We've learned a lot since 9/11, but we must learn more.
Two years after Sept. 11, 2001, is the U.S. IT infrastructure a safer place to do business? If you ask the average home computer user whos trying to untangle the latest worms and viruses, the answer will be no. If you ask the corporate IT administrator whos trying to decipher the host of new regulations under which he or she now operates, the answer will be, "Maybe some day when I get all this straightened out." If you ask the vendor selling security products, the answer will be, "You get what you pay for." These answers are not good enough.
John Jordan, a principal in Cap Gemini Ernst & Youngs Office of the CTO for the Americas, described the problem this way: "The wide and disruptive impact of Slammer and then SoBig would suggest that American infrastructure is still vulnerable at four levels: carriers/ISPs, government,
business in general and peoples home machines. Of these four, the carriers are probably in the best shape right now, but still vulnerable, especially to a professional as opposed to amateur attack."
The issue of security breaks down into three areas: data security, computing platforms and networks.
In data security, both the federal government and the private sector realize that data needs to be secured first. The investment in data security in all its forms, including encryption, protection and redundancy, is one of the best IT investments you can make.
Market research company IDCs findings show that most IT users understand this. IDC predicted that the backup-and-recovery services market will grow from $3 billion in 2001 to $4.2 billion in 2006, at an annual growth rate of 6.9 percent. Companies have realized that in this age of standard computing platforms, it is much easier to restore your operations if you can move the restored data to a new platform. "I think the protection of data transmission and data itself has grown by quantum leaps," said Nelson Ramos, an eWEEK Corporate Partner and vice president and regional CIO of Sutter Health, in Modesto, Calif.
In computing platforms, theres plenty of room for improvement. Microsofts recent decision to increase its dividend is great for its shareholders. The companys Trustworthy Computing initiative may provide benefits that are realized in the next operating system a couple of years hence. But this is a company in a monopoly position sitting on billions in cash. When AT&T held a monopoly, it knew its primary duty was to ensure a dial tone when you picked up the phone. Microsoft would be well-advised to create an independent security organization with the clout to look at architectures including trusted operating systems, card-based security, and partitioned or sandbox designs.
If Sun and the Linux gang are to find any success in cracking the monopoly, it will be in ensuring security rather than trying to beat Microsoft in price or ease of use.
In data networks, there are multiple threats. There are dangers to the physical network that are usually characterized in terms of 25 terrorists armed with backhoes. There are dangers to the software that runs the networks and to the software that runs on them. Issues such as spam, identity theft, and masquerading viruses and bugs fall under the category of dangers related to the software running on the nets. The loss of trust and the disgust with the e-mail you receive is a more fundamental problem than many vendors realize. The ability to deliver a quality of service that allows the level of trust and security to rise with the level of service is overpromised and underdelivered.
In only one out of three major areasdata securityweve seen substantial and real improvement since 9/11. Thats not good enough.
Maybe the appointment of Symantec Vice President Amit Yoran as the nations new cyber-security chief will finally get that program moving forward, but one Washington insider involved in the National Strategy to Secure Cyberspace said so far the program has had no impact whatsoever. Thats not good enough, either.
Editor in Chief Eric Lundquists e-mail address is firstname.lastname@example.org.