Get systems secure
Remember the TV sitcom Get Smart, about a bumbling spy?
For security, Agent 86 and his boss would enter a cone of silence, but they
couldn't hear each other. In one scene, the boss offered to write a note. Agent 86
cautioned that a note could be stolen. The boss offered to swallow the note afterwards, but Agent 86 said his
stomach could be pumped by enemy spies. "All right, I'll burn it," said the exasperated
boss. But our man warned that the ashes could be reconstructed. And so on went the goofy
That's how it is with computer security. It's a seemingly intractable issue
that continues to grow for federal agencies and, indeed, for all of us. The world is
online to a much greater degree than even two years ago, yet most systems are still
maddeningly hackable. No encryption scheme has yet been found that can't be cracked
with enough computer horsepower.
Unfortunately, the need to fix systems for year 2000 has temporarily pushed aside the
raging debate over the administration's proposed Data Encryption Standard, the
one that many object to because they say that it gives law enforcement agencies a back
door to all encrypted data.
The result? Few agencies use any encryption to protect their own or citizens'
data. That's a mistake. DES may be dead, but not the need for encryption.
At a recent Washington conference, Ira Winkler, president of the Information Security
Advisers Group of Severna Park, Md., and a former National Security Agency analyst, noted
that even weak encryption is better than none. It might make hackers move on to another
system, much as a burglar will avoid a house with an alarm system.
Winkler said that too few systems managers figure the lifecycle costs of security.
Those costs include downloading and then testing the constant streams of bug patches and
service packs flowing from software vendors that periodically discover security holes in
their products. Often, Winkler said, hackers exploit holes that are years old but remain
unpatched by administrators.
One wonders how many agencies downloaded the recent e-mail security patches for
Netscape Communications Corp. and Microsoft Corp. Web browsers.
Security is the cousin of the date code remediation requirement. Both are born of
short-term cost avoidance. Neither is cheap nor optional. Think about that as your agency
scrambles for year 2000 fix-it funds.
Thomas R. Temin