Battening Down Security Hatches

Federal government to push standards on agencies and private industry.

As companies continue to grapple with security and disaster recovery concerns brought about by the Sept. 11 terrorist attacks, the federal government is considering a broad set of security standards that it will push its agencies and private industry to follow.

Last week, the Business Software Alliance, at its Global Tech Summit in Washington, issued a "Cyber Security Blueprint" to guide collaborative government and industry initiatives. The proposals include greater investment in enhanced security tools, federal research and development investment in security technology, and increased criminal penalties against computer crimes.

While there's much debate over the shape of the proposals, no one is disputing that something like this must be done. There had been much talk even before Sept. 11 of a so-called cyber-terrorist event that would serve as a wake-up call to CIOs and security administrators.

"Is there the potential for some sort of big event? Absolutely. Yes," said George Samenuk, CEO of Network Associates Inc., who was in New York to attend the InfoSecurity Conference last week. "I think we're naive if we don't believe it can happen. A year ago, people thought they were prepared, but the events of the past year have shown us that's not true. We're ill-prepared."

During both series of meetings last week, top government officials including Vice President Dick Cheney and U.S. Attorney General John Ashcroft expressed grave concerns about the security of the nation's government and corporate networks. They made it clear that they will not wait for a disastrous cyber-security event to take place before acting.

"The threat is taken very seriously within the government," said Samenuk, who attended the meetings in Washington last week. "There's no doubt in my mind that they're going to do something."

While the form of the proposed government guidelines has not been determined, Samenuk said there will likely be a government/industry panel overseeing the issue.

Observers said it's important that the government concentrate on the nation's critical infrastructure and not overstep its bounds by trying to impose rules on the private sector. But the policies will need buy-in from all affected organizations for them to succeed.

"The key to national infrastructure protection is a grass-roots movement with people devoted to a common cause," said Steve Hunt, an analyst at Giga Information Group Inc., in Chicago. "It's an achievable goal, and it won't cost a fortune."

Indeed, despite the numerous government warnings and continued security incidents such as last week's rampaging Goner worm, Samenuk and others said they still believe that awareness of the vulnerability of corporate and government networks is low. That, they said, is a major impediment to any large-scale effort to fix the problem.

"The immediate threat is low, but the long-term one is high," said Charles Neal, vice president of cyber-terrorism detection and response at Exodus Communications Inc., in El Segundo, Calif., and a former FBI agent. "It's coming."

Neal said another difficulty with combating cyber-terrorism is the lack of information about the few events that have taken place.

"No one wants to raise their hand and say that they were hit, so we never know what happens," Neal said. "I'd say fewer than 3 percent of our customers report incidents like that."

"The strength of security is not the issue," said William Conner, president and CEO of Entrust Inc., at the summit. "It's the attributes of security and the life cycle of security."

Industry luminaries, while eager to join government initiatives to strengthen cyber-security, are not without reservations regarding some of the government's proposed measures, including the so-called Magic Lantern surveillance technology. Magic Lantern is a series of surveillance tools under development by federal law enforcement officials. The tools are essentially a combination of existing technologies that can be remotely installed on a suspect's computer to monitor keystrokes, passwords and other PC activity.

"It fundamentally creates an opportunity for a back door to be implemented in software," said John Thompson, chairman, CEO and president of Symantec Corp., about Magic Lantern. "I think, quite frankly, that's the start of a slippery slope."

Discussing the government's increased electronic surveillance powers enacted since Sept. 11, Eric Schmidt, chairman and CEO of Google Inc., said, "It's OK as long as there's a judge involved to issue an order. Where we get into trouble is where the software snarfs everything up in the world."

Newt Gingrich, former speaker of the U.S. House of Representatives and current CEO of The Gingrich Group, in Atlanta, told attendees of the InfoSecurity Conference that government and corporate networks will be the targets of new and varied threats in the coming years that aren't even on the map yet.

"You should scan very widely and look for disruptive systems because they give us the capability to shift to a real-time information environment," Gingrich said. "As information becomes worldwide, you will have threats from overseas, and we have to pay the kind of systematic attention to security that you would if you were opening a bank in a huge intersection."