[infowar.de] Year After 9-11, Cyberspace Door Is Still Ajar
How the IT security preachers hoped that September 11, 2001 would finally
bring them more attention, and how companies then went on paying them
hardly any heed anyway...
The New York Times, September 9, 2002
Year After 9/11, Cyberspace Door Is Still Ajar
By JOHN SCHWARTZ
Sounding the alarm is
not the same as paying for a deadbolt on the door. Which may explain why,
despite the heightened fears of cyberterrorism and online security that
followed last September's attacks in New York and Washington, few American
businesses or organizations have responded with new measures to safeguard
their computing systems from intruders.
Harris Miller had hoped it would be otherwise. He recalls that warning
Americans about cyberterrorism and online security before Sept. 11 had been
an exercise in futility.
"I felt like Sisyphus," said Mr. Miller, president of the Information
Technology Association of America, a trade group, adding that his pleas for
greater awareness and quicker action were consistently ignored. "Just
rolling the stone up the mountain, and it kept rolling right back down
again." For government, corporations and individuals alike, Mr. Miller said,
computer security was always "the 11th item on a 10-item list."
Then came the attacks - and with them, a growing sense that terrorism could
happen anywhere. And anywhere included the nation's computer networks and
all the critical systems that were tied to them.
"It really was a wake-up call," said Mario Correa, director of Internet and
network security policy for the Business Software Alliance, an industry
lobbying group in Washington.
Security experts predicted that their calls would finally be heeded and that
corporations and governments would shore up their cyberdefenses. Some even
spoke of a "security dividend" for the industry arising from the attacks.
The International Data Group, a publisher of trade magazines, even announced
a new magazine, CSO, aimed at the hoped-for legions of deep-pocketed
corporate chief security officers.
So what has changed in the year since the attacks?
Not so much, actually.
The fretting, certainly, has been vocal. Companies say in survey after
survey that they believe they, and the government, are still vulnerable to
cyberattack. Indeed, a poll published this summer by the Business Software
Alliance found that 60 percent of those who are directly responsible for
their companies' network security believe that United States businesses are
at risk for a major cyberattack in the next 12 months.
And a government team led by Richard A. Clarke, the White House cyberspace
security adviser, has been busy on a computer security framework that is to
be announced next week and is expected to spell out actions that should be
taken by government, industry and even individuals to safeguard the
The fretting and frameworking, however, has not escalated into spending.
Money spent on security has been flat the last year, with no turnaround
imminent, said Steve Hunt, a vice president of the Giga Information Group, a
high-technology analysis company.
"The security market is not going to benefit in 2002," he said. A survey of
the customers of Sanctum Inc., a security company in Santa Clara, Calif.,
which said it had extensively interviewed 10 customers on the topic, showed
that only three had made new Internet security moves because of the Sept. 11
Other areas of security, like the disaster preparedness of information
technology systems, have also come under increased scrutiny since Sept. 11.
But, as with cybersecurity, little money has been spent. In a survey
conducted for AT&T, 73 percent
of those questioned said their companies had reviewed their disaster
recovery planning after Sept. 11, but only one in 10 said business disaster
planning had become a top priority after the attacks.
That is not particularly surprising in tight economic times, when most
information technology spending has focused on incremental improvements to
current systems, said Art Coviello, the chief executive of RSA Data
Security, a computer network security company in Bedford, Mass. At a
conference of chief information officers early this year, Mr. Coviello
recalled, executives listed the top three priorities in 2002 as "cut costs,
cut costs and cut costs."
"The next priority was to make more out of what they had," he said. "The
next priority after that was security."
Part of the reason for the lack of action is a growing sense of frustration
with the task of making computer systems secure, said Peter S. Tippett, the
chief technology officer of Trusecure, a computer security management firm
in Herndon, Va. Trying to keep up with each individual software patch and
vulnerability and apply each one to every computer and network has become an
all but impossible task for many organizations.
The Computer Emergency Response Team, a federally financed monitoring group
and information clearinghouse at Carnegie Mellon University, identified
2,437 software vulnerabilities in 2001, but fewer than 1 percent were used
in actual attacks. "Why don't we figure out what the essential security is?"
Mr. Tippett said.
He suggested that another reason companies had not acted decisively could be
a growing sense among industry experts that the threat of cyberterrorism had
been overstated. He noted that although the world's computer networks are
increasingly tied to critical systems like power grids and
telecommunications networks, a cyberterrorism episode is unlikely to stand
alone, or to be devastating in itself. Instead, he said, such an attack
would probably come in conjunction with physical attacks and be meant mainly
to sow confusion. He compared such a disruption to "a snowstorm on top of an
otherwise bad day."
