Data on Internet threats still out cold

Although corporations and individuals are taking more measures to inoculate against computer viruses and online vandals, security experts disagree over whether they're stemming the tide or simply keeping heads above water in the face of a growing number of hackers and ever more virulent code.

Assessing the situation is tough, say experts, because of the lack of conclusive data about viruses and their effects.

"We need more data, better data and different kinds of data," said Richard Power, editorial director for the Computer Security Institute, which produces a yearly survey that contains some of the most often cited--and occasionally maligned--data on security incidents.

"Having the right data would help debunk a lot of the crap out there: predictions of an electronic Pearl Harbor and the waves of hype that follow virus attacks like I Love You," Power said, adding that CSI's poll can't be considered scientifically accurate.

Everyone agrees more needs to be done. Microsoft Chairman Bill Gates told his employees on Tuesday that security, not product features, will be the company's primary concern.

To some degree, the question of whether Internet security is improving is a matter of perspective.

Market researcher Computer Economics estimated that the impact from such digital threats as viruses, worms and Trojan horses dropped to $13.2 billion in 2001 from $17.1 billion the previous year. The I Love You virus caused the largest amount of pain--an estimated $8.75 billion--according to the company's 2000 estimates.

Such numbers support some virus researchers' conclusion that a combination of security measures--the digital equivalent of a drug cocktail--has helped make the Net more secure.

"Corporations have gotten better at handling viruses," said Vincent Gullotto, director of computer software maker Network Associates' antivirus emergency response team. "They have an infection here and there, but (the viruses) are not penetrating." Gullotto also said security has been helped by a faster response to crisis situations on the part of antivirus-software makers.

Yet, a second opinion--and data to support it--is only a click away.

E-mail service provider MessageLabs saw the occurrence of hostile e-mail attachments, such as worms and viruses, triple during the last year. The U.K.-based company analyzes e-mail in real time on behalf of its customers, filtering out potential viruses, junk mail and inappropriate content.

In the early months of 2001, only one out of every 1,053 e-mails traveling through the company's gateways had a malicious attachment. A year later, the frequency had jumped to one out of every 325 e-mails.

"Our data is telling us that this problem is worse, not better," said John Harrington, director of marketing for the company's U.S. subsidiary.

A third set of data lends support to that position. The Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University--a clearinghouse for information on Internet threats--saw reports of security incidents climb to more than 56,000 in 2001, a jump of 160 percent from the previous year.

Yet the group doesn't explicitly track viruses and doesn't categorize the number of threats.

Who's right?

Who knows, answered Roger Thompson, technical director of malicious-code research for security-services company TruSecure. Thompson bemoans the lack of good scientific data.

While Thompson has a hunch things are getting better, he said the need for data "is great. I just don't know if we are going to get much more than we've got."

Even Michael Erbschloe, vice president at Computer Economics and the author of the company's estimates of the amount of damage done by viruses, admits the numbers are, scientifically, just a few steps up the evolutionary ladder from a guess.

"We benchmark cleanup cost repeatedly and constantly, and we do as well as we can to calculate the number of hits," Erbschloe said. "It's less than perfect, but (it's) the best we can do with the resources we have."

These types of studies and estimates don't seem to take into account such basic factors as, for example, the increase in PCs connected to the Internet. Almost 377 million computers worldwide were connected to the Net, and thus susceptible to attack, by the end of 2001, according to market researcher IDC. That's up from 241 million in 1999 and is expected to reach 704 million in 2005. By those numbers, reported attacks could proportionally stay constant but double in actual volume by 2005.

Another problem, said Power, is that many companies never mention attacks they've suffered. And that leaves decision makers--ranging from corporate execs to senators--listening instead to the hype in the industry.

The conflicting data and lack of guidelines leave security professionals with only their own anecdotes to convince executives to boost security, said Greg Shipley, chief technology officer with network protection firm Neohapsis,

For example, Shipley voiced incredulity at Computer Economics estimates that pegged the I Love You virus at 14 times more damaging than the September attack of the Nimda worm. "Nimda scared us the most," he said, adding that the company spent days cleaning up clients' computers after Nimda. I Love You, on the other hand, was far easier to mop up after.

"When you have to sell management on why they should be shelling out serious bucks for security, you need hard numbers--or at least harder numbers than we have now," Shipley said.

Rob Rosenberger, a hoax debunker and virus historian for the Virus Myths Web site, went a step further, calling the science behind the scarce data currently available "napkin math."

In the end, he added, while companies need more information to track the threats and help them make budgeting decisions, security companies might not need--or want--better data.

"It's an interesting philosophical question," he said. "It would be like tobacco companies saying we don't even want to do tests to see if smoking is bad."