21
Thu, Nov
1 New Articles

Fear, Uncertainty, and Doubt About Global IT Security

Commentary
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

If you were to play Dr. Phil with your management, what do you think its greatest anxiety would be?

In this era of hurricanes, war, and terrorist attacks, you might believe that the greatest fears would be the physical security of the IT infrastructure. Or you might believe that companies in the global economy are most afraid of losing their competitive edge as they struggle to keep legacy software up-to-date with demands. If you are currently seeking work in the field of IT, you might even hope that they were worried about replacing the IT talent that is scheduled to begin retiring over the next decade.

Yet, according to a survey conducted by IBM last March, cyber-crime is probably your company's Number 1 fear: Management feels less than confident that it has a cohesive and coordinated plan to address the threat. Moreover, it has begun to recognize that whatever plan it implements will soon be outdated as organized crime becomes increasingly savvy with advanced IT technology.

IBM Quantifies the Fear

With input from 600 CIOs or other qualified individuals, the IBM survey revealed that 84 percent of IT executives of U.S. businesses believe that organized criminal groups possessing technical sophistication are replacing lone hackers in the world of cyber-crime. Moreover, almost 75 percent of the respondents believe the threat from unprotected systems in developing countries is an uncontrollable problem. Finally, 74 percent say that threats to corporate security are now coming from inside their own organizations.

Jurisdiction

Perhaps the most difficult problem addressing the issue of cyber-crime is identifying who is responsible for protecting IT assets and enforcing the laws that are already on the books.

According to the Department of Justice (DOJ), "The primary federal law enforcement agencies that investigate domestic crime on the Internet include: the Federal Bureau of Investigation (FBI), the United States Secret Service, the United States Immigration and Customs Enforcement (ICE) , the United States Postal Inspection Service, and the Bureau of Alcohol, Tobacco and Firearms (ATF) ." However, if a crime is committed, in addition to these federal agencies, you are also required to file a complaint with both local and state law enforcement as well as international agencies, depending on the scope of the crime.

For instance, the DOJ says that crimes associated with hacking should be reported to the local office of the FBI, the U.S. Secret Service, and the Internet Fraud Complaint Center. Internet fraud and spam should be additionally reported to the Federal Trade Commission and the Securities and Exchange Commission. If there is suspected trafficking in child pornography, the U.S. Postal Inspection Service should also be notified. If there is a bomb threat sent via the Internet, the ATF office should be notified.

Each of these agencies has its own forms and procedures that must be followed to initiate an investigation.

Coordination for Cyber-Crime Lacking

The DOJ has not identified a specific agency to handle corporate identity theft on the Internet, one of the most frightening crimes for CFOs. (For recent articles on identity theft in MC eServer Insight, see "Evil Ones Lurking" by Carol Woodbury and "Corporate Identity Theft" by Thomas M. Stockwell). No specific agency has been identified to handle the theft of data itself, such as vital corporate employee or payroll records.

Yet, according to the survey conducted by IBM, nearly 60 percent of U.S. businesses believe that cyber-crime is more costly to them than physical crime. In these executives' minds, it's as though they are conducting business with a warehouse of goods that is sitting unprotected by local and federal law enforcement. No wonder they are concerned.

Handling the Threat

According to the IBM survey, 83 percent of U.S. organizations are responding to the increased/changing threat of cyber-crime in a number of ways:

  • Seventy-three percent are upgrading their virus software.
  • Sixty-nine percent are upgrading their firewall.
  • Sixty-six percent are implementing intrusion detection/prevention technologies.
  • Fifty-three percent are implementing vulnerability/patch management systems on their networks.

This is old news to IT professionals, but is it really enough to stem the flow? It's hard to say because, with so many federal and local agencies involved, there is no centralized database of cyber-crime statistics.

What We Know About the Problem

The last DOJ effort was a pilot survey conducted in the second half of 2002. In that pilot, consisting of 500 sampled companies, less than half responded to the survey. Of that number, 75 percent reported that they had detected at least one incident of ciber-crime. Fewer than 12 percent reported the incidents to law enforcement. Yet 68 percent of those that indicated they had experienced an incident said they had incurred losses. The total losses reported were more than $68 million.

