Summary and Conclusions

In one of my recent presentations before an executive committee at a multibillion dollar corporation, I discussed the issues of protection in the national information infrastructure and suggested ways in which they might get involved from a business standpoint. At the end of the discussion there was a break, and the president of the company came over and told me that he liked the presentation, but that it would have been better if I had included more examples of actual break-ins to give a better idea of the magnitude of the problem. He will get a copy of this book, and if nothing else, I hope that the examples of actual attacks will satisfy his desire for some hard data.

I haven't done a detailed analysis, but I am certain that this book documents at least $10 billion per year of firmly supported, publicly disclosed losses in the United States alone. It also supports the notion that there are many billions of dollars per year in less firmly tied down losses in the United States.

We should all agree that we already depend heavily on our information infrastructure, and that this dependency is increasing rapidly. With increasing dependency comes increasing potential for harm, so we should expect these figures to rise substantially over the coming years. The current loss from disruption is on the order of $100 per year per capita, and it would be reasonable to conclude that over the coming 10 to 20 years, this will increase by a factor of 10 or more. The increase will be due to our increased dependency and the increased use of the information infrastructure for perpetrating crimes. Protecting the NII properly would likely cost far less than $100 per capita.

There are clearly many ways to attack modern information systems, and interconnecting them to the information infrastructure substantially increases the potential for attack. This book documents quite a few vulnerabilities, but it also makes it quite clear that approaching protection from a laundry-list perspective is unlikely to be effective. This should be cause for great concern because the vast majority of people working in information protection today are taking the laundry-list approach, costing their organizations a lot of extra money, and not getting very effective long-term protection.

Current protection in most organizations is inadequate to the task. One reason we have inadequate information protection is neglect, and I hope that this book helps to reduce the degree of neglect. Another reason we have inadequate protection is the lack of adequate knowledge by most people involved in information technology. This is due, at least in part, to failures of our educational system, but government must also take responsibility and the computer industry is certainly not blameless in this area either. The responsibility for correcting this situation now lies firmly in the hands of the organizations that depend on information systems.

It would be nice if we could simply buy our way out of this situation, but unfortunately, that doesn't work for this particular problem. We have to think and work our way out of it. Like most challenges in modern society, it is not enough to just attain knowledge and skills. We have to go through an ongoing and unending process of adaptation in order to keep up with the rapidly changing environment. And unlike most areas of information technology, we cannot simply push this one off on some technologist and say: "Take care of it". Information protection requires an organizational approach and participation by everyone involved with information technology.

Fortunately, by reading this book, you have taken one of the most important steps toward attaining information protection. You have started to educate yourself. The next step is to take the protection process by the horns and begin to actively pursue it.

fred at all.net