Patching and Praying
Before they buy and install new software, or agree to modifications, Humphrey suggests CIOs and system administrators ask vendors: Are your people trained to do quality work? Do you measure and manage quality? What quality measurements do you seek? How do you track performance against quality goals? What do you do if they're not met? What will you do if defects cause problems? Most CIOs, Humphrey says, "have no idea. Most of them don't even know it but they're suffering from software quality issues all the time."
The consequences can be severe. Software glitches are already "causing chaos and costing vast sums," he says. "You could go out of business over this. You could lose money, lose your competitive edge. If you don't pay attention to this, a lot of things could happen. Most companies today are in the software business, whether they know it or not-and to the extent they're dependent on the Internet, almost everyone is vulnerable."
Spafford agrees that CIOs need to do a better job boosting quality as a strategy to improve security. He also says he believes things are worse now than they have to be because most CIOs are "ignorant of the alternatives, the risk, and the bottom-line costs" of depending on inadequate software, systems and safeguards. "They aren't setting their priorities appropriately," he says. CIOs, he says, should be making purchases with "the whole picture in mind"-the stability, vulnerability and quality of the next generation of software under consideration.
But to secure systems correctly means having to spend more money, and often, it's not in a CIO's best political interest to do that. Meanwhile, convincing higher-ups that security is no longer just IT's responsibility can be difficult. More and more companies are shifting the security burden to specialists. International Data Corp. projects that aggregate global spending on IT security, already about $14 billion, will grow by nearly 37 percent annually, reaching $20 billion by 2004. In the U.S., the $3.4 billion e-security market is expected to exceed $8 billion over the next three years. Still, companies that outsource their security may be risking too much. "Why would anyone want to outsource the protection of their crown jewels?" says SRI's Neumann. "Whether it's outsourcing your code or your system administration or your management or your analysis, there are huge security vulnerabilities."
One way to get around the complexity-breeds-bugs problem, some security experts say, is the open-source movement, which draws programmers together from around the globe to continuously develop and debug major programs. The Net provides a platform for such collaboration and an instant feedback channel when things go wrong. But open-source server software like Linux, an increasingly popular alternative to closed-source Windows NT, for example, is no panacea. "It still requires all the discipline in software development and maintenance and administration and patching and all that stuff," Neumann says. "But it gives you a greater opportunity to fix things." In Neumann's view, it's better than proprietary code, which cannot be reviewed by a community.
Microsoft, for its part, insists that its products are kept "security strong" by patches and new versions of programs that correct old problems. And in fairness to Microsoft, experts say, quality comes at the cost of convenience to customers. Fixing all bugs before release would not only be impractical business-wise, but nearly impossible. "Tell someone at Microsoft to delay releasing a new product so that all the bugs can be worked out, and they'd promptly show you the door,"Schneier acknowledges.
Schneier suggests that a good insurance policy might well be the ultimate way to force fast improvements in software quality. "What will happen when the CFO looks at his premium and realizes that it will go down 50 percent if he gets rid of all his insecure Windows operating systems and replaces them with a secure version of Linux?" Schneier asked members of the Senate Commerce Subcommittee on Science, Technology and Space during a July hearing on infrastructure vulnerabilities in Washington. "The choice of which operating system to use will no longer be 100 percent technical. Microsoft and other companies with shoddy security will start losing sales because companies didn't want to pay the insurance premiums."
For their part, insurance companies are starting to step up to the plate-but so far, few businesses are buying. In 2000, Marsh, Inc. and Lloyd's of London began offering e-business protection policies in conjunction with American International Group Inc., Chubb Corp. and Zurich North America Surety & Financial Enterprises. The policies cover privacy, content and software code infringement, attacks, viruses, programming errors, theft of information and fraud. Lloyd's said in May that its business for its e-Comprehensive policy has almost doubled in the past year. Still, a July 2001 survey by the Human Resource Institute and Eckherd College for the industry shows that less than 24 percent of businesses polled have business-interruption insurance, and less than 13 percent of those have virus transmission coverage.
Even so, there's still no substitute for better in-house security strategies and better systems management. Schneier, who developed the widely-known Twofish information-scrambling security code, personifies that thinking. He started out believing technology could trump humans in the fight for better security, but decided that mathematical algorithms were no match for the chaos of human error. So he founded his own security consultancy, Counterpane Internet Security, to fight the problem on a broader front. "Concentrate on human solutions and you'll get better results from your antivirus efforts," says Schneier, now Counterpane's CTO.
But don't tell hackers like "Count Zero," who developed the "Back Orifice" Trojan horse program, which allows hackers to spy on any computer running Windows 95 or later. In the coming age of information appliances, he told PBS Frontline in a documentary on hackers in February, "everything becomes computerized. Your refrigerator will tell your watch that you need milk, and your watch will then speak to you and say, 'Hey, why don't you go and pick up some milk?' All of this will be part of a global conversation that happens in this digital world. That's the main reason I'm convinced that this Internet world is just going to come crashing down."
Bravado? Maybe not. Says Spafford: "We're heading into a future where every 30 minutes there's a new computer virus, where there will be dozens of networkwide denial of service attacks every day, and where your personal data isn't safe because the system gets broken into. It's not just business that's in for it, but government agencies and utilities. We're building up an infrastructure on an incredibly unstable foundation. And so far, we're lucky none of these people playing around are serious anarchists or criminals. But how long do you think that's going to last?"
Keith Epstein is a freelance writer based in Fairfax, Va. CIO Insight researcher Barbra Kiss contributed to this report. Comments on this article can be sent to firstname.lastname@example.org.