From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Sun, 25 Nov 2001 21:43:39 -0800 (PST)
Subject: [iwar] [fc:Congress.Awakens.to.Net.Security]

Congress Awakens to Net Security
By Paul Coe Clark III, The Net Economy, 11/20/01
Theneteconomy.com

Congress is, finally, getting a bit of a clue on computer and Internet security.
At the least, that is, legislators are awakening to the idea that there are long-term, pervasive weaknesses in our digital infrastructure that could be exploited by terrorists. That is not to say that most legislators understand those vulnerabilities, or that Internet security has become a priority on the Hill yet.

On Thursday, I attended a hearing on private-sector efforts to address cyberthreats. The hearing, in the House Commerce, Trade and Consumer Protection Subcommittee, took place at the same time as separate hearings on bioterrorism and airport security, and it was clear that Net security was (perhaps naturally) considered the least important, or the least pressing, of the three.

Witnesses at the hearing included Howard Schmidt, the chief security officer for Microsoft; Mary Ann Davidson, director of security-product management at Oracle; Dave McCurdy, a former member of Congress and president of the Electronic Industries Alliance; and a host of execs from companies specializing in security.

Members of the subcommittee focused on the fact that the perpetrators of the Sept. 11 attacks used the Internet as a means of communication, and on the possibility of digital identity theft. The witnesses, however, turned the focus of the hearing onto the weaknesses of the Internet and other digital networks, which run on a plethora of layered protocols, many of which have inherent security weaknesses.

For common sense (as it appears to anyone who follows computer-security issues closely, which I do), you had to turn to Oracle's Davidson, who (rather too) gently upbraided the government and other large purchasers of digital infrastructure for not demanding secure server, desktop and communications products.

"Consumers of information technology need to be discriminating," Davidson said. "They must make security a purchasing criterion and hold vendors accountable through independent proof of information assurance, such as formal security evaluations.
"They must create a 'culture of security' within their own organizations, so that security is not diminished by the 'weakest link' of a careless or unknowing employee."

Hear, hear.

For my money, the legislators should have been grilling Schmidt, as the top security man for Microsoft, whose products have done more to make networks insecure than those of any other company. I spend a lot of time talking to security experts, and, almost invariably, they cite Microsoft products as the weakest link in the security chain. Many of the worst virus and denial-of-service attacks have been practically invited by Microsoft, through boneheaded design decisions like activating Windows Scripting Host by default on millions of machines.

This is not to belittle Schmidt, who seems like a serious security expert with gold-plated credentials. He's worked with the U.S. Air Force, the FBI and a host of private-public security associations, and was called up for active duty after Sept. 11 to work with the Department of Justice and the FBI's National Infrastructure Protection Center. He's earned my respect, and I won't say a word against him.

But for too long, computer security was entrusted, first to dumb luck and the obscurity of network weaknesses, then to loose information sharing of the sort pioneered by the public-private CERT center at Carnegie Mellon University. Thousands of system administrators and coders have worked hard to keep software patched and hardware configured to prevent breaches. But the time has come to demand high security standards, "independently attested" (to use Davidson's term), when purchasing software.

Schmidt was careful in his testimony to cite non-Windows security breaches, such as the Trinoo attacks on Solaris and the Ramen and Lion worms on Linux. It's hard to avoid the fact, however, that, through market share alone, Windows is the first line of defense at the desktop and server levels.
"These attacks did not occur because the extremely innovative engineers creating the underlying codes disregarded security," Schmidt said, and that's largely true. They occurred because Microsoft marketing types, answering what they almost invariably claim is a wave of demand from consumers, bypass knowledgeable coders and include insecure features in software. They also occur because large purchasers (and the government is the largest) have to date had insufficient, contradictory and incoherent demands when it came to security standards. It's ironic that the government, which has been suing Microsoft on antitrust grounds for years, has at the same time blithely been buying insecure Microsoft products.

I don't want to continue to berate Microsoft for its past sins, however; there are signs that the company is starting to get it when it comes to security implementation. Its newer products are much more secure than has been its wont, and its vulnerability-reporting and patching process, although still quite closed, is improving.

There are also signs that the government is waking up to its responsibility to demand secure products. Rep. John Shimkus (R-Ill.), whom I don't usually think of as one of the most tech-savvy legislators on the Hill, made a telling statement about the relationship of security to the tech industries. It's a statement I've heard echoed by many security firms, both before and after Sept. 11.

"Done right, there should be a value-added aspect of controlling your own databases and having security on your systems," Shimkus said.

In other words, security adds value to systems and to the companies that operate over them. It is also a growing value-added product-and-service arena throughout the communications and computing industries. Public-private partnerships are spreading, and are needed, such as the Information Technology Information Sharing and Analysis Center and CERT. The government is also moving to strengthen laws against computer intrusion.
In the latter regard, it may be moving TOO far; the recent antiterrorism bill makes all garden-variety computer hacking acts of terrorism. Davidson added another note of sanity to the discussion when she pointed out that 95 percent of hackers are either ethical or relatively harmless. In our rush to pass new laws, we shouldn't equate them with the 5 percent who are genuinely dangerous.

It was clear that few of the legislators understood the history of hacking, which arose among the same coders and engineers who gave us computers and the Internet. Such ethical hacking has, it's true, partly given way to script kiddies and genuinely bad actors, among whom terrorists will turn out to be the worst. Our law should still make an effort to distinguish the intent of a "hacker" (using the old sense of the word), rather than painting all inquisitive network users as terrorists. Not every port scan is a terrorist attack.

The threat of genuine cyberterrorism is very real, however. It's good to see the government waking up to that possibility. I just hope legislators don't submit to the perpetual temptation to pass new, excessive laws before they learn the subject well enough to craft them properly.

------------------
http://all.net/
This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:59 PST