Businesses are racing into e-commerce, mobile computing and global expansion, all relying on technology to get them there. But that technology can also trip them up. A panel of experts talked to Computerworld business editor Kevin Fogarty and eBizChronicle.com Inc. CEO Sarwar Kashmeri about what the risks are and how global organizations need to cooperate to keep the bad guys in line.
Kevin Fogarty: Let's start with the coincidence that, the morning we sit down to talk about this, Mafiaboy, a 15-year-old kid, was arrested in Canada for launching denial-of-service attacks against Yahoo and others. Is this kind of thing a serious concern, or just an annoyance?
Paul S. Raines: I'll take a stab at it. A lot of people want to think that because a teen-ager launched the attack, that it must be really sophisticated. The real tack they should take on this is that because a teen-ager launched the attack, it's not that complicated to understand.
If you look at the distributed denial-of-service attack, everyone else had to pay a price because others weren't maintaining good security on their sites. So one of the things that I think will happen is some regulation of that.
Before a site gets a domain name registration, it (should) undergo site penetration testing, a security inspection. Then once it passes it, you could take a public-key certificate and embed it in a digital watermark on that site, so that you could see that that was indeed a safe site.
Alan E. Brill: The thing that I see in this whole Mafiaboy business is, I would bet, for all intents and purposes, (that he's) absolutely judgment-proof. If you're a victim, you're going to look at this and you're going to say, "Well, Mafiaboy is not a real great person to sue because, even if I win, I won't get anything."
But the attack didn't really come directly from Mafiaboy, did it? It came from a whole bunch of other places, some of which - universities - may not have a lot of money, but some corporations, some banks, they do. I think the way the issue may start to be brought to everybody's attention is when people start to say, "You who didn't notice that this was placed on your site, were you negligent?"
Once that starts to happen, people are going to be positively motivated to take some of the steps that they ought to. Often what legislation is not ready to do, litigation is there to start.
Thomas W. Patterson: I think that there's a third option: capitalism. If a company's not doing well, if a store doesn't have traffic or they've got break-ins all the time, shoppers stop going there, so (the store) hires a security guard. They put up bars on their windows.
I think if they want to stay in business, they need to learn how to stay in business on the Internet.
Brill: But if you look at the life cycle of dot-com organizations, over and over, it's the same old things that are happening, not just high-tech incidents but low-tech incidents hitting high-tech companies. We had one company in Silicon Valley call us in on a Monday morning. Their people came in, couldn't log on to the server, and they finally figured out why. Over the weekend, somebody had come in and stolen the server, so there was now a space with wires. No burglar alarms, no real security; it hadn't occurred to them.
A good way to start making this happen would be if the VCs said, "As part of the deal, I want you to have a security review; I want you to do the right thing, not just in terms of firewalls and intrusion detection, but physical security, background checks on your people, the right kind of noncompete, the right kind of confidentiality agreements."
Sarwar Kashmeri: Would you say that on the business-to-business side, the security is tighter?
Patterson: As you look at these big companies doing dot-com things, the old guard is intimidated by the new guard. And if the new guard says, "We don't have time for that; we don't have to play by those rules. I know we've got a 'what-we-can-post-on-the-Web' policy, but the hell with that, we're going to go just set up our own server in my garage, and do our own policing of the stuff." The old guard lets that happen because they don't really understand what it takes to perform and succeed on the Internet.
Brill: What we're seeing is, on the Internet, nobody knows you're a fraud. We got a call just last week from an organization that asked us, "As we establish B-to-B linkups, how can we find out if an organization, somewhere on the far side of the Pacific Rim, is real?"
The concept of due diligence has been suffering because of Internet time. If you want to do this transaction, you have to do this transaction right now, and all you know about them is what they claim, and that they have an IP address that you can actually contact. That's one of the places where you have to stop thinking purely in real time for the sake of real time, and again, start applying traditional business acumen to the problem.
Fast Access, High Risk
Brill: The other area that we've seen recently (that is) becoming more and more dangerous, in the IT area, is that executives in many companies are getting faster and faster connections at home - DSL, cable. And those are obviously inherently more dangerous. They're on all the time, they have fixed IP addresses.
If they have these connections, I would make sure that I had them install some sort of firewall-y type program. I recently was talking to a UN ambassador who was telling me that he just got his cable modem in. I asked him if he had this, and he said he didn't. We had lunch about a week later, and he said that within an hour of installing it, he was getting hits. Why would people do that? Maybe because you believe that these execs will take work home, and it's a lot easier to steal it from their home computer than it might be from their company computer.
Raines: We use two-factor authentication when (executives) are on the road. So it's that type of strong authentication mechanism and encryption that we look at and try to enable them that way.
Patterson: But there are fairly secure ways to link into your office network. You can set up a (virtual private network) port. It's much more secure; it's not impervious to all threats, but it's much more secure than having a bank of modems there and not publishing the phone numbers and hoping that nobody figures it out. You don't see too many companies really performing good risk analyses, though. They just assume that the threat they read about in Computerworld must apply to them, therefore they'd better do the countermeasure that's suggested at the end of the article. That's wasteful; that's dilutive.
Know Your Staff
Raines: One issue I wanted to raise was the risk of internal employees. What I find ironic (at) some of the dot-com companies, the turnover of their employees. They'll have people who are there for less than a year, and then they get recruited off to go someplace else.
