CNET también está disponible en español.

Ir a español

Don't show this again

Tech Industry

Ex-cybercop: Hackers not the only problem

Malicious intruders, corporate espionage and uneducated employees all contribute to make "network security" almost an oxymoron in today's wired world, experts agree.

Click here to Play

Should businesses still fear hackers?
Person on the street
SAN FRANCISCO--Malicious intruders, corporate espionage and uneducated employees all contribute to make "network security" almost an oxymoron in today's wired world, four security experts agreed at the RSA Data Security Conference.

But the lack of security on corporate networks and the Internet is more the fault of the victims--and the security industry--and not the attackers, Michael Vatis, the United States' former top cybercop, said during the Wednesday panel discussion .

"It's not just the hackers who are the threats but all of us who are part of the problem as well," said Vatis, former executive director of the federal government's National Infrastructure Protection Center.

Vatis joined three other security experts in a 45-minute panel to discuss today's threats to network security.

While not condoning the defacement of Web sites or penetration of networks, Vatis, now the director of the Institute for Security Technology Studies at Dartmouth College, said vandals have done some good.

"Hackers have done a lot in recent years to raise the awareness of the threat than" anyone in the government, he said.

That threat has only increased over the past few years, according to the latest study from the San Francisco-based Computer Security Institute.

In the study, released in March, more than 40 percent of companies surveyed said intruders had broken into their systems from the Internet, up from 25 percent the year before. Another 38 percent of the companies detected denial-of-service attacks, up from 27 percent, and 94 percent had a computer virus incident in 2000, up from 85 percent the year before.

"Everyone can understand the profits that you can make in cyberspace, but only a few people understand the losses that you can have," Richard Power, editorial director of the Computer Security Institute and author of the security book "Tangled Web," told the assembled security professionals.

Philip Reitinger, deputy chief of the computer crime and intellectual property section at the U.S. Department of Justice's Criminal Division, stressed that many corporate insecurities are caused by networks becoming much more complex.

"It's a bit like trying to spackle all the holes in a huge block of Swiss cheese," he told the gathered security specialists and system administrators.

Worse, he added, is that it's not just a single company's networks that a security manager has to worry about. The distributed denial-of-service attacks that halted traffic to Yahoo and others for several hours in February 2000 illustrated that the security of others' networks can affect everyone.

"Your security may depend upon others who you expect to be secure," Reitinger said.

Yet there is a corporate culture of ducking the problem, said Gregory Schaffer, director of PricewaterhouseCoopers' cybercrime prevention practice.

While government and law enforcement are looking to nail the intruder, companies just want to get their networks up and running after an attack.

"The private sector's not concerned with finding someone to blame," Schaffer said. "They just want (an attack) to stop."

The general consensus: Before networks can be secure, that myopia has to be corrected.