Still, Mr. Tippett and other security experts agree that the nation's
computer networks need more effective and extensive shoring up.
Meanwhile, Bush administration officials argue that despite the lack of
progress cited by others, great strides have actually been made since last
Mr. Clarke, chairman of the president's Critical Infrastructure Protection
Board, said the real alarm was sounded not on Sept. 11 but on Sept. 18. That
is when a piece of rogue computer software named Nimda spread through
Internet-connected computers around the world and caused damage that was
estimated in the billions of dollars. The creator of Nimda, which attacked
computers and installed "back doors" for subsequent hacker attacks, has
never been identified.
"Sept. 11 made everybody in corporate America think about security," Mr.
Clarke said. "Sept. 18 made them think about cybersecurity."
Since then, he said, software companies have grown far more serious about
plugging the kinds of vulnerabilities that Nimda exploited. Microsoft, for
example, shut down its software development efforts for nearly two months in
a $100 million effort to analyze Windows software for bugs and to train its
engineers in "trustworthy computing" techniques.
Other major software makers have announced similar efforts to make security
"not an add-on, but a central thought" in software design, Mr. Clarke said.
Industries that did not pay much heed to cybersecurity before - Mr. Clarke
cited power companies as an example - have "really begun taking security
seriously," with widespread use of encryption to shield data from prying
eyes and authentication systems to ensure that only authorized people have
access to critical system controls.
And government is "beginning to walk its talk" by shoring up its own
systems, Mr. Clarke said. The administration's proposed budget for the 2003
fiscal year calls for $4.2 billion for securing federal networks, a 56
percent increase over the current fiscal year. And next week, on Sept.
18, Mr. Clarke's team plans to release its action plan for safeguarding the
But government can only do so much, since most of the networks and systems
that need to be protected are in private hands, Mr. Clarke observed. "The
government is not going to secure hospitals and banks and railroads - they
have to do it for themselves," he said.
Mr. Correa's industry group has spent much of the last year trying to ensure
that the government's responses to the Sept. 11 attacks do not do more harm
than good. "You're seeing Congress look for what appear to be quick fixes
and really are not," he said.
The group opposed, for example, well-intentioned early efforts by lawmakers
that would have required federal agencies to upgrade computer security using
very specific technologies obtained through strict government procurement
Under early drafts of legislation, for example, the National Institute of
Standards and Technology was to specify the kinds of antivirus and firewall
software and hardware that would be used in government systems. Mr. Correa's
group feared that the specifications would quickly become outdated, because
antivirus software, for instance, must evolve continually to keep pace with
new kinds of threats.
So Mr. Correa's group and others requested - successfully - that the bills
specify only performance goals, like a requirement that any firewall
software be able to block a certain number of intrusions a second, without
defining how the software accomplish that task.
"You've got to make those security standards performance-based, not
technology-based," Mr. Correa said, or "they will be outmoded in a week."
Mr. Correa's group is also fighting an administration plan to put a unit of
the Commerce Department that helps set computer security standards, the
Computer Security Division, into the new Department of Homeland Security - a
move that they argue would make that group less effective by blurring purely
technical issues with military and law-enforcement agendas that could end up
with worse, not better, technology.
His group has also tried to pave the way for greater cooperation among
industries and the government on security issues. Those efforts have
included legislative proposals for making sure that companies are willing to
share information with the government by carving out exemptions in the
Freedom of Information Act for such exchanges, so that information given
voluntarily to the government about intrusions is not made public.
Mr. Hunt, the Giga Information analyst, sees reasons for optimism. "No
security vendors are getting richer, and there are a lot of security
problems yet to be solved," he said.
But, he added, companies have begun to shift toward viewing security as an
integrated business function and not merely the province of a "little cult
in the corner of the I.T. department." In surveys conducted more than a year
ago, only 30 percent of all companies said they had a person responsible for
connecting security efforts with the actual risks of the business, he said.
Now, nearly 90 percent do.
"This is not a 200 percent improvement in spending," Mr. Hunt said. "It is
an improvement in quality, meaning the haphazard approach to security
management of the past - an approach that left many holes - is steadily
being replaced by robust processes of detection and response."
Even Harris Miller says he is feeling less Sisyphean lately. "While there's
been much more attention in the private sector, there's a long way to go,"
Mr. Miller said. "But I don't feel the exercise is as futile as it was a
year ago. Now the need is to get the money spent."