Brill: That's exactly what we find. In fact, we have had occasion to look at the various logs on some knowledge engines, and, what a coincidence: In the week before each of certain people left, they suddenly had a desire for knowledge in volume. Nobody really had made the decision that said, "If somebody suddenly starts accessing 20 times more stuff than they've ever accessed before and that has nothing to do with their project, that's a warning sign."
Enforcement
Kashmeri: Could each of you comment whether you think the laws we have on the books now are sufficient?
RAINES: I think the laws themselves are sufficient. Where I think there may be some shortcomings is in issuing warrants, especially across jurisdictions - that is, not only between states but between countries.
PattERSOn: I very strongly believe that, when it comes to electronic commerce, the laws have to follow, not lead. I want commerce to lead, I want capitalism to lead. I don't mind if some companies that don't do a good job at running an Internet business fail. Over time, it will become obvious what should be a new law and what shouldn't be. I don't think that we're to that point - yet.
Brill: Internet technology seems to evolve at the speed of light, but law evolves at the speed of Congress. For that reason, I think we need to, as an industry, make our voices heard as to the kinds of laws and regulations that we need to do the job. And to work with some of the international groups that have been formed to allow transnational investigations, transnational search warrants.
Loose Cannons
Fogarty: What about wireless security and handhelds - threat or menace?
Patterson: Privacy is a big issue with mobile users. My Palm VII reports diligently back to (Palm Inc.) exactly where I go. My cell phone reports back to my cell phone carrier, when I'm in my hometown, anyway, within a hundred feet of where I am. And that's mandated by law.
That information is now also available to advertisers. My family might not know where I'm traveling to in any business day, but Palm certainly does.
Fogarty: What about securing the information on it?
Patterson: The rest of the world uses smart cards, and America will someday get there, but we've failed as a nation to get there because it's been technology looking for an application.
Brill: Right now, there are a couple of companies that are producing pointing devices, mouses, mice, that have fingerprint readers in them built into the panels. Not a separate device. And with the right software, when you hold that mouse and you put your finger on the little red window, it knows it's you. Kind of nice.
Kashmeri: Are the Europeans doing a better job of preserving privacy through their laws?
Brill: Well, I think they've got a much more organized approach to it. They've got an infrastructure, and that infrastructure, through the European community, has largely been regularized so that the rules throughout the community are rather standard.
Patterson: It's actually a very good way to do it. They pass laws; if you want to do business with them, you must adhere to these security practices. America is currently operating under an exemption from those laws. But ultimately, if you want to trade in their community online, you need to play by these rules.
One of the most technologically advanced countries in the world for e-commerce is Singapore. Everybody has smart cards; everybody has a digital certificate. If you want to do business, you must present your certificate and it must be authenticated by one of the trusted authorities that is trusted by the government of Singapore. Why has that happened in Singapore rather than in France?
One of the reasons is that Singapore was small enough to be a good, self-contained test case. Another is they have very strong laws and very strong feelings about what rules need to be enforced in the course of public conduct. A taxi cab in Singapore - the taxi driver pops in his smart card and activates it. That is tracked; everybody knows it. That's just the way it's done. It's very efficient.
Is that what the bulk of the countries around the world are looking to do? I don't think so. You have to look at what's important to a society and make sure the technology flows that way.
Patterson: There has to be the understanding that everybody's country's laws are going to be a little different. You need to be able to look at their site and say, "These are the security practices that they follow. Do I choose to give them my credit card? Do I choose to send them a million dollars worth of goods in the expectation that they're going to mail me a check?"
The G77 (Trade Information Network, an association dedicated to building trade among developing nations) has a program now to help the group of countries that are not the typical big powerhouses to let them participate in trade. It's very hard for the average business or customer to determine if a company that is in Uganda, if they're real, if their quality is good, if they don't use slave labor, if they don't hurt the environment. So the G77 is stepping in to say, "OK, we've looked at them. We've issued them a certificate that says they do these do things and as of this time." Then I can make a more informed decision.
Kashmeri: I know of at least one company that's put off their plans to expand to Europe because they're not certain whether their payroll information will be locked out because of the European privacy laws. Are you saying that as each country develops their own laws, that is the price that business may have to pay?
Patterson: The companies need to understand what the rules are, make their own judgments and come up with ways to deal with it.
There's a whole new burgeoning business of certificate authorities. These are people that sort of hold the keys to transactions, setting up in offshore, small-island nations that don't have good conductivity and are subject to tidal waves and hurricanes. But they have a rule of law that says that the Justice Department, Janet Reno, can't come in and get the keys. So you keep your data in the U.S.; you keep your data in France. But the keys to that data to be unlocked are going to be offshore. It's a whole little cottage industry growing up for people trying to skirt those exact laws.
Other Threats
Raines: If you want to look at potential threats to the banking industry, that is one that I'm concerned about, is someone setting up a server in their basement and calling themselves - let's say Citybank spelled with a y, C-i-t-y instead of C-i-t-i bank. And someone was duped into giving them account information, maybe credit-card information, and money. And then they just shut off the server, and then they make off with it. So one of the efforts that I applaud is an effort to certify banks - that they are who they say they are.
Brill: But even legitimate people do silly things sometimes. There was a case recently of an actual bank that decided, as part of its e-commerce strategy, to allow you to initiate transfers from other accounts online. So if you gave the account number and the routing information, they would transfer the money, whether it was your account or not. It didn't occur to them that you might get somebody in there who had access to people's bank accounts numbers and would put in other people's accounts to transfer the money.
This roundtable was a joint effort by Computerworld and eBizChronicle, an online daily news service on e-commerce (www.ebizchronicle.com).