The Promise of Security

As the U.S. government nears opening day for the Homeland Security Department, eWEEK Labs examines corporate users' security concerns and vendors' changing perceptions.

As the U.S. government nears opening day for the Homeland Security Department, IT buyers and users may wonder how the landscape of computer and network security will be changed by the government's actions—as well as by the continuing development of attackers' methods and security vendors' innovations.

The previously separate worlds of public safety and foreign intelligence are converging on the evening news. The result appears in high-profile law enforcement actions, such as the investigation of Ptech Inc., of Quincy, Mass., late last year. It also appears in the invasive (and for IT vendors, potentially lucrative) information processing demands of laws such as the tortuously named USA PATRIOT Act, whose moniker abbreviates "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism."

Private-sector IT managers are justifiably concerned about the impact of these intrusive new rules, especially when combined with the Beltway's business-as-usual faction fighting—which threatens to impede the March 1 startup of the Department of Homeland Security due to struggles over whose people get which top jobs.

In this report, eWeek Labs examines corporate users' security perceptions and concerns and explores IT vendors' changing perception of the problems to be solved and their planned responses in corresponding products and services.

The international scope of the Internet greatly complicates the challenge of government response. "I write a virus in South America, I use a zombie in Japan, I attack targets in the U.S.," hypothesized Vincent Weafer, senior director of Symantec Security Response at Symantec Corp., in Santa Monica, Calif. "It's hard enough to write a law that's not obsolete 2 minutes later, without the complication of normalizing laws across the various countries."

Brian Kelly, CEO at private security intelligence company iDefense Inc., in Chantilly, Va., suggested that governments can enable security by permitting or aiding international efforts but that they can't produce it or even define it in law. "The government should provide some leadership and guidance, not get caught up in a lot of unnecessary legislation," Kelly said. "That leads to auditors, bureaucracy, that I believe will ultimately be counterproductive."

Nor is this just a case of security vendors protecting their own competitive arena. Enterprise users with whom eWeek Labs spoke were equally leery of government-directed computer security efforts.

"With the government trying to limit encryption technology exports and so on, they seem to be more of a hindrance than help," said Ed Benincasa, director of MIS at FN Manufacturing Inc., in Columbia, S.C., and an eWeek Corporate Partner. "Many companies such as ourselves are multinational, and country lines begin to blur. Technology is also being developed in many other countries—limits may put a damper on U.S. competitiveness."

Michael Schwedhelm, senior vice president and CIO at United Labor Bank, in Oakland, Calif., and also an eWeek Corporate Partner, doesn't see the necessary cultural fit between the dynamic security environment and the responsiveness of legislators and regulators.

"I feel more comfortable and confident about centralized private and semi-private organizations like CERT, SANS and BugTraq," Schwedhelm said.

Symantec's Weafer downplayed the need for government anti-terrorism agencies to focus on cyber-warfare. "It's not 9/11 but 9/18—that was the key date," he said about the Nimda outbreak just one week after the World Trade Center and Pentagon terrorist attacks. "Don't waste a lot of time wondering who's going to attack. Most of the attacks use the same techniques."

But the government does have one credible role, and that's in enforcement.

"It used to be that auditors came in once a quarter, did what they had to do and went away; IT got ready for that visit, entertained them and then got back to work," said Steve Artick, vice president at Pedestal Software Inc., in Newton, Mass. "Now there's a lot more interaction and a much higher management interest in assuring that operations take place in a secure manner because [the Health Insurance Portability and Accountability Act] hits people with massive penalties if they don't comply with regulations."

This increased interaction and accountability make the cost justification for security tools more concrete than earlier speculation about potential threats or failures ever did.