Information Security News mailing list archives

For NSA vet, security's still a hard sell


From: InfoSec News <isn () c4i org>
Date: Tue, 5 Jun 2001 21:37:19 -0500 (CDT)

http://www.eetimes.com/story/OEG20010605S0052

By Terry Costlow 
EE Times
06/05/01

Bill Crowell has spent his career in security, going from top civilian
at the National Security Agency to president and chief executive
officer of Cylink Corp., a developer of public-key security systems.
But at times, he just can't help being a hacker.

"I used to work where we had a facial recognition system in a briefing
center," Crowell recalls. "We didn't have the images bound to the
individual with a public key, so I slipped my picture into the file of
the guy who did a demo of the system. He . . . couldn't figure out how
I kept getting in the door saying I was him."

Having executive access didn't hurt in pulling out that little trick,
which also underscores a key difficulty facing security engineers. "A
hacker only has to come up with one technique," Crowell points out.
"The protector has to anticipate all current and future attacks."

Crowell works on two fronts, to protect against attacks and to
convince companies that they really need security. Crowell became boss
of Cylink (Santa Clara, Calif.), a 17-year-old developer of secure
networks, in 1998 after serving as vice president of product strategy.
He's focusing on combinations of technology like biometrics and smart
cards in pursuit of foolproof protection.

"Probably the strongest security is when you have three-factor
security, something like a smart card with some version of a biometric
file, something you know like a password or carry like a biometric,
and then something you are, the biometric," said Crowell.

Though he earned a political science degree from Louisiana State
University in 1962, Crowell has been in technology since he designed
circuits for a local company while he was in high school.

To avoid the situation he created when he slipped his own picture into
someone else's file, Crowell said, those who use all three aspects of
this security approach should make sure the biometric portion that
people carry as a credential has been signed by someone who is
trusted, the way a notary approves written signatures today.

"Otherwise, people could steal your identity and insert their
biometric information for yours," Crowell said.
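The binding Crowell describes, as an added example that is not from the article or from Cylink: an enrollment record carries a seal computed by a trusted authority over the identity and the template together, and the door checks that seal before matching. The names, the constructed key and byte-string "templates", the exact-equality matcher, and the use of HMAC-SHA256 in place of a public-key signature are all assumptions made so the sketch runs on the Python standard library.

```python
import hashlib
import hmac

# Constructed key held by the enrolling authority (the "notary" role).
# Assumption: HMAC-SHA256 stands in for a public-key signature so this runs
# on the standard library alone; with a real signature, doors hold no secret.
AUTHORITY_KEY = b"constructed-demo-key"


def seal(identity: str, template: bytes, key: bytes = AUTHORITY_KEY) -> str:
    # Length-prefix the identity so (identity, template) pairs cannot collide.
    msg = len(identity.encode()).to_bytes(4, "big") + identity.encode() + template
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def enroll(identity: str, template: bytes) -> dict:
    # The authority binds this template to this identity at enrollment time.
    return {"identity": identity, "template": template,
            "seal": seal(identity, template)}


def admit(claimed: str, live_sample: bytes, store: dict, check_seal: bool = True):
    """Return (admitted, reason) for a person claiming the identity `claimed`."""
    record = store.get(claimed)
    if record is None:
        return False, "not enrolled"
    if check_seal:
        expected = seal(claimed, record["template"])
        if not hmac.compare_digest(expected, record["seal"]):
            return False, "enrollment record not vouched for"
    # Exact byte equality is a placeholder for a real biometric matcher.
    if live_sample != record["template"]:
        return False, "biometric mismatch"
    return True, "ok"


def demo() -> dict:
    store = {"demo_presenter": enroll("demo_presenter", b"FACE-PRESENTER")}
    before = admit("demo_presenter", b"FACE-PRESENTER", store)
    # Someone with write access to the file swaps in their own image.
    store["demo_presenter"]["template"] = b"FACE-INSIDER"
    unbound = admit("demo_presenter", b"FACE-INSIDER", store, check_seal=False)
    bound = admit("demo_presenter", b"FACE-INSIDER", store)
    owner = admit("demo_presenter", b"FACE-PRESENTER", store)
    return {"before": before, "unbound": unbound, "bound": bound, "owner": owner}
```

With `check_seal=False` the swapped image is accepted, which is the unbound system of the anecdote; with the seal checked, the altered record is rejected for everyone until it is re-enrolled.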

Biometrics like fingerprints and retinal or facial scans are gaining
acceptance, but Crowell predicts it'll be a slow ramp, at first driven
by high-end applications.

"Biometrics will find its way into high-value transactions fairly
quickly, when someone's doing $500,000 transactions fairly often,"
Crowell said. "But I don't see it being used extensively for consumer
purposes or for Internet shopping very soon. It requires a large
infrastructure of readers that will keep many merchants from adopting
it."

Cryptography doesn't require that vast infrastructure, so Crowell sees
quicker acceptance. As companies vie for Web profits, he said,
cryptography and smart cards offer them a potent way to get payments
via the Net.

"We'll see a quick ramp, particularly when people use smart cards or
other tokens to authenticate themselves," Crowell said. "Those are
going to be very popular for authentication, for buying software or
other digitally protected files over the Internet. Things like an MP3
file or software that doesn't have to be packaged and can be delivered
over the Internet could really benefit. These are areas where you want
to be sure you're avoiding large-scale fraud. Most businesses do not
care nearly as much about small-scale fraud."

Unfortunately for Crowell and others in the security business, a lot
of companies don't care much about fraud at all, at least when it
comes to understanding the potential losses from fraud using the
corporation's networks and electronic databases.

Competing with inaction

"Our No. 1 competition, without a doubt, is companies that don't do
anything," Crowell said. "There's just not enough understanding in the
upper echelons of business on the compelling need to install security
into their business. Business models before the Internet accepted a
certain amount of fraud as part of the cost of doing business. But
with the Internet, fraud may be repeatable on such a large scale that
it may no longer be possible to pass costs on to customers."

Accepting the potential for electronic theft was no problem when
Crowell worked at NSA. Along with protecting defense communications,
the agency is charged with exploiting the vulnerabilities of foreign
communications.

Crowell did two stints at NSA, leaving in 1989 when the Cold War's end
made him think "it was time to do something else." But by the end of
1990, shortly before the Gulf War began, he was back, serving in a
number of senior positions that included chief of staff and deputy
director, the latter the agency's highest civilian post. He recalls
NSA as "a fun place" with "some of the greatest toys you'll ever get
to work with."

"It's a mysterious place, but a lot of the stories about the NSA never
say anything, are misleading. The movie Enemy of the State is as far
from reality as you can get," he said.

But if the stories are misleading at times, the tales of top secrecy
also contain some truth. "In modern times, on signal intelligence, I
can't talk about things," Crowell said. But, "on the historical side
of signal intelligence, I was involved in making public NSA success
decoding KGB messages, which were supposedly unbreakable, during World
War II. That exploitation went on for 37 years."

Now he's hoping that it won't take that long for the security market
to take off. Eventually, Crowell said, it's likely that all corporate
networks will employ some type of security. But he disagrees with
those who think that it's going to happen in just a few years.

"I feel it will take the better part of a decade before security is
ubiquitous," Crowell said. Acceptance will come industry by industry,
he predicted.

"The financial industry is a good user of security not because they're
more prone to security but because they have to use it, their business
depends on assuring customers that fraud is rare. Finance is the No. 1
user [of security], large multinational companies like Intel are next,
and the government is probably third."

In the future, the medical world is likely to become a big adopter.
The new Health Insurance Portability and Accountability Act is driving
hospitals and medical offices to computerized record keeping, and
security is a big concern for all involved.

"The health industry is small for us right now," Crowell said. "They
have traditionally spent little money on security and until recently
spent little on IT. They used paper. It will become a large sector
because regulations require health organizations to pay more attention
to the privacy of medical records."

Eventually, he predicts, even the companies that today couldn't care
less about security will tout their protective measures. That will
help them get business from around the world.

"One of the remaining issues in the cyber world that really needs to
be addressed is how essential security is to how we conduct business,"
Crowell said. "There are no borders in cyberspace. Business will go to
the leanest, best companies, and security will be part of their
marketing. Consumer surveys show that the majority of those who don't
shop on the Internet say it's because they don't trust it."

When he's not trying to thwart the criminal element, Crowell and his
wife, Judy, are bikers.

"My wife and I are both avid motorcyclists," Crowell said. "We'll take
3,000 to 4,000-mile trips. We also like to go fly fishing. On our
latest 4,000-mile trip, we looked at a lot of rivers."

When he isn't away from his San Jose, Calif., home, Crowell likes to
spend his time cooking. "I cook very fancy things most every day,
though I do less of it now that I'm CEO and am traveling more," he
said.

His business travels still keep him somewhat involved in government
activities. Government agencies will continue to be closely involved
in all aspects of security as they try to stay ahead of those who
would steal from corporations or tap into military and government
transmissions. He hopes industry and government agencies will learn
how to develop technologies and techniques that benefit both sides.

"There will be more and more cooperation between government and
industry, in my opinion," said Crowell.






ISN is hosted by SecurityFocus.com