Computer Security is No Quick Fix

Americans love metaphors, especially if they involve war or sports. They help us put new or particularly vexing problems into a familiar context. Thus we have the "War on Poverty" and the "War on Drugs" to describe major national commitments. Over the past year, one of the most abused metaphors has been government's battle against the year 2000 computer bug. It is most often misapplied to federal computer security challenges: If only we had a White House czar, a coordinating group, congressional report cards, some earmarked money, and, better yet, a leader like former Y2K czar John Koskinen, we could solve the problem of computer security just as we licked the insidious millennium bug.

Federal managers must insist that their information technology staffs provide clear measures of security status and support broader efforts to share best practices.

Unfortunately, securing our technology and the information it carries isn't going to be quite that easy. The war metaphor depends on two premises:

  • The crisis must have a clear end date by which we would know whether we have won or lost.
  • Public and political concern must be galvanized by a potential cataclysm. Widespread infrastructure failure due to the millennium bug was viewed as unacceptable, so a "win at all costs" attitude prevailed.

Assuring the integrity of our information systems is not a problem that can be solved once and for all. It requires continuing vigilance to emerging threats. An appropriate metaphor would be more akin to maintaining the peace or protecting public health than to winning a war or even battling a disease. While we may overcome a particular invader, the security threat constantly is changing.

Notwithstanding almost weekly reminders of the fragility of our information infrastructure, those who must pay the bills should it be harmed (Congress in the case of the federal government and corporate boards in the case of the private sector) have failed to evince the sense of urgency that the threat warrants. Officials in the Defense and financial sectors, where the consequences of security breaches are real and measurable, have stepped up their efforts, but even they aren't yet on emergency alert.

Witness the recent theft by a group based in Russia and the Ukraine of more than a million credit card numbers from more than 40 electronic commerce and electronic banking Web sites. The FBI went public about the case because the perpetrators were exploiting vulnerabilities in the companies' operating systems that were well known and for which patches had been available for years. The enterprises that came under attack failed to take action despite the fact that their very existence depends on protecting their data. A response to this problem may be found on the Web site of the Center for Internet Security (www.cisecurity.org/patchwork.html). This nonprofit cooperative group seeks to reduce the risk of significant disruptions of electronic commerce and business operations due to technical failures or deliberate attacks. The site contains a downloadable program called Patchwork that will determine whether a Windows NT system has the same vulnerabilities exploited by the Russians and whether the system has been compromised. If any vulnerabilities are found, Patchwork will point users directly to the Microsoft patches and will verify that they were installed correctly.

The Y2K response may not be applicable to the security crisis, but it contains useful lessons. Two stand out:

  • As demonstrated by the Russia/Ukraine credit card incident, the problem often is not in finding new remedies but in making sure that information on good practices is widely shared. Promoting a culture of information sharing, as Koskinen did so successfully for Y2K, will go a long way toward helping the people protecting against attacks even the odds with the attackers. Among organizations working to improve information sharing is the Computer System Security and Privacy Advisory Board (http://csrc.nist.gov/csspab), which reports to the Commerce Department, Office of Management and Budget, National Security Agency and appropriate congressional committees.
  • No substitute exists for frequent, meaningful measurements to assess progress toward meeting some shared goal. Congressman Steve Horn, R-Calif., chair of the House Government Reform Committee's Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations, took an important first step in focusing public attention last fall by issuing report cards on federal agency computer security. Unlike Y2K, computer security is not static; a well-protected system today could be cracked tomorrow if system managers fail to keep up with the latest patches.
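The kind of check Patchwork performs (does a host still carry a flaw whose fix has been available for years?) and the frequent, meaningful measurement that Horn's report cards call for can be combined in a small script. What follows is an added illustration, not Patchwork or any Center for Internet Security code: the product names, version numbers, inventory lines and grade thresholds are all constructed for the example, and a real baseline would be built from vendor advisories rather than typed in by hand.

```python
"""Patch-status check and per-host grade over a constructed inventory (illustration only)."""
from typing import Dict, Tuple

# Constructed baseline: product -> minimum version that closes a published flaw.
# Names and numbers are made up for this example, not taken from any vendor.
BASELINE: Dict[str, str] = {
    "web-server": "4.0.3",
    "mail-server": "5.5.22",
    "os-service-pack": "6.0.6",
}

# Constructed inventory, one "host,product,installed_version" line per package.
INVENTORY = """\
# host,product,installed_version
web01,web-server,4.0.3
web01,mail-server,5.5.21
web01,os-service-pack,6.0.6
db02,web-server,4.0.1
db02,os-service-pack,6.0.6
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.5.21' into (5, 5, 21) so versions compare numerically.

    String comparison would rank '4.0.10' below '4.0.3'; numeric tuples do not.
    """
    return tuple(int(part) for part in text.strip().split("."))


def parse_inventory(text: str) -> Dict[str, Dict[str, str]]:
    """Group inventory lines by host: {host: {product: installed_version}}."""
    hosts: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, product, version = (field.strip() for field in line.split(","))
        hosts.setdefault(host, {})[product] = version
    return hosts


def check_host(installed: Dict[str, str], baseline: Dict[str, str]) -> Dict[str, str]:
    """Give every baseline product one of three verdicts for one host.

      'ok'        installed version meets the minimum
      'outdated'  present but below the minimum, i.e. the patch was never applied
      'missing'   baseline product not recorded on the host at all

    An absent record is reported rather than skipped: either the inventory is
    wrong or the host lacks software the baseline expects, and both need a look.
    """
    verdicts: Dict[str, str] = {}
    for product, minimum in baseline.items():
        if product not in installed:
            verdicts[product] = "missing"
        elif parse_version(installed[product]) < parse_version(minimum):
            verdicts[product] = "outdated"
        else:
            verdicts[product] = "ok"
    return verdicts


def grade(verdicts: Dict[str, str]) -> str:
    """Report-card style letter from the share of baseline items in order (thresholds constructed)."""
    share = sum(1 for v in verdicts.values() if v == "ok") / len(verdicts)
    if share == 1.0:
        return "A"
    if share >= 0.75:
        return "B"
    if share >= 0.5:
        return "C"
    return "F"


def report(inventory_text: str, baseline: Dict[str, str]) -> Dict[str, Tuple[str, Dict[str, str]]]:
    """Return {host: (grade, verdicts)} for every host in the inventory."""
    result = {}
    for host, installed in parse_inventory(inventory_text).items():
        verdicts = check_host(installed, baseline)
        result[host] = (grade(verdicts), verdicts)
    return result


if __name__ == "__main__":
    for host, (letter, verdicts) in report(INVENTORY, BASELINE).items():
        overdue = sorted(p for p, v in verdicts.items() if v != "ok")
        print(f"{host}: grade {letter}; needs attention: {', '.join(overdue) or 'none'}")
```

Run against the constructed inventory, web01 earns a C (its mail server is one release behind the baseline) and db02 an F (an outdated web server and no mail-server record at all). Rerunning the same script after each patch cycle gives exactly the repeated measurement the column argues for: the grade is a snapshot, and a host that scores an A this month drops the moment the baseline gains a newer minimum.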


Franklin S. Reeder teaches, writes, and consults on public management and information technology issues. He serves as chairman of the Center for Internet Security and the Computer System Security and Privacy Advisory Board.
