January 27, 2004

Even before the Internet went mainstream, computer security was a problem. In the 1983 movie WarGames, we saw a young Matthew Broderick hacking his way into the computer that controls the U.S. nuclear command-and-control system. Today's hackers descend from the phone phreakers of the 1970s and '80s, who mimicked the signaling tones of the telephone network to obtain free long-distance calls. Viruses and worms have been part of the background noise of cyberspace since its earliest days. So what's new?

Well, the numbers tell the tale. In 2000, there were 21,000 reported virus incidents. Three years later, the number was more than six times higher. In 2002, the worldwide cost of worms and viruses was estimated at $45 billion; August 2003 alone saw costs of almost the same magnitude, and forecasts have the annual cost rising 300% year over year. Twenty-seven million Americans have been the victims of identity theft in the past five years, and one-third of that total were victimized in the past 12 months. Patches to correct the kind of commercial-software vulnerabilities that hackers target most frequently were once issued at a rate of maybe 10 per month. In 2002, they appeared at a rate of dozens per week. And in 2003, where worms used to take several days to travel around the globe, one spread to more than 300,000 systems on six continents in less than 15 minutes from launch.

The implications are huge for corporate America. Five years ago, U.S. corporations spent 2% to 3% of their IT budgets on security; now that portion is roughly 8% to 12% (see chart at left). Worse, the added spending hasn't stemmed the damage. In recent months, even the most security-aware companies have been victimized. These include airlines, large banks, electric utilities, investment houses, railroads, and other critical-infrastructure enterprises that have developed IT security policies and spent lavishly on defensive technologies. Put simply, it's becoming easier--and more profitable--to be a hacker, and harder--and costlier--to defend an enterprise. We'll describe the problem and offer a 10-point road map to keep your security spending on track.

There was a time when a hacker had to spend years learning how to read and write complex computer code. Once in a great while, a hacker would discover a software vulnerability--read "glitch"--and then spend weeks developing an exploit, an "attack script," that could take advantage of the vulnerability to gain unauthorized entry into a network. Then, after obtaining privileges--such as "system administrator" access--the hacker would install a Trojan, or "back door," and spend additional weeks exploring the network. The process is far more streamlined now. A hacker can go to a Web site and assemble a virus or worm by piecing together downloadable scripts that can be easily tailored for specific targets. One recent version of the Sobig virus went after Internet addresses belonging only to banks and other financial institutions.

Hackers have programs that watch the Microsoft, Bugtraq, and CERT Web sites and notify them when a new software vulnerability is announced. Then they spring into action, often using prewritten code as a platform for new exploits. Often, within hours, new attack code is developed and tested. Once perfected, the blended virus-worm is launched into cyberspace in a "fire and forget" attack. The attack script takes on a life of its own, wandering cyberspace for months looking for victims. Code Red, a virus-worm launched in July 2001, still wakes on schedule each month to search for unpatched computers.

The difficulty of defense

IT executives used to think that computer security was about establishing a virtual perimeter, a medieval castle in cyberspace protected by firewalls and "demilitarized zones." To get inside, team members had to stand at the gate and speak their password. It's clear now that concept is about as modern as the walled town.

Freely available cracking tools recover most weak passwords in seconds. Many enterprises have opened holes in their firewalls for road warriors who slip into the fortress by tunneling through virtual private networks. Unfortunately, the road warriors are usually carrying unpatched, infected laptops that let viruses and other malicious code burrow in along with them. Networks also open the gates to itinerant traders--consultants, supply-chain partners, and customers--who are allowed onto your network and into your systems; that's at the heart of collaboration. Or sometimes you eject a town member from the community, but the person copies the key to the gate before leaving. These are disgruntled or recently fired employees. So much for the perimeter-defense theory.
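The password claim above rests on two facts: users pick dictionary words with predictable mutations, and many systems store passwords as a single fast, unsalted hash, so every guess is nearly free. The Python below is an added example, not code from the original article; the wordlist and passwords are constructed for the demonstration, and the choice of unsalted MD5 for the "weak" form and salted, iterated PBKDF2-HMAC-SHA256 for the "strong" form is ours, not something the article specifies. It runs the same dictionary attack against both and measures what each guess costs.

```python
import hashlib
import hmac
import itertools
import os
import time

# Constructed stand-in for a real wordlist; real cracking tools ship lists of millions.
WORDLIST = ["password", "letmein", "welcome", "qwerty", "castle", "summer", "dragon"]

# Suffixes users most often append: nothing, one or two digits, or a zero-padded digit.
SUFFIXES = [""] + [str(n) for n in range(100)] + [f"{n:02d}" for n in range(10)]


def candidates(wordlist=WORDLIST):
    """Yield each word as typed and capitalized, with the common suffixes."""
    for word in wordlist:
        for base in (word, word.capitalize()):
            for suffix in SUFFIXES:
                yield base + suffix


def fast_hash(password: str) -> str:
    """Unsalted MD5: the stored form many legacy systems used."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_fast(target_hex: str, wordlist=WORDLIST):
    """Dictionary attack on an unsalted fast hash. Returns the password or None."""
    for guess in candidates(wordlist):
        if fast_hash(guess) == target_hex:
            return guess
    return None


def slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted, iterated PBKDF2-HMAC-SHA256: the stored form a defender should use."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify(password: str, salt: bytes, stored: bytes, iterations: int = 100_000) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the hash."""
    return hmac.compare_digest(slow_hash(password, salt, iterations), stored)


def crack_slow(stored: bytes, salt: bytes, wordlist=WORDLIST, iterations: int = 100_000):
    """Same dictionary attack; each guess now costs `iterations` hash calls, and the
    per-user salt means no precomputed table applies."""
    for guess in candidates(wordlist):
        if verify(guess, salt, stored, iterations):
            return guess
    return None


def guesses_per_second(hash_fn, sample: int = 200) -> float:
    """Rough throughput of one guess-and-hash loop on this machine."""
    start = time.perf_counter()
    for guess in itertools.islice(candidates(), sample):
        hash_fn(guess)
    return sample / (time.perf_counter() - start)


def seconds_to_exhaust(n_candidates: int, rate: float) -> float:
    return n_candidates / rate


if __name__ == "__main__":
    # Attacker's view: a leaked unsalted MD5 falls to the dictionary immediately.
    leaked = fast_hash("Summer03")
    print("unsalted MD5 cracked as:", crack_fast(leaked))

    # Defender's view: the same password, salted and stretched.
    salt = os.urandom(16)
    stored = slow_hash("Summer03", salt)
    n = sum(1 for _ in candidates())
    fast_rate = guesses_per_second(fast_hash)
    slow_rate = guesses_per_second(lambda g: slow_hash(g, salt), sample=20)
    print(f"{n} candidates take {seconds_to_exhaust(n, fast_rate):.3f}s against MD5 "
          f"vs about {seconds_to_exhaust(n, slow_rate):.0f}s against PBKDF2 on this machine")
```

The stretched hash does not make a weak password strong; it raises the price of every guess by the iteration count, which is what turns "seconds" into hours for a small dictionary and pushes large ones out of reach. Combined with a per-user salt, it also forces the attacker to repeat the work for every account rather than once for a precomputed table.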

The software itself offers little more protection. Where you used to run an operating system with 8 million lines of code, you now run one with 40 million lines or more. Now consider a recent Carnegie Mellon University study that found most programmers introduce about one error per thousand lines of code, and you begin to see why there are so many vulnerabilities and patches.

Complexity compounds the problem. The sleepy guard on the wall tower of our medieval fortress can't be relied on to see the attack coming and to respond. Indeed, no longer can your staff alone handle IT security in a 24/7 environment where new attacks can sweep the globe in the time it takes to page you. "Whenever a risk appears in one area, it has the potential to infect and seriously hamper another," says a spokesman at the Chubb Group of Companies in Warren, N.J. "It's imperative that operational, information-technology and financial managers across the enterprise join together to assess and mitigate their organization's most serious exposures." That's the model Chubb follows as it builds up its security team.

IT security audits can no longer be an annual event conducted by an outside team that charges $100,000 and is gone in two weeks. Such audits must be automated and continuous. Knowing the password and yelling it up at the guard shouldn't be enough for him to lower the drawbridge. Access and authorization to enter the network can't rest on the password written on the yellow sticky note under the mouse pad. Perimeters must be created within perimeters, so the enemy can't waltz into the gold vault and the courier who's intercepted outside of town doesn't reveal his message. Firewalls and anti-virus programs have to run on desktops. E-mail, hard disks, and storage should be encrypted.

One approach to cyberspace security involves arrests and rewards to catch the bad guys. Microsoft has offered up to $5 million for information leading to the arrest and conviction of those responsible for attacks on vulnerabilities in its software. That is about 0.1% of the cost of the damage caused by viruses and worms launched against Microsoft software in August 2003.

Clearly, helping law enforcement catch hackers is a necessary part of cleaning up cyberspace. But it's just a small part of the overall solution. Few hackers have been caught despite the efforts of the FBI, CIA, NSA, and other three-letter agencies. The major attacks of the past few years are, almost without exception, open cases.

The real answer lies in designing safer software. Products already exist that help software developers scan code for common errors. New products are coming that let enterprises lock down code that's been tested and certified, preventing any subsequent insertions (back doors) without multiple authorizers' approval. Until they arrive, the best solution is "defense in depth." This mission, however, can't just be handed to the town's watchman. Those who come to trade their wares must accept a little added scrutiny. And, the funds allocated to the defense of the town must keep pace with the threat outside the walls.

If we could line up all of the lessons learned since the Morris Worm attack of 1988, we could draw several conclusions about the challenge:

* Risk managers must integrate IT security across major corporate functions. Human resources, business continuity, and operations don't generally meet around the water cooler, but managing risk demands cooperation across these and other disciplines.

* The challenge is far more complex than initially assumed. Standards are lacking not only in various areas of IT security, but also for calibrating IT performance and financial returns.

* Finally, managing risk demands a long-term strategy. The road map for success is steeped in business process as well as awareness, education, and training. Successful strategies must motivate employees, as well as vendors, suppliers, and others not controlled by the corporation.

Cybersecurity road map

Our security road map has 10 components that operate across corporate functions, technologies, cultures, and business processes. It will help you think of this large-scale implementation in manageable steps as follows:

* Establish a governance structure that resolves complex security risks, educates corporate communities, and involves senior decision makers.

Good security starts and ends with governance. Governance processes also let risk managers resolve complex issues that affect multiple segments of the company, such as integrating IT security concerns into outsourcing decisions.

One positive trend in the past several years is the creation of corporate security councils comprising representatives from key business functions. The council's role is to review strategic issues unique to cybersecurity and provide input into corporate decisions.

* Create policies for the full scope of IT security; where such materials already exist, ensure that processes are in place to update policy statements and guidelines on an ongoing basis. IT security should incorporate management expectations and orchestrate corporatewide behavior. In creating or updating such policies, consider the following:

- Do policies adequately capture relevant business considerations, such as supply-chain management and business continuity?

- Do they take into account tangential issues such as training, awareness, and resource limitations?

- Are policies enforced consistently; if not, why not?

- Do policies reflect management's orientation toward such issues as tolerance for risk?

- Do policies extend to suppliers, customers, and business partners?

* Develop a risk-assessment program. There's nothing new about having to perform risk assessments. What has changed, however, is the complexity, scope, and cost of these assessments, and that they may not always be timely or conducive to making good business decisions. Congress now requires federal agencies to perform criticality assessments in addition to threat and vulnerability reviews. Risk managers should consider following suit and establishing their own criticality reviews.

* Extend business-continuity and disaster-recovery planning to IT assets. Risk managers should review the extent to which emergency planners have fully integrated IT systems into their recovery strategies. This includes restoration strategies as well as long-term recovery programs.

In conducting this review, managers should take a broad-based approach. In the aftermath of 9/11 and the August 2003 blackout, for example, power shortages created computing problems, and many network administrators and computing professionals were unable to get to work. Planning should include these and other contingencies.

* Enhance business-case arguments and capital planning for IT goals and objectives. Last August's blackout reinforced the need to recalibrate cybersecurity-investment arguments. According to the Michigan State Public Service Commission, the Slammer attack significantly undermined efforts to restore electric power. More generally, the need to reboot plants and factories after power was restored caused further delays.

The Michigan report reveals the importance of planning and funding appropriate IT projects. There will no doubt be follow-on cyberattacks and additional blackouts. Absent changes in the pattern of capital planning, damages can show up as a restatement of earnings or an unwelcome confession in a financial-disclosure statement. When articulating your business case and capital requirements, state the ROI in terms that are meaningful to the board. Balance prudent security with limited resources.

* Integrate IT and physical security planning. Risk managers should ensure that security plans include both physical and virtual assets. At many companies, physical and cybersecurity programs are completely separate. In other cases, security planners assume that mainframes should be protected, but fail to extend their planning to other assets that provide essential services.

* Let audit professionals enhance controls and compliance objectives. Security planners should use internal and external auditors to help define cybersecurity objectives and review progress against those objectives. In defining objectives, audits should take into account standards and other requirements, such as the Sarbanes-Oxley Act of 2002.

* Heighten security vigilance through education, publicity, and training. The best way to capture a fortress is from within. But spies and saboteurs aren't the only danger; corporate dupes are an even greater liability. Take advantage of pre-existing internal communications and education programs to increase preparedness, familiarize employees with security procedures, and improve compliance throughout the enterprise.

* Work with corporate counsel to address compliance and liability issues. Sarbanes-Oxley is only part of the story. Cybersecurity requirements for the electric power, banking, and health-care industries are well-known, but regulators are also insisting on rules that mandate IT integration capabilities for things like cross-border trade and port security--both of which require secure electronic messaging and resilient communications.

By meeting regularly with corporate legal counsel and including its representative on the corporate security council, risk managers can ensure they're in compliance and avoid being blindsided by new requirements.

* Prioritize IT assets and the essential services they support. Managing infrastructure risks means prioritizing the business services that are essential to the company and the IT resources on which they depend. In addition to mission-critical information systems, essential infrastructure services include electric power, telecommunications, transportation, banking, and others that the company often takes for granted. Risk managers should identify which information services are vital to the company's core services and place special emphasis on ensuring that those assets are secure.
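The criticality review called for in the risk-assessment point and the asset prioritization above come down to one question: if this asset fails, which essential business services stop? The Python below is an added example, not code or method from the original article; it models a constructed dependency map (services down to the infrastructure they rest on), weights three business services as essential, and scores every asset by the total weight of essential services that transitively depend on it. Asset names and weights are invented for the illustration.

```python
from collections import deque

# Constructed sample: each service or asset maps to what it directly depends on.
# Leaf entries with no dependencies are the infrastructure services (power, an ISP)
# that a company tends to take for granted.
DEPENDS_ON = {
    "online_banking": ["web_tier", "core_ledger", "identity_service"],
    "branch_teller": ["core_ledger", "identity_service", "wan_link"],
    "payroll": ["hr_db", "identity_service"],
    "web_tier": ["dmz_firewall", "electric_power", "isp_a"],
    "core_ledger": ["mainframe"],
    "identity_service": ["ldap_cluster"],
    "ldap_cluster": ["electric_power"],
    "mainframe": ["electric_power", "cooling"],
    "cooling": ["electric_power"],
    "hr_db": ["electric_power"],
    "wan_link": ["isp_a"],
    "dmz_firewall": ["electric_power"],
    "test_lab": ["electric_power"],
    "isp_a": [],
    "electric_power": [],
}

# Business services judged essential, weighted by relative outage impact.
# Constructed here; in practice the business sets these, not IT.
ESSENTIAL = {"online_banking": 10, "branch_teller": 8, "payroll": 4}


def transitive_dependencies(node, graph):
    """Everything `node` ultimately relies on. Tracks visited nodes so a cycle
    (a monitoring system that depends on the network it monitors) cannot loop."""
    seen = set()
    queue = deque(graph.get(node, []))
    while queue:
        dep = queue.popleft()
        if dep in seen:
            continue
        seen.add(dep)
        queue.extend(graph.get(dep, []))
    return seen


def criticality_scores(graph, essential):
    """Score each asset by the total weight of essential services that would be
    affected if it failed."""
    scores = {}
    for service, weight in essential.items():
        for dep in transitive_dependencies(service, graph):
            scores[dep] = scores.get(dep, 0) + weight
    return scores


def ranked_assets(graph, essential):
    """Assets ordered by criticality, highest first; ties broken by name."""
    scores = criticality_scores(graph, essential)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def single_points_of_failure(graph, essential):
    """Assets on which every essential service depends."""
    common = None
    for service in essential:
        deps = transitive_dependencies(service, graph)
        common = deps if common is None else common & deps
    return sorted(common or set())


def unmapped_assets(graph, essential):
    """Assets no essential service depends on: candidates for lower spend, or a
    sign the dependency map is incomplete."""
    scored = set(criticality_scores(graph, essential))
    return sorted(set(graph) - scored - set(essential))


if __name__ == "__main__":
    for asset, score in ranked_assets(DEPENDS_ON, ESSENTIAL):
        print(f"{score:3d}  {asset}")
    print("single points of failure:", single_points_of_failure(DEPENDS_ON, ESSENTIAL))
    print("nothing essential depends on:", unmapped_assets(DEPENDS_ON, ESSENTIAL))
```

Electric power and the identity service come out on top because every essential service passes through them, which is the point the text makes about services a company takes for granted. The arithmetic is the easy part; the dependency map and the weights are what the criticality review actually has to produce, and an asset that scores zero is as often a mapping gap as a safe place to cut.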

This 10-point game plan will push the risks and liabilities associated with cybersecurity to the forefront of the corporate agenda and help to dramatically increase your preparedness. But this program won't remove the threat or eliminate the need for strong walls until the technology industry puts better weapons at our disposal. For now, a truly secure enterprise remains the Holy Grail.

Richard Clarke is chairman of Good Harbor Consulting LLC, specializing in homeland security. Lee Zeichner is an attorney and publisher of a newsletter covering risk-management laws and policies.

Please send comments on this article to optimizeletters@cmp.com.

------------------------------------------------------------------------

The 90-Day Plan

True cybersecurity requires that financial, IT, and operational managers from across the enterprise--and outside it--come together to assess and guard against their company's most serious risks and exposures. This three-month plan will get you started.

First month: Update, review, and set up new processes

* Update and implement an enterprisewide governance program or begin one if it's not already in place.

* Establish processes for creating cross-enterprise cybersecurity policies and begin a risk-assessment program with definite expectations.

* Review IT disaster-recovery and emergency planning if you haven't done so recently.

Second month: Focus on ROI and objectives

* Calculate capital requirements and security ROI to the extent possible. Then, create processes to protect your most important--and costly--cyberassets.

* Conduct a review of audit and control objectives.

Third month: Fill security holes and spread the word

* Identify areas of security noncompliance. Launch an internal PR campaign to heighten awareness and improve performance at all levels of the business.

* Meet with corporate legal counsel to review compliance requirements and be sure you're up-to-date on new regulations.

* Prioritize and focus on those IT assets that support mission-critical services.

This article originally appeared in the January 2004 issue of Optimize magazine.