The New Insecurity
Since the terrorist attacks on September 11, 2001, computer security has taken on some new meanings. The first is positive. As part of a global tightening of belts and rolling up of sleeves, several outreach efforts emerged to provide security training and certification to folks in all walks of life, from the consumer being alerted about identity theft, to the soldier, sailor, and weapons scientist taking greater precautions with items of national security, to the common person on the street gaining a heightened awareness of hackers and crackers and cyber attackers. Gradually this new emphasis on computer and network safety has percolated down to the ordinary user’s computer in the den or living room. And because it really is a small Internet, and what affects one usually affects all, the safer individual users are, the safer the Net is for everybody.
Unfortunately, in return for a perception of security, both physical and on the Internet, some computer users have begun to accept unprecedented compromises in privacy as part of the price to be paid to counter an envisioned terrorist threat associated with computer usage. In return for a feeling of “protection” with vague ties to national defense, more and more of what used to be private data and folks’ own business is now available for inspection by corporate and legal observers. Giving up the proven checks and balances that are the underpinnings of a free society may do more harm than good. Recent reports, such as a summer 2003 incident in which one or more airlines turned over to a contract firm working for the Department of Defense the transaction records of a half million passengers for use in an experiment on database profiling, have demonstrated that relaxed restraints on law enforcement agencies can lead to egregious actions. Numerous press reports have indicated that the expanded powers granted to law enforcement agencies in the name of homeland defense are increasingly being used to investigate and prosecute crimes under laws not related to homeland defense at all. This, in turn, has resulted in a mini-backlash designed to rein in the security promoters, heightening the debate.
Possibly in response to a perceived decrease in privacy, a large number of new laws have come into play that attempt to protect individuals against widespread dissemination of personal information and regulate the creation and exchange of financial information regarding corporations. These new laws have long names, such as the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley, and the Family Educational Rights and Privacy Act (FERPA). These laws make it a crime to reveal personal information gathered in the course of doing business, and often require the reporting of computer crimes that were formerly swept under the carpet to avoid embarrassing the agency or company allowing such a lapse.
The ordinary user, such as the salesperson or secretary who logs on in the morning and shuts down at night, would rather not think twice about security. In fact, she might not think of it at all until a worm or some other attack affects the machine on which she has to work.
Some of the most invasive computer attacks against individuals may not involve infecting a computer, but merely listening to one. With machine patience, sniffers and database programs can accumulate data about people—lots of people—over as long a time as is needed to gather enough information to make an attack. Usually, the attack takes the form of making credit card purchases, or applying for credit in the name of the victims whose details have been pieced together. Such crimes, often called identity theft, can be devastating. It is not that the victim is always left liable for the fraudulent purchases; consumer protection laws and the rapid closing of accounts help a great deal to prevent that. It is that the victim may be left unable to exercise his own credit, or establish more, because vendors can’t easily be sure whether any new transactions made after the theft is reported come from the customer or from the thief. And it is highly likely that the victim will be unaware of any of these activities until the damage has been done.
Now that it increasingly impacts the average user, public awareness of computer security has risen dramatically. Computer security has hit the newsstands, with more and more articles warning the public about viruses and other perils. The media also describes an increasing array of preventatives, ranging from changing network habits to adding firewalls and intrusion protection systems. Mix in the specter of terrorism, and the stakes get even higher.
Who You Gonna Call?
A new generation of security consultants—what Business Week once termed “hacker-busters”—has hung out its shingle. A number of organizations stand ready to provide expert assistance in case a computer virus outbreak threatens the Internet:
- Funded by the Defense Advanced Research Projects Agency (DARPA), the Computer Emergency Response Team (CERT) at the Software Engineering Institute at Carnegie Mellon University was created to provide information and support against any Internet crises, cyber attacks, accidents, or failures. Now officially named the CERT Coordination Center, this clearinghouse is the mother-of-all-CERTs, and regional and corporate incident response centers are springing up to handle crises locally.
- The Federal Computer Incident Response Center (FedCIRC) is the federal government’s trusted focal point for computer security incident reporting, providing assistance with incident prevention and response. In 2003, FedCIRC officially became part of the Department of Homeland Security’s Information Analysis and Infrastructure Protection (IAIP) Directorate. IAIP will continue to provide the FedCIRC services.
- The Department of Energy has also established a Computer Incident Advisory Capability (CIAC) oriented to its own agency needs, including a “hoaxbusters” page dedicated to helping users recognize which reported attacks are real and which are based on hysteria. Hoaxes come in two varieties. The gentle gags clog up networks as users frantically alert their friends and neighbors of the supposed hazard. The vicious gags encourage users to take “protective measures,” such as deleting files, that might actually damage their own computers in an attempt to avoid a worse calamity.
- US-CERT is a partnership between CERT and the U.S. Department of Homeland Security.
Other national incident response teams have been formed in many countries:
- In the United Kingdom, there is the National Infrastructure Security Coordination Centre (NISCC), pronounced “nicey,” which is charged with protecting essential systems and services known collectively as the Critical National Infrastructure (CNI).
- AusCERT (Australian CERT) monitors and evaluates global computer network threats and vulnerabilities.
- CanCERT is Canada’s first national Computer Emergency Response Team.
- CERT Polska deals with security-related incidents related to Polish networks.
- SingCERT (Singapore CERT) serves Singapore and parts of Southeast Asia.
- SI-CERT is the Slovenian Computer Emergency Response Team, a service offered by ARNES (Academic and Research Network of Slovenia).
- OXCERT provides CERT services for Oxford University in the United Kingdom.
In addition to government response organizations, many commercial providers of security services and virus protection systems have also set up organizations that are prepared to come to the aid of any customers who find security holes or face attacks. Linux and Unix users likewise have ample organizations that report new exploits and post fixes for easy update.