There are no absolutes in security.” True-enough advice from Darwin John, a strategic adviser for Blackwell Consulting Services and previously CIO at the FBI. Recently, John spoke at a Security Summit hosted by eWEEK and addressed an expectation in upper corporate suites that security solutions can be treated as an absolute. For the technology managers in the room, the message was not new, but each year the difficulty of balancing security concerns with the need for open, Internet-enabled business operations becomes more, rather than less, difficult.
When I asked the summit audience if the race between IT and computer attackers is still neck and neck, as it was last year, the consensus was that the race remains even but that the pace has picked up considerably. Richard Clarke, former cyber-security czar for three presidential administrations and now a central figure in the political controversy over terrorism, gave the bad guys the lead during his afternoon keynote (more on that later). Recent events bolster Clarkes judgment.
A few days after the summit, Cisco executives found themselves embroiled in an apparent security breach related to the companys crown jewels. While Cisco officials remained tight-lipped, it seems that someone or some group figured out a way to nab a sizable chunk of the companys IOS (Internetwork Operating System) source code. The reason for the theft is unclear, but IOS is central to running much of the companys networking hardware. The theft comes as tough news for a company using network security as a sales message.
As our lead story—the first of a three-part series—this week explains, security increasingly involves organized criminal activities rather than the errant, misdirected deeds of computer hackers. As Blackwells John put it, a CIOs greatest fear is an intrusion the company is unaware of. Clarke said a company has to deal with both the whole and the parts of security simultaneously or risk being unaware of a burgeoning security problem. In Ciscos case, it was apparently unaware of a problem until it started getting calls from the media.
“Things are not getting better; they are getting worse” in the information security world, said Clarke at the summit. He cited the growing number of vulnerabilities and exploits, the increasing speed with which those exploits circle the globe and the growing sophistication of cyber-criminals as evidence of the worsening state of computer security.
To address this insecure computer environment, Clarke listed a range of initiatives the government and private industry should undertake.
The government should increase security funding at the research and development level; rework laws to build a comprehensive approach to cyber-crime regulation; expand broadband access and, more important, ensure that access is provided in a secure manner; and use the governments buying power to encourage encryption and software that meet security standards.
According to Clarke, private industry should make sure that software security is an integral part of the evaluation process and that multiple levels of authentication are part of the e-commerce environment. It should also take an active, rather than passive, role in advocating comprehensive, rational cyber-security programs from government at the local, state and federal levels. Companies need to designate someone to be responsible for cyber-security, Clarke said.
After a day of running panels and speaking with attendees, Id side with Clarke in contending that the bad guys are ahead at this stage of the cyber-security race. The expansion of wireless networks, handheld devices and high-speed connections is happening faster than vendors can patch and upgrade systems that were never designed for this range of services and worldwide access. Users still are demanding ease of access over security, and vendors are not requiring at least two levels of authentication for fear of losing business to competitors. New waves of technology, such as voice over IP and digital product tagging, will continue the expansion while security considerations will have to catch up. The upside is that private companies are committing budget dollars and personnel to cyber-security. I hope funding and resource allocation can get the race back to neck-and-neck status by next year.
Editor in Chief Eric Lundquist can be reached at [email protected]