Get systems secure

Remember the TV sitcom “Get Smart,” about a bumbling spy?


For security, Agent 86 and his boss would enter a cone of silence—but they
couldn’t hear each other. In one scene, the boss offered to write a note. Agent 86
cautioned that a note could be stolen. The boss offered to swallow the note afterwards,
but Agent 86 said his stomach could be pumped by enemy spies. All right, I’ll burn it,
said the exasperated boss. But our man warned that the ashes could be reconstructed. And
so on went the goofy dialogue.


That’s how it is with computer security. It’s a seemingly intractable issue
that continues to grow for federal agencies and, indeed, for all of us. The world is
online to a much greater degree than even two years ago, yet most systems are still
maddeningly hackable. No encryption scheme has yet been found that can’t be cracked
with enough computer horsepower.


Unfortunately, the need to fix systems for year 2000 has temporarily pushed aside the
raging debate over the administration’s proposed Data Encryption Standard—the
one that many object to because they say that it gives law enforcement agencies a back
door to all encrypted data.


The result? Few agencies use any encryption to protect their own or citizens’
data. That’s a mistake. DES may be dead, but not the need for encryption.


At a recent Washington conference, Ira Winkler, president of the Information Security
Advisers Group of Severan Park, Md., and a former National Security Agency analyst, noted
that even weak encryption is better than none. It might make hackers move on to another
system, much as a burglar will avoid a house with an alarm system.


Winkler said that too few systems managers figure the lifecycle costs of security.
Those costs include downloading and then testing the constant streams of bug patches and
service packs flowing from software vendors that periodically discover security holes in
their products. Often, Winkler said, hackers exploit holes that are years old but remain
unpatched by administrators.


One wonders how many agencies downloaded the recent e-mail security patches for
Netscape Communications Corp. and Microsoft Corp. Web browsers.


Security is the cousin of the date code remediation requirement. Both are born of
short-term cost avoidance. Neither is cheap nor optional. Think about that as your agency
scrambles for year 2000 fix-it funds.


Thomas R. Temin
Editor
editor@gcn.com
