Frequent intrusions by hackers into critical computer networks have industry
looking at stronger security measures. Primary concerns cited by industry officials
include the emergence of new vulnerabilities, lack of money for computer security,
and fear of theft of corporate secrets.
Industry and government "cannot afford not to do something about security,"
said Maj. Gen. John P. Casciano (Ret.), vice president for information operations/
infrastructure protection business for Litton TASC Inc., Reading, Massachusetts.
"It goes to intellectual property; it goes to issues of privacy for customers;
it goes to electronic commerce," and it goes to providing security for
information that is proprietary.
"Our whole economy is based on information and information technology,"
he said in an interview.
Computers are increasingly vulnerable to hackers attempting to infiltrate networks,
experts said.
The typical hacker used to be 14 to 16 years of age, white male, somewhat of
an introvert, said Mark Gembicki, chairman and chief technology officer for
WarRoom Research LLC, Baltimore. "In most cases coming from a divorced
family, good in the sciences, in the computer side obviously, not so hot in
the math and the social sciences." However, this is no longer the case,
based on information from Corporate America's Competitive Edge, a searchable
database. "Our hacker profile, based upon two years of data and talking
with 320 companies -- Fortune 500 companies [is that] the hackers are around 30-33,
white male again, professional," Gembicki said.
They have a $50,000 to $60,000 a year median income, and they can afford to
buy expensive computer equipment, he said. "When you look at vulnerabilities,
and national security and corporate security realize that the wily 14-year-old
kid is now 30 to 33 years old, with the gold American Express, driving a Beemer,"
said Gembicki.
"The threat and the attacker have changed," said Gembicki. "Now
you have to worry about somebody getting in because he or she knows that that
new formula you have to fight cancer -- or everything from that to a new deodorant
to a brake system from Chrysler -- is worth a lot of money in the open market,"
said Gembicki.
Preventive Measures
Matthew G. Devost, director of intelligence analysis at iDefense, a computer
security company in the Washington, D.C. area, said that most computer incidents
can be prevented if the company has adequate knowledge that the vulnerability
exists. Devost believes that companies put themselves at risk if they become
aware that their systems are vulnerable but fail to take preventive action.
Patricia Irving, president of InnovaTek, Richland, Washington, a small business
that creates chemical and biological defense technology, has seen indicators
that hackers may be trying to access her firm's computer network. "Our
technologies are being used for national security type purposes, and the U.S.
government has a concern about what might be happening" in countries that
might not be friendly toward the United States or with terrorist groups inside
and outside this country, said Irving.
"These incidents are related more to industrial espionage concerns,"
she said. "We are in a very competitive arena right now in terms of intellectual
property. We are creating new technologies and new products that are cutting
edge, [and that] results in great competition in the early stages of product
development.
"Any interest in chemical and biological weapons outside the legitimate
business development areas is of concern for security recently," said Irving.
"The Central Intelligence Agency is tracking it, and they have talked to
us about such concerns [but] we can't really easily monitor what is going on
on our website," said Irving. "And it is clear that there are people
interested in our site that would be of concern for U.S. security."
An intern is working this summer at InnovaTek to train the staff on computer
security, she said.
Security Tradeoffs
"There will be tradeoffs in terms of expense and the amount of security
and the ease and access that we will want as a small company," said Irving.
The company's desire to establish new business partnerships, she explained,
also presents new potential risks to computer security.
Lockheed Martin, Bethesda, Maryland, a major defense technology industrial
conglomerate, has more complex security requirements. The company not only has
many divisions that are linked by computer networks, but it also exchanges information
with its government partners. "Now because of the Internet and intranet
that companies have -- and the extranets for electronic commerce and such -- and the
partnerships and agreements that you need to make on programs, you need to combine
a lot of different people using the same resources to be cost effective and
competitive," said Lynda McGhie, director of corporate information protection
at Lockheed Martin.
"We are investing a lot in the detection and the auditing and the automation
of auditing and alarm systems, and just checking the network and just checking
the systems," said McGhie. Requiring single sign-ons and moving to integrated
directories where [the user's] identity is on a card, in a software algorithm
or stored on a computer will be necessary for better computer protection, she
added.
"I think we are going to be even more vulnerable, because literally the
whole keys to the kingdom are going to be in that environment," she said.
"If somebody does break in and does compromise [the network], that person
is going to have the potential to get into a lot more stuff, [such as] computing
resources and information, and cause a lot more problems," said McGhie.
