Who should bolster cyber protections?

By KELLY HEARN   |   Nov. 16, 2001 at 4:20 PM
share with facebook
share with twitter

WASHINGTON, Nov. 16 (UPI) -- Oh, how things change.

Once championed as a bastion of openness and anonymity, the Internet has evolved into a highly traceable cataloger of the minutiae of human habits. And despite having decentralized markets, broadened access to information and even emboldened revolutions (see Serbia, Chiapas, Indonesia), the global network has exacerbated consumerism, accommodated prurient longings (much of it involving exploited children) and provided a global megaphone to the world's lunatics.

Now, as its user base swells alongside its interconnection to critical infrastructure systems, officials in government and industry believe the Internet has become a potential weapon of mass destruction.

According to the Washington-based industry trade group Electronic Industries Alliance, private companies own 80 percent of the global network. And thanks to the Internet's design, instability of one network can quickly mean instability of all.

So, the question is, who should shore up the nation's computer networks against criminal and terrorist attack? The companies that routinely design software products with convenience rather than security as a guide? Or a government with an overlapping and confusing regulatory system, one that often maintains outdated and vulnerable computer systems?

According to a range of experts, the answer is likely to be a mix of both, but there's little agreement on exactly which side should weigh more in that public/private effort.

Experts widely acknowledge that companies should share information about attacks and system vulnerabilities, both with government and other companies. To make that process more attractive, Microsoft and other industry leaders, including the EIA, have called for an exception to the Freedom of Information Act for cyber security information that a private company voluntarily shares with the government.

Besides information exchange, software makers should reconsider how they design their products, say experts, focusing on security rather than convenience. The former director of NPIC, Michael Vatis, in a recent interview with National Public Radio said industry should "step back and see if there's a way to fundamentally design the way software is made and the way the Internet is structured so that we can have security imbedded from the foundation up."

"(For software makers) it's all about time to market and ease of use, not security," said Dave Wreski, CTO of Guardian Digital, a company in Upper Saddle River, N.J., that deals with Linux-based computer security systems. "Major players like Sun, Microsoft, Oracle and Linux should work together to make sure their software has gone through sanity checks and matched a common set of security criteria. They together could define a trusted standard that all software must pass."

Wreski told United Press International in a telephone interview that industry is unlikely to voluntarily agree to make such a standard and the federal government should step in.

"The government needs to make sure major players are doing it," he said. "They have to force them. Otherwise they won't do it."

Rep. Cliff Sterns, R-Fla., who chairs a House energy and commerce subcommittee, told UPI the government should consider making a safety standard for government networks, one that private government contractors could be held to.

"There needs to be a standard," he said.

Microsoft would rather see standards and enhancements come from within industry.

Howard Schmidt, chief security officer for Microsoft, told a panel of House lawmakers Thursday the federal government can facilitate private efforts to bolster security but said, "voluntary cooperation and industry-led initiatives will work best to address computer security issues."

He noted in-house efforts recently undertaken by Microsoft, including a Strategic Technology Protection Program to better train it's developers and generally boost the software giant's offerings. Schmidt also said the government should stiffen penalties for hacker and increase the number of computer savvy cops.

Marry Ann Davidson of Oracle Corporation told the same House panel Thursday that security is the responsibility of consumers and companies, and each should work together to create "a culture of security."

"Consumers of information technology need to be discriminating. They must make security a purchasing criteria," she said.

Davidson stressed that "vendors of information technology need to cooperate on security standards to facilitate the growth of secure systems and commit to a secure product life cycle." She also noted that ironically "benign computer hackers" who break into networks simply for bragging rights could be a tool for network security specialists.

"The more (benign) hackers expose product vulnerabilities and contact the vendors whose products they so creatively break into, giving them time to address the vulnerabilities, the more secure the resulting product is," she said. "It is not too far fetched to think that a 'cybercorp of hackers' can measurably help secure the nation's critical infrastructure against the hackers of a malicious foreign power."

Rep. Sterns told UPI that in the long run the government should try to establish such a cybercorp to ferret out network vulnerabilities.

Even before Sept 11, the federal government has worked with the private sector to shore up computer defenses. The SANS Institute, a computer research organization, and the FBI's National Infrastructure Protection Center work together to continuously update a list of the Internet's Ten Most Critical Internet Security Vulnerabilities. And the National Infrastructure Assurance Council, of which Microsoft's Bill Gates is a member, advises the president in part on how the public and private sectors can work together to thwart cyber attacks.

But such programs aren't enough for some, including Dick Brown, chairman and chief executive officer of Electronic Data Systems, a well-known Dallas-based provider of data storage and information security. In a speech Tuesday at the Comdex technology trade show in Los Vegas, Brown said the federal government should spend more on the nation's computer infrastructure. He said the bulk of funds allocated for computer security since Sept. 11 had been aimed at the military sector and not for the U.S. information infrastructure.

"This is ironic, given it was this infrastructure that kept America working following the attacks on our physical assets," Brown said. "We are just as vulnerable today to an electronic Pearl Harbor."

Related UPI Stories
Trending Stories