The increasing number of Internet users has sparked a proportional increase in electronic commerce. Thrown into the mix is security, and we're not just talking about leaving the back door unlocked. Security issues are being looked at more than ever before, and conversations about procedural changes, crackers, costs, obstacles and encryption requirements are more than just casual.
Jody Westby is a senior fellow and director of information technology studies for The Progress & Freedom Foundation. She shared her thoughts on security.
Q: Four out of five federal government security managers didn't know whether their computers had been attacked by hackers. How difficult is it to detect intrusion and damage, and what measures should be in place to protect systems?
A: The difficulty of detecting system intrusions and damage is dependent upon the system protections that are in place, such as firewalls, encryption and security software, in addition to effective corporate procedures, such as routine monitoring, password changes and access restrictions to systems and data. Intrusion detection must be coupled with effective procedures and policies outlining steps to take in the event of security breaches and/or damage to data. The worth of detection is limited if, figuratively, everyone tromps through the crime scene with muddy boots. Effective security measures to limit or prevent intrusions or sabotage require governments to set their own security requirements and procedures, determine who has access to the network and databases, define the controls and security procedures governing access, conduct periodic monitoring of system use and regular security audits, establish on- and off-site storage of system backups, and specify procedures for handling system intrusions and preserving evidence.
Q: Jim Settle, the retired director of the FBI's computer crime squad, once said, "You bring me a select group of hackers and within 90 days I'll bring this country to its knees." How alarmed should we be about computer security today?
A: Very alarmed. There are about 17 million people globally with the skills to launch an attack on infrastructure. Two teen-age hackers invaded 11 sensitive government computer systems in what was labeled by Deputy Defense Secretary John Hamre as the most organized and systemic attack on U.S. defense networks in history. According to the 1998 Computer Crime and Security Survey conducted by the FBI and the Computer Security Institute, the theft of confidential or proprietary information cost U.S. businesses in 1998 an estimated $300 billion, with 64 percent of respondents reporting they had suffered a security breach within the last year. Government networks are especially vulnerable and are a more likely target for hackers than private sector entities, irrespective of the motive. Government executives, faced with transparency in government and public scrutiny, often cannot keep security breaches quiet, and risk major headlines and damage to the integrity of the agency with each instance.
Q: As use of the Internet increases, what sort of changes are you making to policies, procedures and funding for computer security within your organization?
A: Internet access is, without a doubt, one of the leading causes of security breaches. It creates a portal for outside access. Therefore, it is essential that adequate analysis of who will be allowed Internet access, and the installation of necessary system safeguards (firewalls, intrusion and detection software) and procedures, precede the actual Internet connection. Effective security policies involve coordinated and ongoing communication between the CIO, chief security officer, general counsel, top-level executives, the users of the system and human resources, irrespective of whether it is a government or corporate network. New security risks accompany government acceptance of electronic filings, e-commerce, utilization of digital signatures and certificate authorities, electronic data interchange and online interaction with citizens. Governments simply must devote adequate funding to implement -- and maintain -- the management and operation of a complete security program and to attract and keep well-trained personnel with high-tech skills.