The increasing number of Internet users has sparked a proportional increase in electronic commerce. Thrown into the mix is security, and we're not just talking about leaving the back door unlocked. Security issues are being looked at more than ever before, and conversations about procedural changes, crackers, costs, obstacles and encryption requirements are more than just casual.
Jody Westby is a senior fellow and director of information technology studies for The Progress & Freedom Foundation. She shared her thoughts on security.
Q: Four out of five federal government security managers didn't know whether their computers had been attacked by hackers. How difficult is it to detect intrusion and damage, and what measures should be in place to protect systems?
A: The difficulty of detecting system intrusions and damage is dependent upon the system protections that are in place, such as firewalls, encryption and security software, in addition to effective corporate procedures, such as routine monitoring, password changes and access restrictions to systems and data. Intrusion detection must be coupled with effective procedures and policies outlining steps to take in the event of security breaches and/or damage to data. The worth of detection is limited if, figuratively, everyone tromps through the crime scene with muddy boots. Effective security measures to limit or prevent intrusions or sabotage require governments to set their own security requirements and procedures, determine who has access to the network and databases, define the controls and security procedures governing access, conduct periodic monitoring of system use and regular security audits, establish on- and off-site storage of system backups, and specify procedures for handling system intrusions and preserving evidence.
Q: Jim Settle, the retired director of the FBI's computer crime squad, once said, "You bring me a select group of hackers and within 90 days I'll bring this country to its knees." How alarmed should we be about computer security today?
A: Very alarmed. There are about 17 million people globally with the skills to launch an attack on infrastructure. Two teen-age hackers invaded 11 sensitive government computer systems in what was labeled by Deputy Defense Secretary John Hamre as the most organized and systemic attack on U.S. defense networks in history. According to the 1998 Computer Crime and Security Survey conducted by the FBI and the Computer Security Institute, the theft of confidential or proprietary information cost U.S. businesses in 1998 an estimated $300 billion, with 64 percent of respondents reporting they had suffered a security breach within the last year. Government networks are especially vulnerable and are a more likely target from hackers than private sector entities, irrespective of the motive. Government executives, faced with transparency in government and public scrutiny, often cannot keep security breaches quiet, and risk major headlines and damage to the integrity of the agency with each instance.
Q: As use of the Internet increases, what sort of changes are you making to policies, procedures and funding for computer security within your organization?
A: Internet access is, without a doubt, one of the leading causes of security breaches. It creates a portal for outside access. Therefore, it is essential that adequate analysis of who will be allowed Internet access, and the installation of necessary system safeguards (firewalls, intrusion and detection software) and procedures, precede the actual Internet connection. Effective security policies involve coordinated and ongoing communication between the CIO, chief security officer, general counsel, top-level executives, the users of the system and human resources, irrespective of whether it is a government or corporate network. New security risks accompany government acceptance of electronic filings, e-commerce, utilization of digital signatures and certificate authorities, electronic data interchange and online interaction with citizens. Governments simply must devote adequate funding to implement -- and maintain -- the management and operation of a complete security program and to attract and keep well-trained personnel with high-tech skills.
Q: What is the most expensive aspect of computer security?
A: The most expensive aspect of computer security is the internal cost associated with ongoing training of personnel, and review of system architecture and security policies and procedures, routine system monitoring and security auditing, and maintaining on- and off-site system backups. Too often, passwords are established, firewalls are installed, access is determined, and then it is all left unattended and forgotten -- until a security breach or sabotaged data rings the wake-up bell. The Computer Security Institute concludes that inadequate funding for information-security measures, staffing and training is the cause of the continuing annual rise in dollar losses from security breaches. Government agencies must not sacrifice funds for infrastructure and data security, lest the integrity of the agency be at risk.
Q: Do we need a new federal agency or a new system to look into attacks on confidential data?
A: No, unless the National Infrastructure Protection Center, housed within the FBI, were to become an independent entity, staffed perhaps with personnel from a variety of government agencies, such as Defense, National Security Council, FBI/DOJ, FEMA, Secret Service, etc. This type of structure would be less threatening to businesses and providers and would, I believe, result in increased communication between the public and private sectors regarding network and data security issues. Companies are reluctant to call federal law enforcement about security breaches for fear of losing control over a private situation, and state and local government executives worry about loss of control over their agency or being perceived by their citizens as incapable of handling the security matter. The new public/private system that needs to be developed is one that local, state and federal government executives are zealously working with private industry to establish. Several excellent infrastructure-assurance centers have been established in the private sector, and the market will sort out the best from the rest. The information-infrastructure security business is a two-way street that requires unprecedented communication and coordination between the public and private sectors, and it is too important to be held up or delayed due to organizational perceptions.
Q: Some say that the greatest threat to computer systems and data comes from within organizations. What measures can be taken to minimize this problem?
A: In addition to unauthorized access by insiders and insider abuse of Internet access as likely types of attack, 89 percent of the CSI/FBI survey respondents cited disgruntled employees as a likely source of security breaches. Government executives should not succumb to technology hype assuring that a security solution can be found through a piece of hardware, a software program or a one-time security audit. The single most important factor in securing the availability, confidentiality, and integrity of government data and networks is to have a complete security policy. Effective policies include system-access controls and cryptography; procedures for regular system monitoring, and intrusion detection and eradication; system backup procedures; intrusion response procedures; steps for the preservation of intrusion evidence; periodic security audits; and thorough screening of personnel. Corresponding human-resource policies should not be forgotten; they are as critical as the system policies and procedures.
Q: What do you see as the biggest obstacle to installing a sound security program within a government agency?
A: Budgetary constraints are without a doubt the single biggest obstacle to establishing -- and maintaining -- a comprehensive security program. Bureaucracy comes in second. Governments must be prepared to be competitive in the marketplace for high-tech personnel, and they must devote adequate funds for maintaining a complete security program. This is difficult in the face of budget cuts coupled with a general lack of understanding regarding technology and associated security risks; too often politicians only close the barn door after the horses are stolen. Also, because effective security is dependent upon cooperation and interaction between system users and administrators, field offices or other agency personnel, human resources and security, without top-down support and the full cooperation of agency executives, the effectiveness of a security program can be seriously undercut by bureaucratic neglect, apathy or misunderstanding.
Q: Should state and local governments be concerned about the Clinton administration's restrictions on exports of encryption software?
A: Yes. The Clinton administration's position on encryption exports poses one of today's biggest threats to national security. Strong encryption software -- stronger than U.S. citizens are allowed to freely export -- is available over the Internet and can be legally downloaded by any American. It is used widely, without export restrictions, in the majority of countries. The administration's position threatens America's dominance of the encryption software market and will do nothing to keep encryption out of the hands of criminals and terrorists or control their use because, if faced with key escrow or key recovery systems, terrorists will quickly develop their own encryption black market, and our encryption companies will continue to leave the U.S. and establish foreign sites in order to take advantage of the global market. We have a grasp on national security if our law enforcement and intelligence communities can go to our U.S. encryption software industry and seek help when they need it; we have lost it if we have to go begging a foreign government or company to help us with an encryption problem. Threats to our national security and an encryption black market threaten all of us, including state and local governments, since governments are more likely targets than private-sector companies.