive was generated by hypermail 2b30 : Tue Feb 11 2003 - 10:47:19 PST