Is cyberterrorism a real threat? Are there really gangs of high-tech criminals preying on our computers? Can we use technology to fight back?
Faced with chairing two upcoming international summits on cyber crime and cyber security for the U.S.-based National Institute for Government Innovation, I decided to consult some of the top guns in the field.
Jeff Wacker is an EDS Fellow and futurist, and CIO/CTO for all the EDS global industry groups. He says the world woke up to security in a big way after the terrorist attacks in the U.S. last fall.
“I have a theory that a lot of technologies advanced five years in people’s minds on Sept. 11, especially those associated with sensing technologies and biomonitoring technologies. Things that were on the edge of everybody’s radar screen went dead centre on that day.”
He cites the example of the Ben Gurion Airport in Tel Aviv, Israel, one of the most security-conscious places in the world.
“We designed a ‘Trusted Traveller Card’ that allows you to tie your identity to your body. Then you prove that identity by standing up at a special kiosk, putting your hand into a small slot along with your card, and having a camera take your picture. The biometric being used there is hand geometry, which is probably one of the most reliable, next to fingerprinting.
He predicts that we’ll see a lot more of this technology as airports around the world wake up to threats.
He also notes that it’s not a panacea. “Right after Sept. 11, the International Biometrics Association posted a disclaimer on its web page saying that biometrics would not have stopped these attacks.”
Fingerprint-reading technology has even reached down into the junior high school age group. In a pilot project in Welsh Valley near Philadelphia, almost 700 kids have been fingerprinted.
Now, instead of carrying lunch money, they just put a finger down at the lunch line and the cost of their food is deducted from their accounts.
Apparently, this is a boon to kids who were losing their lunch money to bullies, and it also helps get those rowdy young teenagers through the lunch line faster. A few families have refused the fingerprinting out of concern for privacy, but most felt the benefits outweighed any risks.
Wacker describes a technique called Zephyr Analysis, which evaluates different biometric techniques on accuracy, cost, effort and intrusiveness. The conclusion, according to Wacker, is that there’s no perfect biometric, and it is best to use a combination of technologies to authenticate users. Being in the business of selling technology, you’d expect him to say that.
Another oracle I consulted is Ira Winker, author of two security-related books as well as chief security strategist for HP Consulting, North America.
He feels that many people are being alarmist about the risks to critical infrastructure, such as air traffic control systems.
“Every attack I’ve ever investigated,” he says, “has been accomplished not because of big sophisticated plans, but because a lot of little issues weren’t addressed. I can train anybody to break into a computer in four hours by taking advantage of problems built into software programs. All software has security bugs.”
He advises people to pay regular visits to the vendor websites to download and install patches for security-related problems.
“Most people don’t even know these exist. For example, take the latest Windows XP security problem. Even though Microsoft has supposedly sold 23 million copies of Windows XP, I would doubt that more than two or three per cent of the people have actually downloaded the fix, and if you don’t have the fix, you’re vulnerable to anybody on the Internet to attack your computer.”
In a sense, what Winkler is saying is that there are certainly problems out there, but it’s our own laziness or ignorance that puts us at risk.
He says the best way to understand security vulnerabilities is to view them from a business perspective.
He cites a very large U.S. company that had hired several security consulting firms, each of which came back in a few weeks showing how they had seized complete control of the company’s network.
The CEO said: “Now let me understand this. I have been one of the most profitable companies in America, and I have been vulnerable. I will continue to be one of the most profitable companies in America, and I will continue to be vulnerable. What’s the problem?”
Winkler was brought in, and within three days he produced critical business files.
“We showed them their executive compensation schedules, their merger and acquisition plans, and certain of their critical technologies, and said: ‘Oh, by the way, we have complete control of your entire network.’ The security budget was bumped up $10 million dollars within a week.”
Over the next few months, the University of Calgary will be presenting several short courses to help Canadians understand the challenges of security.
These include a unique program held in collaboration with the Calgary Police Service. Cybercrime Prevention for Law Enforcement and Security Professionals will bring police and civilians together for four days of intensive training in April.
Another highlight will be Privacy in the New War Era, a one-day briefing on May 7, which will feature Federal Privacy Commissioner George Radwanski, as well as other experts in this field.
The gurus all tell us that if we take reasonable security precautions, our computer systems will be safe.
Then again, none of the experts predicted Sept. 11.
* International Summit on Cyber Crime: Providing law enforcement officials with the tools to monitor, investigate and prosecute cyber criminals, March 18-20, 2002, Las Vegas, Nev. Web: www.nigi.org/h0177.htm
* Cyber Security: Practical tools and techniques to ensure maximum protection of your agency’s critical infrastructure, April 22-23, 2002, Las Vegas, Nev. Web: www.nigi.org/h0173.htm
(Keenan is dean of the Faculty of Continuing Education at the U of C)