Friday, 01 May 2009

US cyber-security 'embarrassing'



Experts say the threat is increasing fast


The criticism comes as President Obama prepares to release the results of a review he had ordered.

Tim Mather, chief strategist for security firm RSA, told BBC News: "The approach we have relied on for years has effectively run out of steam."

Alan Paller from security research firm SANS Institute said the government's cyber defences were "embarrassing".

The government review, which will outline a way forward, is expected to be opened up for public comment at the end of this month.

At the same time, President Obama is also expected to announce the appointment of a cyber-security tsar as part of the administration's commitment to make the issue a priority.

For many attending last week's RSA conference in San Francisco, the biggest security event of its kind, such focus is welcome.

"I think we are seeing a real breaking point in security with consumers, business and even government saying enough, no more. Let's rethink how we do this because the system is broken," said Mr Mather.

'Laws of procurement'

Over the past couple of weeks, the heat has been turned up on the issue of cyber-security following some high-profile breaches.

One involved the country's power grid which was said to have been infiltrated by nation states. The government subsequently admitted that it was "vulnerable to attack".

The review will provide a roadmap for tackling cyber-security

Meanwhile reports during the RSA conference surfaced that spies had hacked into the Joint Strike Fighter Project.

The topic is very much on the radar of politicians, who have introduced a number of bills to address security in the virtual world.

One includes a provision to allow the president to disconnect government and private entities from the internet for national security reasons in an emergency.

The latest bill, introduced this week by Senator Tom Carper, has called for the creation of a chief information officer to monitor, detect and respond to threats.

Mr Paller, who is the director of research for SANS, believes the government's multi-billion dollar budget is the most effective weapon it has to force change.

"The idea of cyber-security leadership isn't if it's the White House or DHS (Dept of Homeland Security). It's whether you use the $70bn you spend per year to make the nation safer."

He said the best way to ensure that was to require industry to provide more secure technology for federal acquisitions.

"If you want to change things, use the laws of procurement," suggested Mr Paller.

Hot seat

There is a growing view that the industry is also at a crossroads and has a responsibility to alter the way it operates.

There are 32,000 suspected cyber-attacks every 24 hours

"I think we are more aware of security than ever before," said Benjamin Jun, vice-president of technology at Cryptography Research.

"We are looking at risk in a new way and the good security practitioners are in the hot seat. It's time for them to do their job."

It is also time for them to come up with new technologies that can keep pace with, and move ahead of, the threats that affect the whole of cyberspace, says Asheem Chandna of venture firm Greylock Partners.

"For the evolution of the internet, I think we need the next wave of innovation. The industry clearly needs to step up and deliver the next set of technologies to protect people and stay ahead of the bad guys."

He also believes the smaller innovative companies in Silicon Valley could help the government be more productive if they were not effectively locked out of the process by the big established firms.

"We want smaller companies that are innovating in Silicon Valley to be given a better chance to help government agencies meet their mandate but the bureaucracy to do this hinders these companies.

"Instead they go to commercial customers because they see the value, they move fast, they see the return on investment and the competitive advantage it can give them. The federal government is more of a laggard in this area," said Mr Chandna.

'Silver lining'

There is undoubtedly a consensus that the security of the internet needs to be improved and that attacks are taking their toll on everything from banks to credit card companies and from critical infrastructure to defence.

The president has likened the threat to the internet to that of a nuclear attack

"There is a silver lining to this dark cloud," said Mark Cohn, the vice-president of enterprise security at security firm Unisys.

"Public awareness, and that among the community and interested parties, has grown tremendously over the last year or two.

"Cyber-security affects us all from national security to the mundane level of identity theft and fraud. But that means society as a whole is more receptive to many of the things we need to do that would in the past have been seen as politically motivated."

For security firm VeriSign, a shift in how people practise security is what is needed.

"Security is a state of mind," said the company's chief technology officer, Ken Silva.

"Up until now we have relied on the inefficient system of user names and passwords for security. Those have been obsolete for some time now and that is why our research is focused on making authentication stronger and user friendly."

To that end, VeriSign has introduced a security application that produces an ever-changing password credential for secure transactions on the iPhone or Blackberry. To date the free app has been downloaded more than 20,000 times.

"It's one thing to say security is broken, but the consumer doesn't care until it affects them," said Mr Silva.

"But if we as an industry want them to use stronger security measures we have to make it easy and more user friendly."

Indeed Mr Cohn believes everybody has to play his or her part as the online world becomes increasingly integral to our lives.

"It may seem like we are under attack and the world is more dangerous but in some ways the threat environment is shifting.

"Now the greater concern for people is protecting their information, their identity, their financial security as we move to put more information online like our health records and our social security records.

"We are at a crossroads and this should be viewed as a healthy thing," said Mr Cohn.