That survey was conducted almost five years ago, and the odds are that—considering the level of sophistication that organized crime is believed to have achieved—the losses today have not decreased, but have increased substantially.

Federal Priorities

Given the potential threat against the U.S. economy, one would suppose that cyber-crime would be a hot topic at the Department of Homeland Security (DHS), but unfortunately the job of assistant secretary for cyber-security and telecommunications remains open, as it has been since secretary Michael Chertoff created it last October.

According to reports from Capitol Hill, members of congress are very upset about the lack of movement by the DHS, and their concerns became known when the House Homeland Security Committee began finalizing the Homeland Security Science and Technology Enhancement Act of 2006 (HR 4941). An effort by the committee's Democratic members to specify $50 million for cyber-security upgrades failed on a party-line vote of 15 to 13, and unfortunately this will force the determination of the priority of the department's spending on the appropriations committee, which is less familiar with the issue.

"The lack of progress on cyber-security is of grave concern," said Rep. Zoe Lofgren (D-CA). Lofgren believes it's vital to elevate the post of secretary for cyber-security within the DHS.

Other members of Congress agree. Representative Loretta Sanchez (D-CA) has said, "There is very little leadership coming out of the department on cyber-security." Sanchez was the sponsor of the amendment to HR 4941 that would specify an amount for additional cyber-security spending.

A Defense Issue

Instead, Congress has moved money to the Department of Defense (DoD) to spend on cyber-security. "In the Defense budget, we have put hundreds of millions of dollars in for information dominance," Rep. Curt Weldon (R-PA) said. He also said that the Pentagon now has programs to fund universities to launch cyber-security study centers and to expand the military's own cyber-security programs. In addition, the committee sent to the House a bill that directed DHS to launch several cyber-security efforts, including mitigation and recovery technologies; modeling, test-bed, and data set development for cyber-security research; secure Internet protocols; and voluntary standards for critical infrastructure systems.

In other words, the extent of the DHS involvement has been lowered to that of a funding mechanism for basic cyber-security research, with no law enforcement capabilities.

What the DOJ Is Doing

Meanwhile, the DOJ does what it can on the cyber-crime front. On its Web site the department lists its latest successful convictions:

Florida Man Sentenced for Causing Damage and Transmitting Threat to Former Employer's Computer System (July 13, 2006)
Former Technology Manager Sentenced To A Year In Prison For Computer Hacking Offense (June 23, 2006)
North Carolina Man Charged with Illegally Accessing American College of Physicians Database (June 15, 2006)
Former Federal Computer Security Specialist Sentenced for Hacking Department of Education Computer (May 12, 2006)
"Botherder" Dealt Record Prison Sentence for Selling and Spreading Malicious Computer Code (May 8, 2006)
California Man Pleads Guilty in "Botnet" Attack That Impacted Seattle Hospital and Defense Department (May 4, 2006)

Considering the scope of the problem and the potential threat to the U.S. economy, it's important to note that all of these convictions were the result of local and regional efforts on the domestic front.

The last globally reported arrest of individuals involved in international cyber-crime was the capture in 2005 of the authors of a Windows 2000 worm called Zotob. In that case, the authors were physically located in Turkey and Morocco, and the FBI chose not to extradite the offenders. Even so, it is doubtful that the FBI would have located them had Microsoft not provided them—through its analysis of the worm code—with the precise location of the criminals. Since then, few reports of law enforcement success on an international level have been reported.

U.S. vs. International Business Concerns

In this regard, it appears that U.S. firms concerned with cyber-security are forced to go it alone until the government begins to treat the threat with more sensitivity.

Yet, in a global economy, the issue of cyber-crime knows no boundaries. According to the IBM survey, the U.S. and international business communities share the same concerns when it comes to the key costs associated with cyber-crime. Both groups indicated that loss of revenue (63 percent U.S. versus 74 percent international) and loss of current customers (56 percent U.S. versus 70 percent international) would have the highest cost impact should their organizations fall victim to a cyber-crime.

Damage to their brand/reputation is of much higher concern to international businesses than those in the U.S. Over two-thirds (69 percent) of international businesses cited this to be a key cost associated with cyber-crime, compared to only 40 percent of U.S. businesses.

