|
 |
 |
Will you be liable for IT�s �dirty little secret�?c|net news.com on August 14, 2002 In late July at a technology conference in the nation's capital, President Bush's top cyber-security adviser, Richard Clarke, said the technology industry was acting irresponsibly by selling computer network devices that remain remarkably easy to attack. "It is irresponsible to sell a product in a way that can be so easily misused by a customer in a way that jeopardizes their confidential and proprietary and sensitive information," Clarke said. In fact, it's the industry's "dirty little secret" that if you use your company's networks or the Internet, your daily online communication activities - from sending and receiving email and instant messages, to using the Web - can be trivially monitored by others, and in all likelihood are. Toward what end? Think about it. When I was a boy, my friends and I would occasionally play tricks on girls in our neighborhood - quietly sneaking over to their homes, opening Ma Bell's little gray box mounted on the side of their parents' home, and tapping into their nightly gab-fests with a telephone that we'd brought over. Just mischievous kid stuff? Dream on. Industry pundits found it quite unsettling at a conference recently when, without permission, Web images being received by their wirelessly-connected laptops were grabbed "off the air" and displayed on-stage, live. It also works for wired networks: programmers have been building "sniffers" such as dsniff and etherpeg for years - for law enforcement, amusement, and profit. Your company's network administrators can watch anything you do that flies by on their wires. So can the men and women who keep the servers and routers running all night long at your Internet service provider. But they wouldn't do that, would they? In order to protect you, corporate IT administrators are hard at work solidifying the "great firewall" around your organization - keeping the outside out, and the inside in. But at the same time, you need to work from home. And increasingly, you need to work closely with business partners and customers, but the IT group won't give them VPN access because doing so would expose too much. So how do you get your work - Microsoft Office documents and presentations - through the firewall? Many of us send them home as email attachments. Or, like John Deutch, we take them home on memory cards. And how safe is the confidential information on our laptops? Once many years ago, in Paris, I walked into my hotel room and found the chambermaid moving nervously away from my computer. "Je jouais le Solitaire", she said. Hmm. So how did we get ourselves into this situation, and what should we do about it? Surely the industry can and should take a good share of the blame, as should the government. Internet pioneer David Reed recently pointed out that in the early years, efforts to incorporate end-to-end encryption into the base standards of the 'net were reportedly discouraged - for reasons of national security. But "weak encryption" is no longer a reasonable excuse for unsecure systems. It's clear by now that real security comes not just from strong crypto, but by recognizing and embracing human strengths, frailties, and common behaviors in building, managing and using complex systems. People are always the weakest link. The industry also needs to explore new approaches to secure systems. Although PKI works within a well-managed enterprise environment, work relationships now commonly span across enterprise boundaries, into domains of questionable trust. And third party "notaries" don't help much; they introduce significant risk: When VeriSign was fraudulently duped into issuing Microsoft certificates to an unknown party in early '01 - with little reported recourse - utopian visions of "outsourcing identity and trust" crumbled. Enterprises need, and must demand more "cellular" approaches to trust and secure information sharing, such as peer trust, webs of trust, and fine-grained federated trust. The "great wall" approach is outdated; with the distinction between "inside" and "outside" becoming blurred, we need alternatives to the firewall and VPN models of protection. But there's no need to wait: there are practical actions that can be taken immediately and inexpensively -- today. For example, Windows XP supports an Encrypting File System that is very useful for laptops; buy the upgrade, turn it on, and password-protect the computers. Both Microsoft Exchange and Lotus Notes support enterprise message encryption - if IT departments would simply use it. These are just a couple of alternatives. We've been through years of asbestos and tobacco liability suits; will liability for IT complacency be next? Someday, some shareholder is going to lose quite a bit of money because an electronic message was "sniffed", or "spoofed". Someone's health or financial records are going to get into the wrong hands. A design will be compromised; someone will get hurt. And at that point, network television cameras are going to be focused on a lawyer who's asking a company executive, or a government official, "Sir, were there reasonable alternatives at the time?"
|
