Tech Security Goes From Bad To Worse

By Ara C. Trembly, Technology Editor

NU Online News Service, Nov. 21, 12:50 p.m. EST, Las Vegas - While insurers work on adopting data security measures mandated by federal legislation, the threat of security breaches is increasing at an alarming rate, said a panel of experts.

"Just how bad is it? It's pretty bad," commented Andrew L. Briney, editor in chief of Information Security magazine and moderator of the panel discussion, which was held here at the Comdex Fall 2002 technology exposition.

Mr. Briney cited figures showing that security vulnerabilities have risen by 124 percent over the past two years. Actual virus infections increased by 15 percent from 2000 to 2001, while some 200 new viruses are seen each month, he added.

He pointed out that in four days, the Melissa Virus caused some $400 million in corporate losses worldwide, and in just five hours, the Love Letter Virus racked up losses between $8 billion and $15 billion. The Code Red Virus, meanwhile, brought down some 520,000 servers and caused $2.6 billion in losses, he said.

According to Gene Hodges, president of Network Associates Inc., based in Santa Clara, Calif., three things one can be sure of are "death, taxes and escalating attack rates." He also noted that there has been a strong trend toward targeted cyber-attacks that demand a higher skill level.

One problem the panelists pointed to in defending against outside attacks is the high number of security "patches" that software manufacturers send to their customers.

According to Bruce Schneier, founder and chief technology officer of Counterpane Systems, based in Minneapolis, there are "20-to-30 security patches per major product per week."

Panelists pointed out that most companies don't have the time and resources to keep up with installing the patches, and that some patches require system shutdowns. "The notion that we can find stuff and fix it has failed," said Mr. Schneier.

"We need to move to the philosophy that we will never make our networks safe," he continued. "As a scientist, I can tell you that we have no clue how to write secure code." He added that all software bugs that become security vulnerabilities are "mistakes."

"The reason software isn't secure is because the companies producing it don't care," Mr. Schneier said, drawing spirited applause from the audience. Microsoft and other software producers, he explained, are judged by speed of product release. "If Firestone produces a tire with a systematic flaw, they get sued. When Microsoft [produces a flawed product], they don't."

"Every software vendor here could do a better job of protection," Mr. Hodges agreed.

According to John Weinschenk, vice president, Enterprise Services Group, for VeriSign Inc. in Mountain View, Calif., "The challenge is that the attacks are more and more sophisticated. The best you can do is try to minimize your risk." He also recommended that companies formulate specific plans to deal with the possible consequences of cyber-attacks.

Mr. Briney also pointed out that security concerns are "the number one barrier to the deployment of wireless [technologies]."

"The threat is serious," agreed Dan MacDonald, vice president, Internet Communications, of Nokia, Tokyo, Japan. Corporations, he said, need to be aware that wireless networks "could be dangerous to their corporations." The solution, he noted, is strong authentication (making sure a user is who he or she claims to be) and encryption (encoding data so that only authorized persons can read it). "That is best practice these days," he observed.

Mr. Schneier characterized wireless communications as being "robustly insecure," adding that "the people who designed the [wireless] protocol did a horrible job on security."

The panel pointed to a widespread trend of individuals bringing their own wireless devices to work and linking into their corporate networks. Among such "rogue" wireless users (those whose links are not set up by the company's IT department), most are vulnerable to attack, the panelists agreed.

Mr. Briney also noted that, in his research, 48 percent of European companies have said that security worries keep them from adopting Web services. Mr. Schneier, however, disagreed that such worries will slow Web services growth.

"The key to Web services is making a profit," Mr. Schneier explained. "Web services will be deployed with not-good security, with half-assed security. If you can make more money than you lose, you'll do it.

"Security is a nice thing to have," he continued, "but when you're making money, get that thing out of the way."

When it comes to spending on security, Mr. Weinschenk said that regulated markets (such as insurance and financial services) are spending money on it, "because they have to."

Mr. Briney noted that IT spending devoted to security is showing a 21 percent compound annual growth rate among all companies, but Mr. Schneier argued that "the average company spends more on coffee than on security."
