Agencies say goal of network security is a moving target
Ensuring that networks are secure for Internet transactions, either for commerce or just for the exchange of information, is an uphill battle, agency participants said Tuesday at a Federal Communications Commission conference.
Those trying to ensure network security "are operating on moving ground," said William Mularie, director of the Information Systems Office at the Defense Advanced Research Projects Agency. Technology and security officers are faced with very clever people who find ways around the security measures that are put in place, and "the world is not going to get any better," he said.
Mularie noted that he was sanguine about the business implications of the Internet because people always tend to do business with companies and people they trust--and the availability of e-commerce won't change that.
David Farber, FCC chief technologist, said keeping quiet about security measures is a bad idea because it generally means there are concerns about security risks. And it is necessary for companies that have been hacked into to "prosecute the hell out of" the criminals and not try to keep the security breaches quiet, he said, because sending a message that security breaches won't be tolerated can have a deterrent effect.
Rep. Tom Davis, R-Va., has introduced a bill, H.R. 4246, that would provide companies a limited exemption from the Freedom of Information Act to encourage them to share information about cyber attacks with the federal government. It would offer them protection against antitrust laws for the purpose of discussing ways to combat cyber attacks with other companies.
It is impossible for companies to address all of the potential security risks. They have to consider the potential threats, how likely they are to become real, what the potential damage would be and how expensive it would be to deter the threat. "It is a business decision," said Will Leland, chief scientist and director of network security research at Telcordia Technologies.
Mularie cited a recent study that found that most corporate executives felt safe with current security measures and saw no compelling business reason to additionally bolster their defenses to protect their customers. All the technology in the world doesn't matter unless people can be persuaded to use it, he said.
But even with the best technology, "we cannot see some of the things that are happening on our networks, so it is a limited club," Mularie noted.