Hacking’s Gift to I.T.

Edward Cone Avatar

Updated on:

Ed Amoroso knows a thing or two about security. As the senior vice president and chief security officer for AT&T Inc., he is responsible for shoring up all online operations at the $44 billion telecom giant. Amoroso outlined his security philosophy in his most recent book, CyberSecurity (Silicon Press, January 2007). Online Editor Debra D’Agostino chatted with Amoroso about the benefits of hackers, the risks of complexity, and what security will look like in five years. An edited transcript of his comments follows.

CIO Insight: How has the security challenge changed at one of the world’s largest communication firms?

Amoroso: When I started at Bell Laboratories 22 years ago, the security issues were mostly around pulling bugs out of UNIX systems, a very sleepy topic. Now we run so much business over the Web that you really need to think of the Internet as a utility, a necessary function. The notion of security has gone from an esoteric thing to unbelievably mainstream. Hacking has moved from basic defacements to far more significant threats based on financial incentives.

In your book, you mention that hackers can also provide value. How do you make the distinction between a good hacker and a bad one?

Of course, hacking is inappropriate. But in order to really understand something, you have to rip it apart, literally break it. When you bring your car in to have the transmission fixed, you trust the mechanic has had some experience pulling transmissions apart and rebuilding them. The original point of hacking was just a thirst to understand, to comprehend how something works. In an era where software engineering is still in some senses at a Neanderthal stage, it’s difficult for me to get angry at the person who wants to help consumers understand there may be some danger to using a particular technology.

That’s a little odd coming from a guy whose job is to make it safe for people to do business online.

I know. But maybe the original concept of hacking is a good thing. Kids know they aren’t supposed to jump onto someone else’s network, but when all you have to do is point a scanner and add an IP address into a little box—it’s very hard to resist. I definitely have a soft spot for someone in that situation. I think we vilify hackers to make them seem like cybercriminals, but in many cases they are actually doing us a favor by pointing to problems they’ve found.

It’s unreasonable to have all this fragile infrastructure out there where kids can just break in. Companies need to build more robust infrastructures. You can’t leave a rake in the yard with the prongs up, and then tell the guy who steps on it to be more careful. Don’t leave the rake there in the first place! And that raises the issue of complexity: The biggest problem I see is that everyone’s systems are just too complicated. You should always be thinking about simplifying. If I had just one dollar to spend on security, I would spend it on trying to reduce the complexity of our systems.

Are simple systems easier to protect?

Absolutely. Think about your home. You have a good idea of how to get in and out. How would you feel if you suddenly discovered a trap door somewhere you didn’t know about? You need to understand what you’ve got, from soup to nuts, so you have a basic understanding of what the security issues are. Complexity weakens a company’s ability to be secure.

How does AT&T approach complexity from a security perspective?

Let’s say you’re a systems administrator at some bank, and you have an antispam filter at your edge. You get 800,000 junk messages per day. Why not route those messages through your ops centers first, where they can go into a cloud and be filtered?

At AT&T, we have pushed this trend of putting more and more security into the network, and that’s by far the best trend I have seen in the last five years. Let the carrier handle the basic security functions, embed it into the infrastructure. In five years we will be laughing at how silly it was that we treated security as some separate industry. We will get to a point where the security risk is sufficiently controlled. It could put someone like me out of business.