(Part of UPI's Special Report on Sept. 11)
WASHINGTON (UPI) -- Although the Sept. 11 attacks focused a crush of attention on the country's vulnerability to terrorism in many forms, America's computer security largely remains unimproved, industry-watchers told United Press International.
Furthermore, much of the effort that has gone into defending against cyberattacks probably has been ineffective, said French Caldwell, a vice president at Gartner Group, an information technology analysis company in Stamford, Conn.
"Less than 1 percent of the attacks actually originate within the 'Axis of Evil,' so does 9/11 really present any new reason to build a cyberdefense?" Caldwell asked during a recent Gartner conference on the topic. "Most of the vulnerabilities from a cybersecurity standpoint can be closed with current technologies."
In the year since the attacks on the World Trade Center and the Pentagon, people have waited for the other shoe to drop in cyberspace, said Shawn Hernan, team leader for vulnerability handling at Carnegie Mellon University's CERT Coordination Center in Pittsburgh, which issues computer vulnerability warnings.
"There hasn't been anything terrorism-related in what we've seen," Hernan told UPI. "It's still possible, however, that a cyberattack could occur in conjunction with a physical one."
The greatest and least addressed vulnerability lies with existing software, Hernan said. Programmers still are too complacent about hacker skills. Despite the wealth of information available to would-be attackers online, cybersecurity tends to be an afterthought, not a key element of proper programming, he said.
The past year failed to yield any fundamental gains in computer security, according to Hernan. If the cyber equivalent of a Sept. 11 attack occurred, the information technology industry would need months or even years to respond appropriately, he said.
Corporate chief security officers, or CSOs -- positions that have proliferated over the past year -- are well-acquainted with the cyber threat, said Lew McCreary, editor in chief of the just-debuted CSO magazine.
"You can't spend all your time worrying about al Qaida coming through the firewall, when it's the person a couple of cubicles down from you that could do the real damage," McCreary told UPI.
A recent poll by the magazine revealed 53 percent of CSOs regard current employees as more of a threat to security than former workers or hackers, he said.
About a quarter of the companies polled reported no losses from cybercrime. Another 25 percent said they have lost less than $100,000. Nevertheless, the average corporate security budget reported in the poll is $8.4 million.
That number could increase, chief information officers told CIO magazine, a sister publication to CSO. About 56 percent of executives expect to spend more on security software in the coming months, said Gary Beach, CIO's publisher. Such spending has remained a top priority ever since the magazine began polling on the issue in January.
"What has happened is there's this focus on security, but it's only a means to an end," Beach told UPI. "(Companies) understand they have to put security measures in place so their business can continue in light of a cyberattack or an infrastructure attack."
About 88 percent of those polled by CIO understand new technology alone will not stop an attack, Beach said. But business is up for makers of firewalls -- software meant to close unauthorized avenues of communication.
There is a disconnect between business and security needs, said CERT's Hernan. More and more communications are being conducted over channels that firewalls cannot block or monitor adequately. Internet-based applications, which form vital communications links for widely dispersed corporations, create significant problems for firewalls.
Computer security officials face a multi-pronged challenge, CIO's Beach said. They must balance their approaches among management and employees, corporate partners and clients, he said. Firewalls can complicate that balancing act.
Many CIOs are trying to improve satisfaction among both customers and employees as a way of enticing both constituencies to help in the security effort. They also want to reduce the pool of potential disgruntled users who might attempt to damage the system, he said.
The Year 2000 problem -- ensuring computer clocks would not switch mistakenly from Dec. 31, 1999, to Jan. 1, 1900 -- provided an unexpected advantage in the quest for greater security, McCreary said. The corporate response to Y2K has been extremely helpful to CSOs looking to get senior management on board the cybersecurity bandwagon.
Companies always have focused on spending money to improve their product, but the Y2K situation demonstrated how valuable it is to prepare for possible harm to the system, he said. Corporate commitment to computer security is part of any successful plan. Conversely, internal politics and culture can be as great an obstacle as out-of-date equipment. Instead of creating a blanket policy, companies should examine all their activities, determine the risks involved with each and construct rational plans to solve each problem, he said.
An upcoming CSO article examines how security problems with computers and their networks can extend into the physical world. The magazine suggests steps companies with large collections of computer hardware can take to head off such problems. They can control vehicle access near a vital facility or install safety glass on a building's exterior to help defend against a bomb attack, for example.
The idea of losing money from a cyberattack is relatively new, so it is difficult for companies to insure themselves against such a possibility, said Robert Hunter, director of insurance at the Consumer Federation of America. This situation existed before Sept. 11, which exacerbated the problem, but conditions could improve as the concept of cybersecurity insurance matures, he said at a recent CFA news conference.
"It's clear that anything with a question mark -- smaller lines, newer lines -- is going to have trouble," Hunter said. "That's particularly true of cyber, there's a lot of fear there ... that will work its way out as the market eases and profits rise."
The near-term future does not look particularly bright in terms of new ways to fight cyberterror, Gartner's Caldwell told UPI. The companies most likely to develop innovative solutions are small and have little or no clue how to get their ideas considered amid the ponderous acquisition cycle of the government, which is the best market for information technology, he said. Large companies most familiar with the system are unlikely to risk their existing business on radical ideas, he said.
"It's going to be a very, very long time before we see the payoff in new innovations specifically directed at (cyber) security," Caldwell said.