Hardening the Nets Defenses

Ruminations on the future of information technology tend to be optimistic homilies, cheerful predictions of nothing but the goodness of faster, cheaper and more useful computers. The future of Internet security, however, is a much different story.

Ruminations on the future of information technology tend to be optimistic homilies, cheerful predictions of nothing but the goodness of faster, cheaper and more useful computers.

The future of Internet security, however, is a much different story.

The forecast on this front isnt for blue skies — its more like a tornado warning. The number of vulnerabilities in and attacks against the Internets infrastructure is growing at an alarming rate. Every week seems to bring a new and more diabolical worm or virus. In 2000, the Computer Emergency Response Team Coordination Center at Carnegie Mellon University, a security information clearinghouse, received 1,090 vulnerability reports -- more than double the number from the previous year. In the first half of 2001, CERT had already received 1,151 reports, and officials expect more than 2,000 by the end of this year.

"Things will continue to get worse for the foreseeable future," says Bruce Schneier, chief technology officer of security consulting firm Counterpane Internet Security. "Systems are getting more complex faster than they are getting more secure. What businesses need to do is to manage their risks."

The complexity of computer systems is a key culprit: The average Web site today runs on 40 million lines of code, says David K. Black, manager of Accentures security practice. Its extraordinarily difficult for code writers and their customers to keep up with all the vulnerabilities that could crop up in such a complicated system, he says.

While the most damaging security threats are still launched from a companys own internal network, the volume of Internet attacks is getting heavier. An Internet subculture that includes mischief makers and cybercriminals seems to be growing. In a survey this summer of 325 U.S. companies and government agencies, IDC found that 75 percent of security threats came from external sources, compared with 45 percent from external sources in 2000 -- results that surprised Chris Christiansen, IDCs principal Internet security analyst.

"Wed heard anecdotally that the number of people out there hacking is enormous," Christiansen says. "The number of probes, pings and scans is unbelievable. It used to be something like three a day. Now its more like 100."

Whats more, says Christopher W. Klaus, founder and CTO of Atlanta-based Internet Security Systems, those in the hacker underground are growing more sophisticated.

"Two years ago, the virus writers and the hackers were completely different communities. Now those skill sets are coming together," Klaus says. "Weve been lucky because most of the attackers writing these programs have been doing it for ego, to show the world they can spread their virus as far as possible." But after the Sept. 11 attacks against the U.S., "now were aware that not everyone in the world has such benign intentions."

Will things ever get better? Or will the Internet become a permanent black hole of attacks and leaky software? Security experts say the threats will level off, particularly as companies spend more time and energy sealing their electronic borders.

Accentures Black says that more computer science students today are being taught important concepts of fundamental security -- which means computer systems in the future will incorporate security from the beginning. But, he adds, "as long as software is written by human beings, there will be mistakes in the software, and there are bad people who are willing to exploit them."

There are other encouraging developments. In virtually every organization, the issue of security -- physical security as well as data security -- has moved to the fore after the deadly terrorist attacks last month. Add to that the high-profile Nimda and Code Red worm epidemics, and now data security is becoming a boardroom topic of urgent concern. "I dont know of anyone who is not re-evaluating their security practices today," says Stuart Campbell, partner in charge of KPMGs information risk management practice.

Even before the terrorist strikes, security spending was expected to jump tenfold within a decade. According to a Gartner report released in June, U.S. companies today spend an average of 0.4 percent of their revenue on information security, but that will rise to 4 percent of revenue by 2011.

Data security professionals are also hoping to see for new laws that should help deter criminal behavior online. "Right now, there is almost no prosecution on the Internet, and hackers know this," Counterpanes Schneier says. In light of the Sept. 11 attacks, analysts expect legislators to initiate a serious crackdown on computer crime, passing stiff new laws in the months ahead.

"The criminalization of even petty hacking will rise," IDCs Christiansen says. "The U.S. government is going to go after people who threaten the national information infrastructure with a vengeance."

Senior Writer Brian Ploskina contributed to this report.