Information Security News mailing list archives

We're not ready for cyberspace attacks


From: William Knowles <wk () C4I ORG>
Date: Tue, 23 May 2000 09:54:45 -0500

http://www.boston.com/dailyglobe2/144/business/We_re_not_ready_for_cyberspace_attacks+.shtml

By MacDonnell Ulsch and Scott Steinert-Evoy, 5/23/2000

Computer hackers made headlines recently by lobbing virtual grenades
at some of the world's most popular Internet sites. The "Love Bug"
and its mutations have wreaked havoc around the world.

But in the war to make businesses secure in today's interconnected
world, these attacks were merely skirmishes, nuisance attacks that
could have been orchestrated by a C-student testing classroom
theories. What would happen if malicious hackers mounted a concerted
assault?

Are banks, brokerages, and insurance companies as ready as they were
for the glitch known as Y2K?

The answer is largely no. The days when a strong vault, iron bars, and
an armed guard seemed an adequate deterrent to bank robbers have fast
disappeared. It's not enough to beef up security anymore. The whole
concept must be redefined.

With half of the world's computer capacity and more than 60 percent of
Internet assets, the United States is the most advanced and most
dependent user of information technology. Widespread electronic thefts
or disruptions could shake public confidence in the emerging new
economic order and wreak financial havoc.

But the specter of these attacks has not received the attention that's
merited: not from the Y2K-weary public and new media, and certainly
not from the upper echelons of corporate America. Y2K, after all, was
something CEOs could easily understand. It was a specific problem,
with a specific solution.

Most importantly, Y2K commanded the constant attention of the men and
women who run America's publicly held companies. Every CEO faced
regular questions from Wall Street analysts on Y2K preparedness. Stock
prices rose and fell on the strength of Y2K programs. That kind of
attention from the top opens corporate wallets like no back-office
Cassandra ever could.

Combating cyberterrorism also requires an enormous commitment. But the
solutions, like the problem, are more ambiguous than those associated
with Y2K. Each new dawn brings a new day of reckoning. Hackers develop
resistant strains to each new vaccine as the Internet becomes a
playground for all kinds of malcontents.

Some 118 million people around the world already possess the skills to
conduct cyberattacks, according to International Data Corp.

But thinking of security as an "Internet-only" problem is a
wrongheaded approach destined to fail.

The Internet may be fast emerging as a public network vital to the
flow of commerce. But it also depends on the rest of the critical
public infrastructure - the national power grid, the telephone
switching system - to operate at all. These systems are vulnerable to
a dizzying variety of attackers.

Conversely, the best computer security cannot stop a disgruntled
former employee with a password - or a key to the basement. These
types of inside attacks are by far the most common among US companies.

Some companies have already appointed chief security officers whose
mandates encompass both physical and network security. In the future,
these professionals must create a security culture where such
artificial lines will disappear entirely - and where information
security is a hot topic in the boardroom.

Investor punishment of the affected companies is sure to get the
attention of Wall Street analysts, and, consequently, top corporate
decision makers. They have a long road ahead of them. Instilling a
culture of security, unlike slaying the Y2K dragon, is a never-ending
quest.

MacDonnell Ulsch and Scott Steinert-Evoy work in the Technology Risk
Services consulting practice of PricewaterhouseCoopers LLP in Boston.


*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions             http://www.c4i.org
*-------------------------------------------------*

ISN is sponsored by SecurityFocus.com