Want CNET to notify you of price drops and the latest stories?

The myth of cybersecurity

Groove Networks' CEO Ray Ozzie calls it the industry's dirty little secret: If you use a company network or the Internet, some snoop is likely monitoring your daily communications.

4 min read
In late July at a technology conference in the nation's capital, President Bush's top cybersecurity adviser, Richard Clarke, said the technology industry was acting irresponsibly in selling computer network devices that remain remarkably easy to attack.

"It is irresponsible to sell a product in a way that can be so easily misused by a customer in a way that jeopardizes their confidential and proprietary and sensitive information," Clarke said.

In fact, it's the industry's "dirty little secret": If you use your company's networks or the Internet, your daily online communication activity--from sending and receiving e-mail and instant messages to using the Web--can be, and in all likelihood are, trivially monitored by others.

Toward what end? Think about it.

When I was a boy, my friends and I would occasionally play tricks on girls in our neighborhood, quietly sneaking over to their homes, opening Ma Bell's little gray box mounted on the side of their parents' home and tapping into their nightly gabfests with a telephone that we'd brought over. Just mischievous kid stuff?

Dream on.

Industry pundits found it quite unsettling at a conference recently when, without permission, Web images being received by their wirelessly connected laptops were grabbed "off the air" and displayed onstage, live. It also works for wired networks: Programmers have been building "sniffers" such as Dsniff and EtherPEG for years, for law enforcement, amusement and profit.

Your company's network administrators can watch anything you do that flies by on their wires. So can the people who keep the servers and routers running all night long at your Internet service provider.

But they wouldn't do that, would they?

People are always the weakest link.
In order to protect you, corporate information technology administrators are hard at work solidifying the "great firewall" around your organization--keeping the outside out, and the inside in. But at the same time, you need to work from home. And increasingly, you need to work closely with business partners and customers, but the IT group won't give them VPN (virtual private network) access because doing so would expose too much.

So how do you get your work documents and presentations through the firewall? Many of us send them home as e-mail attachments. Or, like former CIA Director John Deutch, we take them home on memory cards.

But how safe is the confidential information on our laptops? Once, many years ago in Paris, I walked into my hotel room and found the chambermaid moving nervously away from my computer. "Je jouais le solitaire (I was playing solitaire)," she said. Hmm.

So how did we get ourselves into this situation, and what should we do about it?

Surely the industry can--and should--take a good share of the blame, as should the government. Internet pioneer David Reed recently pointed out that in the early years, efforts to incorporate end-to-end encryption into the base standards of the Net were reportedly discouraged for reasons of national security.

But "weak encryption" is no longer a reasonable excuse for insecure systems. It's clear by now that real security comes not just from strong crypto, but from recognizing and embracing human strengths, frailties and common behaviors in building, managing and using complex systems. People are always the weakest link.

The industry also needs to explore new approaches to secure systems. Although Public Key Infrastructure (PKI) works within a well-managed enterprise environment, work relationships now commonly cross enterprise boundaries into domains of questionable trust. And third-party "notaries" don't help much; they introduce significant risk: When VeriSign was fraudulently duped into issuing Microsoft certificates to an unknown party in early 2001--with little reported recourse--utopian visions of "outsourcing identity and trust" crumbled.

Enterprises need, and must demand, more cellular approaches to trust and secure information-sharing, such as peer trust, webs of trust and fine-grained federated trust. The "Great Wall" approach is outdated, with the distinction between inside and outside becoming blurred. We need alternatives to the firewall and VPN models of protection.

Someday, some shareholder is going to lose quite a bit of money because an electronic message was "sniffed" or "spoofed."
But there's no need to wait. There are practical actions that can be taken immediately and inexpensively. For example, Windows XP supports an Encrypting File System that is very useful for laptops; buy the upgrade, turn it on and password-protect computers. Both Microsoft Exchange and Lotus Notes support enterprise message encryption--if IT departments would simply use it. These are just a couple of alternatives.

We've been through years of asbestos and tobacco liability suits. Will liability for IT complacency be next? Someday, some shareholder is going to lose quite a bit of money because an electronic message was "sniffed," or "spoofed." Someone's health or financial records are going to get into the wrong hands. A design will be compromised; someone will get hurt.

And at that point, network television cameras are going to be focused on a lawyer who's asking a company executive, or a government official, "Sir, were there reasonable alternatives at the time?"