Security gurus: Cooperation is paramount
'Computer security is getting worse faster than it can ever be fixed,' Jeff Moss said at the recent Sector5 cybersecurity conference in Washington.
Moss, a self-described former hacker and now chief executive officer of Black Hat Inc. of Seattle, said, 'We have to figure out a way to live with it.'
Living with, and surviving, chronic vulnerabilities requires more cooperation between government and industry, and between law enforcement and IT users, other speakers said.
'Money talks,' said Richard H.L. Marshall, principal deputy director of the Critical Infrastructure Assurance Office. 'Put your money where your mouth is, and you're going to have good behavior. Make vendors be responsible for security.'
Customer demands are just beginning to affect product design, said Howard A. Schmidt, vice chairman of the president's Critical Infrastructure Protection Board. Vendors such as Microsoft Corp. and Sun Microsystems Inc. have decided that 'security will trump feature sets' in future products, Schmidt said.
There are ways to fix the vast majority of security vulnerabilities, panelists said, but it's more cost-effective to prevent trouble than to recover from it.
'Pre-incident is where your efforts should be,' said Secret Service agent Bob Weaver, who heads a New York electronic crimes task force.
The Secret Service is turning away from its traditional posture of secrecy, which did not work well in the war on drugs, another agent said.
'Enforcement controlled the agenda, and prevention was a small part,' said special agent John Frazzini, the service's representative in the Nationwide Electronic Crimes Task Force.

Keeping an eye out
Enforcement efforts won't work either, Frazzini said. 'We're not going to arrest our way to security,' he said. 'The concept of the task force is analogous to the Neighborhood Watch program,' in which local residents look out for one another.
The USA Patriot Act of 2001 mandated the national task force, modeled on a multiagency, public-private effort that has been successful in New York. Washington has a similar task force.
Sharing information about breaches is a touchy subject. The government has encouraged the formation of information sharing and analysis centers for the IT, telecommunications, financial services and electric power industries. But security data gets sanitized before distribution to ISAC members, and there is no formal mechanism for disseminating it to the government or the public.
The Secret Service has not completely forgone secrecy in its quest for public cooperation, either. Weaver said, for example, that a large brokerage was shut down temporarily by a logic bomb planted in its systems over a dial-up connection.
'The reason you haven't heard of this is, we can keep a secret,' he said.