Cyber Security:
Experts Debate Best Approach To Computer Protection
By Ted Leventhal
Businesses, home users, the software industry and the
government all must take concerted steps to thwart the rising tide of malicious computer
code, computer experts told a House Energy and Commerce subcommittee on Thursday.
"The depressing fact is that it takes only one
personal computer, some decent programming skills, a warped mind and a cruel heart to
launch a virus or worm, and with over 40,000 viruses and their variant strains that have
been identified to this day, it appears as if these traits are not in short supply,"
said Telecommunications and the Internet Subcommittee Chairman Fred Upton, R-Mich.
Richard Pethia, director of the Software Engineering
Institute at the Computer-Emergency Response Team Coordination Center of Carnegie Mellon
University, testified that while businesses and consumers needed to adopt better security
procedures, vendors also should strive to design virus-resistant software and eliminate
implementation errors that make products vulnerable to viruses.
Pethia said those techniques have been "known for
decades," and manufacturers should "adopt known, effective software engineering
practices" to end software flaws. The government should use its purchasing power to
compel them to do so, he added.
Ken Silva, vice president of VeriSign, took the opposite
tack, arguing that better security practices by businesses and consumers are the only
effective way to fight viruses and worms. The proliferation of malicious code, while
extremely serious, is only a symptom of "a much larger problem that we have today of
a highly attractive vulnerability across our computer networks" that can be closed by
software users.
"The idea that somehow if Microsoft made bulletproof
operating systems and applications all Internet security problems would evaporate is
purely fiction," he said. "Many of the worms attack not only popular operating
systems but open-source software as well."
Arthur Wong, vice president for response with Symantec,
agreed. "[Information technology] governance must be a part of the overall governance
of an organization," he said. Individual consumers must be taught to "protect
their piece of cyberspace."
William Hancock, chief security officer for Cable &
Wireless, warned that virus attacks will become more damaging as more devices, such as
cellular telephones, digital videodisc players, radio-frequency identification systems and
even parking-gate systems become connected to the Internet. The "cure" for
Internet attacks is a long way off, he added, but in the short term he urged government to
give law enforcement the "skills and tools" to track cyber criminals.
He warned that terrorists increasingly will be tempted to
exploit vulnerabilities in computer infrastructure because the cost to mount attacks is
merely the cost of a computer and an Internet connection.
Robert Holleyman, president and CEO of the Business
Software Alliance, called for international cooperation in investigating and prosecuting
cyber attacks. "Continued collaboration, information sharing and tough laws in every
country criminalizing cyber attacks are vital to ensuring that law enforcement can help
prevent crime and investigate cyber criminals wherever they may hide."
Specialists See Need For New Ideas In Computer Protection
Without new concepts and applications for computer
security, networking will fail to reach its full potential, and it may collapse under the
strain of unsolicited commercial e-mail and computer viruses and worms, experts warned on
Thursday. Computer scientists identified cyber-security problems and proposed solutions at
an Association for Computing Machinery event this week and shared their findings and
recommendations at a press conference on Thursday.
Eugene Spafford, executive director of the Center for
Education and Research in Information Assurance and Security at Purdue University, said
current trends have created a precarious computing environment. He said those trends
include smaller, cheaper computers within household items, cars and other devices; more
devices per network; more Internet users worldwide; more data collection and storage; and
the running of more critical services online.
Today's computer-security systems have been designed around
short-term, limited goals, he said. "We've adopted a culture of applying patches
rather than developing innovative security systems. Progress tends to be episodic, with no
long-term effort to change the way we compute."
John Richardson, Intel's government technical liaison
director, said the speed of computer networks, combined with the number of users, the
ready access to virus-writing tools and increasingly unpredictable computer attacks, has
led to the release of nearly 80,000 unique viruses on the Internet, and the number of
computer-security incidents is skyrocketing.
Richardson said, however, that researchers have built
systems with limited functionality that are resistant to attack, and research is pointing
to future solutions, provided all stakeholders can work together toward that common goal.
With a sustained effort, "epidemic-style" attacks could be eliminated by 2014,
he said.
"Nobody owns this problem," Richardson said,
calling for an end to "finger-pointing" between software developers, system
administrators and users.
Susan Landau, a senior staff engineer with Sun
Microsystems, said the security problem must be solved "because we rely on these
systems for everything. Security decisions are made locally, but the implications are
often global." Greater security will promulgate large-scale systems for important
societal applications, such as more extensive patient-record databases, electronic voting
and law enforcement. In addition to reducing security costs, researchers, users and the
government must work together, she said. "It's crucial we don't drop the ball."
Annie Anton, a professor at North Carolina State
University, called for progress toward security and privacy standards that users could
control. "Users need to be able to control the flow of their information," she
said. "Technology has been introduced so quickly, it outpaces users'
comprehensibility."
Independent security consultant Dan Geer said a
quantitative system for managing information risks that would be as robust as financial-risk
management must be developed.
"We can't manage what we can't measure," Geer
said, adding that the probability of cyber attacks can be predicted, making it more
difficult for chief information officers to justify spending. "We already have a lot
of [security] data; we just can't analyze," Geer said, calling for the adoption of
metrics from other fields.
CYBER SECURITY: Experts Debate Best Approach To Computer Protection
BYLINE: Ted Leventhal
Copyright 2003 National Journal Group, Inc. National Journal's Technology Daily PM Edition
November 6, 2003 Thursday
CYBER SECURITY: Specialists See Need For New Ideas In Computer Protection
BYLINE: Ted Leventhal
Copyright 2003 National Journal Group, Inc. National Journal's Technology Daily PM Edition
November 20, 2003 Thursday