The Code Warriors

(3 of 3)

Unfortunately, most business customers don't know how to determine their own security risk. "They just wing it, largely," Vatis said. Companies such as AIG and Chubb offer cyberinsurance, but the industry lacks the actuarial data it has for traditional lines. Large companies can't just redesign products with more deeply embedded security features, because customers don't take well to mandates to completely trash their old systems for new ones. "It would be considerably easier if I were allowed to start from the ground, build a secure system and deploy," said Aucsmith. Until that happens, the data we entrust to companies might be guarded by the cyberequivalent of a dozing senior citizen with a fake cop badge.

Cybernational Security
"As long as the state of security remains where it is today, the government will never have attack-response capabilities. We will remain too much of a target-rich environment." --Michael Vatis

Put more bluntly, our country's critical data systems are the World Trade towers, and the hijacked planes are heading in their direction. Criminals have discovered how much easier it is to rob banks with a keyboard than a mask and gun. Will terrorists figure out how to shut down the banking system and strangle the economy? Information technology controls the nation's physical infrastructure — nuclear plants, air-traffic control, water systems — like a central nervous system. "Hits against the IT network will cascade to the other critical infrastructures," Stolfo said. (Consider the cascading effect of this year's blackout.)

A 2002 National Academy of Sciences report stated that our willingness and ability to deal with threats relative to their magnitude had grown worse since the organization's first report in 1991. "Nobody owns the problem," Stolfo said. Professionals for Cyber Defense, Stolfo's group, and Vatis have independently called for a Manhattan Project for security that would take responsibility for safeguarding these critical networks.

That's an awesome task, and it won't be completed overnight. "These threats are not new," asserts Robert Liscouski, Assistant Secretary of Homeland Security, who is shuffling several far-flung federal agencies into one National Cyber Security Division (NCSD). He says "digital Pearl Harbor" scenarios are exaggerated: "That's a bit of an overplay for me, and I get paid to worry about this stuff." In October, Amit Yoran, a former vice president of the Internet security firm Symantec, became head of the NCSD, which will attempt to seek and destroy vulnerabilities in cyberspace, issue warnings in real time and foster communication with the vast private sector, which owns 85% of the infrastructure.

The Federal Government is nipping at the problem elsewhere. Hard-core technophiles get queasy at the notion of Congress creating laws that tell them how to do their arcane jobs. Yet three of the most significant laws of the past 10 years — the Health Insurance Portability and Accountability Act (1996), the Gramm-Leach-Bliley financial-modernization law (1999) and last year's Sarbanes-Oxley corporate-reform act — all have mandates to protect and secure data. Still needed, Geer argued, are laws that hold companies liable for holes in their security that make us vulnerable to attacks from elsewhere. Responsibility for passive negligence "might be better than, God help us, the U.S. Senate imposing an argument about what the limits of liability should be," he said.

Generals, the saying goes, are always fighting the last war. With the nation understandably focused on aviation security and biological, nuclear and chemical threats, technologists hope their message — that network vulnerabilities are real and that a significant failure could muck up everything else — is getting through. Security risk is a shifting balance between individual and institutional responsibilities and vigilance. Or, as Geer succinctly put it, "The price of freedom is the probability of crime."