Barbarians in the gate
Thomas R. Temin
Computer and data security as it is practiced today resembles nothing so much as the Cold War.
Consider its emphasis on passwords, encrypted tokens, firewalls and physical protection of hardware. Current practice assumes major threats will originate as either brute force or stealth assaults from outside. The proverbial teen-aged hacker with a notebook PC is what keeps the country's best security minds awake at night, they say at conference after conference.
This paranoia is understandable. After all, there really are constant attacks against government systems. The Defense Department records tens of thousands of them a year.
But the fortress approach is most effective for buildings. Between the World Trade Center and Alfred P. Murrah Federal Building bombings, to name two, there is plenty of cause to worry about outside attacks. Even the newly refurbished Washington Monument has been surrounded at its base by a ring of concrete barriers designed to keep vehicles at a safe distance.
The recent spying charges brought against FBI agent Robert P. Hanssen, however, illustrate a different kind of systems vulnerability: trusted insiders who go bad. It shows how the fortress approach addresses only half the problem when it comes to systems and the data they hold.
The FBI's systems bristle with security to keep outsiders out. So do those at the Energy Department and Pentagon. Yet they've all been compromised in recent years by trusted insiders.
Corporate systems, whether government or industry, are like battleships'heavily armored, strategically important and vulnerable to blowing up from within if their explosives magazines are put in jeopardy.
Agencies have paid scant attention to the matter of compromise by insiders. One reason is that the technologies to monitor use patterns for anomalies are not as widely understood as, say, firewalls. Another is that secret or even ordinary work requires collaboration, data sharing and freedom of movement among those you trust.
No pat answer exists. But agencies must squarely face the fact that security really does start from the inside.Thomas R. TeminEditorial director
E-mail: [email protected]