Improve Internet Security or Face the Music

At a news conference Wednesday, the Federal Bureau of Investigation said that it is mounting a worldwide hunt for those responsible for a wave of cyber-attacks against major Web sites.

The FBI was responding to the third full-scale hacker assault in as many days, as online broker E*Trade and a number of other sites had traffic disrupted by a coordinated distributed denial-of-service (DoS) attack from multiple Internet addresses.

While causing little actual damage in terms of stolen files or damaged systems, the attacks sparked a broad Wall Street sell-off on Wednesday, according to some analysts. The attacks also attracted the attention of numerous U.S. government officials, including President Bill Clinton.

While Nasdaq, which lost 65 points on Wednesday, made a full recovery by jumping 122 points on Thursday, the Dow fell an additional 55 points — calling into question whether the DoS attacks will have a lasting impact on Wall Street.

Running Every Lead Down

“We’re running every lead down,” said Ron Dick, chief of computer investigations at the National Infrastructure Protection Center, an FBI office that monitors cyber terrorists.

In an exclusive interview with the E-Commerce Times, FBI special agent Charles Neal, who heads the Los Angeles computer crime squad, said that while it is difficult to catch such criminals, it is certainly possible — especially if an individual or small group is responsible.

No Big Deal?

Some analysts, such as Forrester Research, Inc., are dismissing these attacks as little more than minor irritations.

“Unlike attacks aimed at firms like CD Universe, these attacks aren’t from hackers after a financial windfall or malicious destruction — rather, they’re just after 15 minutes of fame,” Forrester said in a brief published Wednesday.

“Although these attacks have captured the public’s attention, they will fade like all other attacks before them,” the brief added.

Not a Show-Stopper, But Still Serious

While this type of analysis may be correct in terms of assessing actual damages, it seems to badly miss the point — especially if the attacks are being orchestrated by real terrorists that are trying to disrupt our economy.

Internet pioneer Vinton Cerf told the E-Commerce Times, “Reliable service is an important aspect of customer expectation, so dealing with these kinds of disruptions is important. The Internet is so valuable and useful, though, that I think these will be considered annoyances, but not show-stoppers.”

“I don’t mean to minimize the effects on the parties attacked,” Cerf added. “It is serious. I hope that the perpetrators can be found and prosecuted, because this amounts to interference with critical infrastructure. We’d be up in arms if people jammed the telephone network or wrecked the power networks, for instance.”

Security Structure Rotten at the Core

“The real problem is that the Web is rotten at its core in terms of security,” Argus Systems Group president and CEO Randy Sandone told the E-Commerce Times. “What needs to happen is that we must redress systemic problems of security. It starts at the core, which is computer operating systems.”

“No matter what you do in application space, security can be bypassed in some way,” Sandone added. “That’s what we have out there today. Rotten apple dipped into caramel. Until such problems are addressed, we’ll be having this discussion continually.”

Argus Systems develops “trusted” operating systems that have beefed up security capabilities. While Argus Systems and other firms with related security products have an obvious conflict of interest when making such claims — and have been warning of such security vulnerabilities for several years — they may well be right.

Until the security improves in operating systems that power Internet servers, the best we can do is learn to live with such attacks. It’s a bad way to live.

Lawsuits: Another Reason To Improve Security

The good news here is that security can be improved in these operating systems. In the past, it simply did not pay to spend the extra money to beef up security. While this dynamic is already changing, guess who will add even further incentive to beef up security? You got it. Lawyers will undoubtedly pounce on any well-known company that “negligently” allows its computer to become a part of a DoS or similar attack.

Ultimately, companies must go beyond the illusion that they are secure by putting up a firewall and encrypting credit card data. They must begin with their operating systems to protect the integrity of the systems that drive the Internet — and add more security from there.

If we ever get to that point, a lot of these problems that take up so much time and money will be controlled. Nobody believes they can be fully eliminated.

What do you think? Let’s talk about it.