America fails on information security

18/09/2003 Written by Ken Silva, CNET News.com

COMMENTARY – In 1932, Franklin Delano Roosevelt, newly elected president, pledged to create a “new deal for the American people.” Designed to help the United States out of its worst economic depression, the New Deal was an opportunity to rebuild the American infrastructure.

An unprecedented amount of legislation was passed establishing agencies to rebuild America’s highways, dams and bridges – the vast majority of which are still used and depended on every day. That investment in physical infrastructure was our greatest ever, and it’s now time for a similar investment in the Internet’s infrastructure – both in shoring up actual underpinnings and in teaching people how to be more cyberaware.

Astoundingly, even two years now after the Sept. 11 terrorist attacks, America has still failed to secure our vital information infrastructure. Yet we’ve all seen the mass disruption caused by the recent Sobig, Nachi and MSBlast worms. Even though these worms were considered “unsuccessful” because they did not destroy data, they cost American businesses over $3.5 billion in August alone – a cost our economy cannot sustain. The Internet is attacked virtually every minute of every day, and many of us still take this amazing system for granted.

Estimates put the deployment of baseline security across all North American users at $450 billion, roughly equivalent to the annual value of the “information economy.” Federal Reserve Chairman Alan Greenspan and others rightly attribute our enormous productivity gains in the past decade to the explosion of information technology in our economy. But with these gains comes the price of security. While this massive networkwide investment will require many groups coming together in concert, clearly we can no longer underestimate the impact of these attacks and write them off as nuisances.

Nor should we place blame on vendors in the larger Internet community. Without a doubt every operating system, Web browser and e-mail client application used today could have benefited from additional security features embedded in it before it was released. But finger-pointing and the blame game will get us nowhere, especially when we should be busy installing the patch management options available from vendors to fix these security gaps.

And let’s not forget that worms and viruses don’t launch themselves. Our adversaries prey not only on the weaknesses of software and operating systems, but on the predictability of human beings. Even now, despite all the press, Sobig continues to get relaunched by unwitting individuals every day – all the more reason we need to continue educating people about how to use the Internet responsibly.

The Internet is a communal network – it benefits everyone, and everyone has a responsibility to protect it:

• For home users, that means changing passwords often, using antivirus software and turning off DSL and cable modems when not in use.

• For government agencies, that means demonstrating full compliance with patches and serving as a role model for good security practices.

• For vendors, it means making security a foremost thought when designing products.

• And for critical infrastructure providers, it means taking that obligation very seriously and investing substantial amounts in hardware, engineers, and research and development to stay at the forefront of cybersecurity.

There are no magic solutions or silver bullets that will shore up cybersecurity in a day. But there are steps that, taken over time, will improve the overall health, security and viability of the Internet.

Recent steps by the government are encouraging. Congress has begun to investigate the issue, and the Bush administration is expected very soon to nominate a cybersecurity chief, who hopefully will begin executing on the recommendations outlined in the National Strategy to Secure Cyberspace released earlier this year. More government leadership, infrastructure investments, greater action from industry and increased cyberawareness among Americans will go a long way toward improving the resilience of the network to attacks.

Organized crime, terrorists and bored teenagers have taken advantage of the weaknesses in our cyberinfrastructure for long enough. These adversaries understand our growing dependence on the Internet and are exploiting these vulnerabilities to harm America. If we don’t strengthen our cyberinfrastructure and increase our level of cyberawareness, it will only get worse.

History has proven that investing in our infrastructure is money well spent. With America’s national security and economic viability at stake, it’s time to up the ante and begin investing in the Internet’s infrastructure.

Biography:

Ken Silva is vice president of networks and security at VeriSign. His responsibilities include oversight of the technical and network security for the definitive database of over 27 million Web addresses in the .com and .net top-level domains. He was previously executive technical director of the National Security Agency.