Security typically is looked at as a roadblock as opposed to an enabler, she
added.
Perpetrators of computer break-ins, meanwhile, pointed out that, in general,
companies can create their own problems by taking shortcuts to achieve secure
systems.
"Many businesses hire outside consultants to set up their technology and
leave to avoid paying outside expenses. These [shortcuts] are a ... hacker's
dream come true," said The CatMan, a computer hacker with a website on
the Internet, New York City. He requested that his real name not be used. "Most
of the time, the passwords are set to default, and the security breach can be
[completed in] a matter of moments.
"Additionally, since staff is unfamiliar with the system outside of data
entry and report generation, the breach often goes unnoticed," said the
computer hacker. "You would not believe how many places have '123456' or
'qwerty' as a password because they didn't think of a password before setting
up the account," he said. "Passwords should have a unique spelling
and be alphanumeric to prevent password cracking programs used by your neighborhood
crackers.
"I firmly believe that, if information is to remain secure, it should
not be networked. If remote access is needed, then setup [should be] a secure
model. Limit the amount of accounts, and be creative with the passwords."
The CatMan also said that a majority of the problems with computers result
from employee actions -- the person installing the computer system focuses on accessibility
rather than security. "Nine of 10 electronic security breaches are internal
and are contrary to the Hollywood image [and are] not all that elaborate nor
use holographic computer animations," he added.
Another breach of security is the physical location of a password list, said
The CatMan. "A password or password list should be treated like a credit
card number and not left laying around for anyone to stumble across," he
said.
Government has also only recently begun addressing issues related
to industry and network security, according to Gembicki.
"U.S. corporations have almost no security [from the government] when
it comes to really protecting themselves against a competitor trying to steal
proprietary information, or a 14-year-old hacker," said Gembicki.
An ongoing problem for both industry and government, industry officials said,
is both sides' inability to share information about specific break-ins to their
systems. Several years ago, the Clinton administration set up a special panel
to address security risks to government computers. The President's Commission
[on Critical Infrastructure] considered that "telecommunications, and energy,
health and human services, that they were critical infrastructures, but they
failed to overlook the network and activity that really drives corporate America
and our infrastructure," said Gembicki.
"It wasn't until a few months ago that there were statements made by the
U.S. government, [saying] corporate America is global and corporate America
is borderless on the Internet," he said.
Government Involvement
Gembicki said that one problem related to information sharing is the Intelligence
Oversight Act. If the CIA or National Security Agency (NSA) has information
that a cyber attack will occur or has occurred, they cannot share it with U.S.
businesses. "That creates an unfair disadvantage to U.S. companies,"
he added. "In a state of emergency, the government clamps down on information,
and they mark it as classified and sensitive, and they use industry as a collection
arm for the current state-of-the hack or the current state-of-affairs,"
said Gembicki.
Then, when industry is clamoring for help to protect its networks, the government
often will refuse to share information, citing national security secrecy, said
Gembicki. "It is a one-way pipe in the government, and it doesn't turn
around," he added.
Gembicki said that industry and government can work together, but tradeoffs
need to occur. He advocates a security co-op program similar to those being
used by national security agencies such as the CIA, NSA and State Department,
which have created college internships that allow students to learn about their
organizations. He suggested agencies also could allow similar exchanges with
industry.
The government can develop a personal relationship at the executive-level with
industry, said Gembicki. The industries participating in this program then can
know that, if they have a problem, they can call that agency and have a direct
contact for support. If there is an exchange at the executive level that
is blessed by both industry and government, it can prevent many of the information
sharing problems that industry and government have today, said Gembicki.
Gembicki currently is developing a survey to assist companies in assessing critical
infrastructure threats, called Corporate America's Competitive Edge. "The
reason we focused on Fortune 500 companies is that critical infrastructure is
our weakest link." This database project uses both qualitative and quantitative
information to answer questions that industry may have concerning threats to
their critical infrastructure.
This project was based on responses from 320 companies. Each company was given
a free information security assessment or a free business intelligence assessment
in exchange for a two-year quarterly commitment to fill out forms that covered
36 different topics and 27 industry segments and asked more than
180 questions. The response rate was 67 percent.
When asked who in government should run a program to teach businesses to be
more secure, 90 percent of the companies said the preferred agency is the Department
of Commerce, said Gembicki. The companies believed that corporate security is
more important than national security.
"There is a polar difference between what government believes and what
industry believes," said Gembicki.