Making a Federal Case Out of IT Security

When the Bush administration a few weeks ago raised the country's terrorism alert status to Code Orange and prescribed that citizens gather supplies for a potential emergency, most of us armed ourselves with jokes about plastic sheeting and duct tape rather than addressing the problem. For people who, like me, are old enough to be children of the Cold War, the warnings were a little too reminiscent of fallout shelters and "duck-and-cover" drills to be taken entirely seriously.

In my high school, those civil defense posters bore a final, hand-scrawled direction right after the instructions to get under your desk and put your head between your knees. It read: "And kiss your butt goodbye." Youthful sang-froid aside, it's not that we weren't jittery then; we were, just as we are now. But gallows humor seems to be the only sane response to earnest survival advice that's obviously inadequate for the threatened catastrophe.

Not so humorous but only a little more reassuring is the strategy for protecting cyber-based critical infrastructure that was recently released by the Department of Homeland Security (DHS).

The DHS report delineates the need for a "panoramic vantage point" of the Internet to create a "synoptic or holistic" view of cyberspace. The aim is to locate that vantage point within the sphere of the DHS, the better for the agency to protect us all.

The impulse is understandable, but I wouldn't count on it happening anytime soon. Corporate IT users are struggling mightily to get views of the circumscribed landscape of their own networks. And there's no shortage of vendors that claim to offer some variety of end-to-end monitoring or management function to their customers, suggesting that the need, and therefore the market, for such capabilities is real. Why do I sense that it's going to be even tougher for a gargantuan government bureaucracy, with considerable but uncoordinated resources, to achieve a panoramic view of a global network of largely unrelated nodes?

To complicate matters further, Howard Schmidt, acting chairman of the President's Critical Infrastructure Protection Board, says the DHS will encourage the private sector to use diverse networking architectures and service providers as a way to limit the risk of a massive, debilitating cyberattack.

The size and complexity of the DHS's mission undermine confidence that it can keep the critical infrastructure secure -- as does the suspicion that the agency won't be nimble enough to stop the inventive freelance crackers out there, let alone committed lunatics who are out to do more than mischief.

But the DHS could help by using its bully pulpit to persuade corporate managers to get more aggressive with their own IT security. The federal government has thus far been hesitant to force private companies to improve security, and it's clear that the carrot of tax breaks will be considered before the stick of regulation is raised.

What's hard to figure out, given the stakes, is why companies don't do more without any urging. It's not as though bolstering the security of their networks would be an altruistic gesture -- corporations lose billions of dollars each year because of security breaches.

And it's not a matter of waiting for technology that works or figuring out what to do. One frustrated IT manager I talked to recently, who asked not to be identified for obvious reasons, said he thinks he could make his company 80% to 90% more secure with the tools already in place if he had the authority to enforce policies that already exist.

Here are a few steps -- you've heard them all before -- that should be taken at every company now:

• Track vulnerabilities and install available patches promptly. Security vendor Symantec said recently that the number of reported vulnerabilities among its customers was up 81% in 2002 over the previous year.

• Insist on strong user authentication and access-control policies and technologies.

• Use up-to-date antivirus software.

• Install and maintain properly configured firewalls.

• Deploy intrusion-detection software that allows you to define the rules for alerts.

• Monitor activity logs carefully and consistently.

• Protect the data center by establishing programming policies to minimize those old bugaboos, buffer overflows and format string errors.
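The last item names two bug classes a programming policy can rule out at review time. As an added illustration (not code from the column or from any company it mentions), the small C listing below shows a log-line formatter written first in the pattern such a policy forbids, then in the form it should require: a length-checked copy that refuses truncation instead of overrunning the buffer, and user data passed to `printf` only as an argument to a fixed `"%s"` format, never as the format itself. Function names, the buffer size and the sample inputs are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size log buffer used by both versions below. */
#define MSG_LEN 32

/* The pattern a coding policy should reject (shown for contrast only,
 * never called): an unbounded copy into a fixed buffer, followed by
 * user-controlled text used as the format argument. Input longer than
 * MSG_LEN overruns 'line'; input containing '%' is interpreted by printf. */
void format_log_line_unsafe(const char *user_input)
{
    char line[MSG_LEN];
    strcpy(line, "login attempt by: ");
    strcat(line, user_input);          /* buffer overflow if input is long */
    printf(line);                      /* format string error if input has '%' */
    printf("\n");
}

/* Policy-conforming version. Writes into a caller-supplied buffer of known
 * size and returns 0 on success or -1 if the message would not fit; a
 * message that would be truncated is refused rather than silently cut. */
int format_log_line_safe(char *out, size_t out_len, const char *user_input)
{
    if (out == NULL || user_input == NULL || out_len == 0)
        return -1;
    /* snprintf returns the length it wanted to write, so a value >= out_len
     * means the output did not fit and has been truncated. */
    int needed = snprintf(out, out_len, "login attempt by: %s", user_input);
    if (needed < 0 || (size_t)needed >= out_len) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Policy-conforming output: the format string is a constant, so a '%' in
 * the input is printed literally. Returns the character count like printf. */
int print_user_string(const char *user_input)
{
    if (user_input == NULL)
        return -1;
    return printf("%s\n", user_input);
}

/* Review aid: reports whether a string contains a '%' that would act as a
 * directive if the string were ever (wrongly) used as a format. */
int contains_format_directive(const char *s)
{
    return s != NULL && strchr(s, '%') != NULL;
}

int main(void)
{
    char buf[MSG_LEN];
    /* Constructed inputs: one normal name, one that exceeds the buffer. */
    if (format_log_line_safe(buf, sizeof buf, "alice") == 0)
        puts(buf);
    if (format_log_line_safe(buf, sizeof buf,
                             "this-name-is-far-too-long-for-the-buffer") != 0)
        puts("rejected: input does not fit the log buffer");
    print_user_string("%x%x%x");       /* printed literally, not expanded */
    return 0;
}
```

The safe formatter treats truncation as an error rather than an acceptable outcome, which is the check reviewers most often find missing when `snprintf` is adopted as a drop-in replacement for `sprintf`.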

If companies took these obvious steps, they would make themselves and the economy more secure and provide building blocks for an overarching cybersecurity strategy. By themselves, these steps won't make our critical infrastructure safe, but they're a start. And getting them done would beat the heck out of stashing duct tape, plastic sheeting and a few cans of Dinty Moore in the basement.

Tommy Peterson is Computerworld's Technology editor. Contact her at tommy_peterson@computerworld.com.

Copyright © 2003 IDG Communications, Inc.