U.S. businesses are equally concerned about the loss of their current and prospective customers (56 percent for each) compared to the international community, which is more concerned with losing current customers (70 percent) and less concerned about losing prospective customers (33 percent).

FIRST.org

Yet, despite the lack of interest in Washington, the requirements for international cooperation for cyber-security are wel- known. In its white paper "International Coordination for Cyber Crime and Terrorism in the 21st Century" the Computer Emergency Readiness Team (CERT.org) identified the challenges of creating a framework by which international technical and law enforcement communities could approach the issue on a global basis. "There is an urgent and ongoing need to provide a global infrastructure to provide a fast, effective, and comprehensive response to computer security incidents on a local, national, and international scale. At this time, there is no infrastructure to support a coordinated global incident response effort," CERT says.

In the 1990s, such concerns led to the establishment of the Forum of Incident Response and Security Teams (FIRST.org), which now has over 170 members. FIRST.org was designed to act as an international clearing house for technical threats from cyber-crime, such as viruses, worms, and Trojans. FIRST.org has representatives from 19 countries and provides a closed forum for teams to share experiences, exchange information related to incidents, and promote preventive activities.

However, though DoD and the U.S. Postal Service are active members, no representation from the DOJ is currently present, and the reporting mechanisms that emanate from FIRST.org focus on computer threats such as rapidly spreading viruses.

Recent FIRST Initiatives

On June 21, 2006, FIRST.org sponsored a conference in Baltimore, Maryland, in which Brian Nagel, assistant director of the U.S. Secret Service Office of Investigations, presented the keynote address "Building Effective Relationships between CSIRTs and Law Enforcement." Yet during the keynote, the conflict of focus between roles of the law enforcement community and the technical community became widely talked about, and it became clear that better coordination between the two was required.

Directions

Certainly, we are living and operating our businesses in a truly global cyber-space in which our advancing technologies have opened doors and windows to opportunists who will take advantage of their sophisticated knowledge to rob our enterprises. How extensive this trend has become is still not known, though the extent of what has been reported publicly is sobering. Business reputations and profitability are at stake, yet the federal government in the U.S. does not yet have a comprehensive law enforcement strategy. The results of its efforts are now focused upon finding the low-hanging fruit: the least-sophisticated offenders, who are easily identified when incidents are reported.

Federal policy currently seems to currently consider the threat of cyber-crime only insofar as it impacts the national security of the country. It does not seem to be aimed at coordinating international efforts to reduce levels of cyber-crime that will impact our business enterprises.

Technical communities have made strong efforts to alert businesses to potential threats and to reduce the technical vulnerabilities within our organizations. These same technical communities are working overtime to identify threats and fix software, in both the open-source environment and at the commercial software front. However, attempts to coordinate its knowledge with law enforcement officials have been hampered by a lack of agency funds at every level of government.

Meanwhile, business leaders who still fear this unseen threat must spend sleepless nights wondering who is accessing the company's data, who is stealing its secrets, and who is selling access to vital information that is stored in their systems.

In IT, we tend to see this first as a technical problem that requires our stringent attention, but it is more than that. It is an international epidemic of crime that is awaiting the right moment to inflict its impact upon our economy.

Are we truly secure? Of course not! Is our management aware of the threat? Certainly! Are we taking whatever actions we can to protect our organizations and our livelihoods? Yes! But it will take more than our individual efforts.

Industry experts analyzing the traffic on the Internet report that over 80 percent of what is being transmitted is spam. When a new virus attack commences, our organizations have literally seconds to identify and quarantine the offensive rogue agent. We are operating our businesses on the edge of catastrophic security meltdown, and we need coordinated federal and international assistance.

Where will we find it?

Thomas M. Stockwell is Editor in Chief of MC Press Online, LP.

Thomas Stockwell

Thomas M. Stockwell is an independent IT analyst and writer. He is the former Editor in Chief of MC Press Online and Midrange Computing magazine and has over 20 years of experience as a programmer, systems engineer, IT director, industry analyst, author, speaker, consultant, and editor.  

 

Tom works from his home in the Napa Valley in California. He can be reached at ITincendiary.com.

 

 

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: