Feeling Insecure

Securing the Internet infrastructure that underpins corporate America has taken on a new urgency - some even call it a panic - as the nation moves deeper into its war on terrorism.

Securing the Internet infrastructure that underpins corporate America has taken on a new urgency - some even call it a panic - as the nation moves deeper into its war on terrorism.

Professionals in both information protection and traditional security say the sudden rush to find solutions underscores a change in a long-held attitude - confirmed by an American Institute for Industrial Security study three years ago - that "it cant happen here."

That attitude led many corporations to put security spending on hold, leaving vast holes in network protection just as Internet attacks on companies doubled.

But the Sept. 11 terrorist attacks and the ensuing barrage of government and intelligence community warnings about vulnerabilities of critical systems have washed away much of that complacency. In its wake is a growing movement among corporations to assess their security risks in detail, overhaul security budgets and protect themselves using both heightened traditional and high-tech methods.

"The response has been huge - unbelievable," said Caroline Hamilton, president and founder of Marylands RiskWatch, which does detailed risk assessments for large corporations and government agencies. "Ive never seen demand like this in the 10-year history of our company. Companies whove told us they dont have security problems are calling with their credit cards in hand."

Terrorist attacks or no, the latest numbers from the Computer Emergency Response Team Coordination Center, a security response group, should be enough to make I-managers review their Internet security. CERT last week said it has counted nearly 35,000 attacks and probes into company computers in the first nine months of this year.

At that rate, CERTs tally should top 46,000 for the year, more than double the 22,000 incidents reported last year.

But the Internet security landscape is strewn with unanswered questions. Can technological innovations themselves thwart cyberattacks, especially those launched by armies of terrorist hackers, who, many fear, could cripple the nations ability to deliver goods and services?

Are firewalls and virtual private networks enough to protect critical infrastructure and the privacy of data for customers and clients? Or do we face more draconian measures - like shutting off access to information systems for all but a companys most trusted employees?

And how do those responsible for information systems ensure that employees with access to sensitive systems - especially those that could affect public safety - are trustworthy?

In short, where are the holes that need to be filled, and what are the most important priorities?

The search for answers is taking place in corporate boardrooms, in e-mail musings between technology officers and engineers and on golf courses between information systems peers.

What is emerging, said Francis Juliano, chief technology officer of international business auction house DoveBid, is something less than consensus over how far corporations should go to protect themselves, their personnel and their clients.

"The Internet has become an appliance like the telephone, television and indoor plumbing," Juliano said. "We dont have to have it to live, but we have come to rely on it. To prevent attacks that can shut that system down relies on the collaborative efforts of everyone on the Internet to defend it.

"I talk to CIOs [chief information officers] and other CTOs of corporations, and there is a lot of concern. If the Internet goes down, there is no one person to fix it. And the issues are so far-reaching, so complex, where do you start?"