Mr. President, What Are You Going To Do About Our Present State of Cyber Insecurity?
But there has been for our industry (financial services and information security in particular) a really big hanging chad question since Bush took office back in 2001. What does our country need to do better when it comes to information security? And what role should the government take in creating change, or is it up to the individual?
In our industry, we're seeing the lack of direction in protecting our resources (and assets) hit our pockets almost daily in the form of our customers' drained checking and debit accounts. The DHS Cybersecurity "Czar," Rod Beckstrom, who was appointed to the post earlier this year, pledged to do more to quell the growing online criminal aspect of the Internet... hmm, is this the 5th guy so far? I remember the fourth one, Amit Yoran (a nice, smart guy, but he wasn't given enough muscle power to effect change and left frustrated after a year). The others, well. I guess those in power in the DHS executive offices decided that information security is not that important.
Our industry and the larger IT industry have been addressing the problems of information security for a long, long time, mostly without any government help. There has been work done, but more is needed -- much more. So why should we be worrying about stopping these criminals and making the Internet a more "orderly and safe place" to do business? Take a look at the last eight weeks of chaos, consumers' lack of confidence in the economy and the industry, and you start to see the answer.
Those of us who've been in the industry since before the Morris worm (which just celebrated its ignoble 20th anniversary) remember that information security used to be a lot easier. Back then, the company's networks could be locked down, firewall settings adjusted and tweaked every now and then, anti-virus and other malware detection software loaded, and then, with proper monitoring of what was happening on your network, you could consider your network fairly safe from outside threats. That was 1995, when the Internet was just getting started as a business model and everyone still said "dot.com" with an optimistic gusto.
But this week's news from Microsoft and RSA points to a looming bank of dark storm clouds on the horizon. Are these reports a portent? Could these coming storm clouds mark the signs of a "cybergeddon"? One of my longtime friends in the industry wrote a book about an electronic Pearl Harbor more than 17 years ago, whose premise was that our country's computers and networks were poorly protected against an adversary. The Congress brushed off his warnings, as did Bill Gates. Now look where we are . . . the federal government spends billions on information security, and the federal agencies still earn failing grades for ineffective or outdated practice and infrastructure on an annual basis. Many unaware private users (and even aware ones) are only one click away from handing their machines, information and even their identities over to an online criminal. Read the Microsoft report; it's a very thorough and eye-opening look at the state of our cyber (in)security.
It's just my view of this huge problem, but the fact that we're allowing regular "Joe Six-Pack" computer users to operate highly sensitive machinery on a superhighway where it takes only seconds to steal money (think of any crazy amount like $100,000 or more and you get an idea of the scope) -- it's like allowing a third-grade student to drive a Porsche or a Maserati on the Autobahn loaded with a big bag of money, without any seat belt or parental controls.
It is time for drastic action, but until that can happen on a government level, maybe it's time to take the charge of change upon ourselves in our own operations. I questioned in an earlier post whether financial institutions should decide if a customer is too dangerous to allow online transactions.
With the state and federal banking regulators breathing down institutions' necks about data breaches and detecting and stopping identity theft, how about requiring all customers who bank online to prove their machines are clean of crimeware? (The specifics of how to do this can vary by operating system or computer.) Add a strong dose of two-factor authentication with an IP address confirmation, or a digital certificate that runs with an upgraded, secure browser that keeps the customer feeling good, and you know it's your customer you're dealing with today. These solutions aren't 100 percent infallible, but they're a start toward the secure computing environment we'd like to see continue to develop and be encouraged, enforced (and followed?) by our government and others around the world.
Now, as the new President, the institutions you do business with surely know who you are, and, well, the banker handling your business doesn't want you to end up like French President Sarkozy. [His bank account was hacked in September and the thief withdrew small amounts of money.] But maybe one of the first things you should look at when you're starting off in the Oval Office is setting a high standard for information security, thus ensuring this great country of ours is safe, both domestically and globally, from online criminals stealing our hard-earned money. Including yours, of course.