Who trumps bin Laden as a cyberthreat? Look in the mirror

April 8, 2008 3:51 PM PDT

Posted by Charles Cooper 24 comments
(Credit: Charles Cooper/CNET News.com)

SAN FRANCISCO--It turns out al-Qaida's leader and his cohorts aren't the biggest threat to our cybersecurity. You are.

Six years ago, Osama bin Laden represented the nightmare scenario for the computer security establishment. But more immediate cyberdangers lurk on the horizon. Experts attending the RSA conference that began here today say it's you--Mr. & Mrs. Computer User--who keep goofing up.

In fact, they contend, the future of cybersecurity hinges less on a latter-day version of spy-versus-spy against shadowy terror groups than on a more serious effort to instill best practices. Listening to their heeding was something akin to the scene in the movie Groundhog Day, where Bill Murray repeatedly wakes up to the same morning.

Security gurus have long urged the business world to turn network security into part of the corporate DNA. The message is not fully getting through. And now we're seeing the predictable results.

After listening to Symantec's John Thompson's morning keynote, I later kidded him about purposely scaring the hell out of people. He was a good sport about my joshing but pointed out that the information security landscape is increasingly punctuated by cases of data theft. He backed that up by reciting a litany of worrisome stats from his company's latest Internet security threat report. Truth be told, it makes for grim reading.

Symantec CEO John Thompson
(Credit: Charles Cooper/CNET News.com)

Among the report's highlights:

• 65% of the new code being released into the market is malicious

• The U.S. was the top country of attack origin in the second half of 2007

• The education sector accounted for 24 percent of data breaches that could lead to identity theft.

• Government was the top sector for identities exposed, accounting for 60 percent of the total

• Theft or computer loss resulted in the most data breaches that could lead to identity theft

• The United States had the most bot-infected computers worldwide

If the statistics are accurate, rank-and-file computer users are far from internalizing the security mantra. What's more, the findings suggest it will be quite some time before most people treat computer security as more than an afterthought. In the meantime, of course, Thompson didn't preclude the possibility of a terror or state-based organization launching a big cyber attack. But he believes the more likely danger to the nation's infrastructure will emanate from a different quarter.

"The threat landscape has changed," he said. "When people used to talk about the "Big One," they were thinking about that in the context of an attack on the infrastructure itself. That's still possible but less probable today because attackers have shifted to the information itself. They're much more stealth-like. Before, they wanted to become obnoxiously visible. Now they don't. They want to quietly penetrate defenses so they can sell what they steal in what's become a growing underground economy."

DHS Secretary Michael Chertoff
(Credit: Charles Cooper/CNET News.com)

(He's got a point. Symantec's report found that bank accounts are the most commonly advertised item for sale on underground economy servers, accounting for 22 percent of all activity tracked.)

In years past, Thompson and other computer security executives have pushed the idea of making cyber-security as familiar to most people as the fire prevention campaign underwritten by the government in the 1960s and 1970s. Considering the amount of money Uncle Sam is spending on cyber-security these days, that's a pipedream.

Department of Homeland Security Secretary Michael Chertoff, who also presented a keynote on Tuesday, offered litte indication Washington was about to ride to the rescue. In remarks during his prepared speech and subsequent press conference, Chertoff offered a dutiful recitation of what he described as the President's interest in shoring up the nation's digital security.

But despite Chertoff's repeated commitment to doing the right thing - including a call to arms inviting Silicon Valley's best and brightest technologists to come to Washington to work on cyber-security - I wonder how many industry skeptics he'll win over. Until recently, DHS couldn't get a cyber-security director to stay in what essentially was a figure-head job much longer than a year. Off-the-record interviews with people familiar with the goings-on there have described the situation to me as a bureaucratic mess.

DHS finally staffed up by putting in Greg Garcia, a former official with the Information Technology Association of America trade organization, as assistant secretary for cybersecurity and telecommunications. More recently, Rod Beckstrom, an author and entrepreneur best-known for starting business collaboration software maker Twiki.net, was in charge of directing a national cybersecurity center that operates inside DHS.

Give Chertoff credit for being candid about where DHS has come up short. He said the government needs to reduce its (literally) thousands of network access points to around 50. At the same time, Chertoff wants his department to faster detect and analyze computer anomalies. A big part of that will involve a revamp of U.S. CERT's early warning system

"Even giving an adversary one bite at the apple before we've figured out the meta data or (digital) signature is one bite too many," he said.

In the end, however, money talks and you-know-what walks. The feds only have a $115 million budget to work with. Chertoff's department has requested $192 million for the new fiscal year but that's still doing it on the cheap. By comparison, we spend $720 million in Iraq each day.