"What complicates the picture right now is, unfortunately, a severely damaged security structure that we have overall," said Spafford. Computer systems, he said, grew organically. "Security was not usually a concern, nor was privacy. Things were built around the obvious question: 'does it do what I want it to do, and is it cheap?'"
Spafford gave some figures, saying: "In 2003-2004 we saw about 4,000 vulnerabilities reported in those [commonly used software packages]. In 2005 it jumped up to about 4,600, and so far this year we are averaging about 20 per day. That's an incredible load to try to keep up with."
Identity theft, fraud and other cyber crime are a constant threat to businesses and government, and the cost of attacks is believed to exceed $100 billion per year, said Spafford.
There are now more than 130,000 known examples of malware. Almost all of those target Windows or Internet Explorer on Windows, he explained, and about 50 new ones are reported each day.
Of special concern, said Spafford, are "root kits" that invade the operating system kernel. If this happens, said Spafford, "it hides itself, captures keystrokes, passwords, credit card numbers and other sensitive information and sends it on." The best thing to do is wipe the disk clean and re-install your software, he said.
Spafford said proactive and protective measures need to be put into place. Vendors need to show why their services should be trusted and come out with better products and new features that address the issues businesses and government face.
"Products, even ones we can expect to come soon, such as Microsoft Vista, will not solve all our problems," said Spafford. "In particular, Vista may have some new security features but will require significant expenditures to license and upgrade equipment to run it. So it's not going to be a solution.
"Firewalls aren't a solution," he continued, "because where is your perimeter when people have laptops that they take home, when consultants are given access over the Internet, when USB keys with data go in and out, when cell phones with Bluetooth are used to connect up to computers, or when 802.11 wireless is available from the street outside a building?"
Spafford said that the real threat to security -- and of greatest concern to government -- is organized crime, not terrorism. The situation is getting worse, he said, as gangs -- especially in Eastern Europe and Africa -- get bolder and more sophisticated.
Because computer systems are not a high-priority target for terrorists, said Spafford, they are not funded. "DHS' research budget for IT security is less than 1 percent," he said. "More is spent making sure we don't carry cigarette lighters on board airplanes than in addressing some of the fundamental problems of security."
Legislation by the government tends to make the situation more complex. The Real ID Act and Help America Vote Act make a large amount of personal information available on the Web. The public is concerned about revealing personal data on the Web and is losing confidence in doing so, and this affects the government's 24/7 online services.
Spafford said that the best way to approach security and meet the challenge is to position yourself to think ahead and make a plan that includes long-range policymaking, education and enforcement. Items to consider when planning and making policies are:
- Information -- how and where it is being stored, is it encrypted, is it really needed? How long does it need to be stored? Decide where and for how long data should reside.
- Understand new technologies -- pay attention to new products on the market -- what is necessary to protect the information being stored and to benefit from it?
- Limit connectivity -- everything doesn't need to be connected to everything. Partition carefully and share carefully.
- Develop a heterogeneous environment -- different hardware and software platforms that are resistant to attacks and that can detect attacks when they occur. It's not good to have more than 40 percent interconnectivity; problems are more likely to spread. Multiple platforms are needed, but the cost is higher.