Computer Security in Flux

CIO Insight Staff

Dr. Peter G. Neumann, principal scientist at SRI International’s elite Computer Science Laboratory, is a world-renowned expert on computer security, privacy and systems. Last year he was awarded a contract by the Defense Advanced Research Projects Agency to help ease extensive security problems in the nation’s data infrastructure. He was given the National Institute of Standards and Technology and the National Security Agency’s 2002 Computer System Security Award this past June. His book, Computer-Related Risks, is in its fifth printing.

CIO Insight: What impact has Sept. 11 had on the way organizations look at security?

Peter G. Neumann: I think there’s a great deal of confusion as to what to do. When people don’t really understand the detailed risks they’re facing, they tend to dither. In this particular case we’ve been attempting to throw some high-tech solutions at problems that don’t easily respond to high-tech solutions. There are a great many things that technology can do, but the reliance on technology as a solution to non-technological problems is inherently risky. So I think in the absence of specific understanding of what might work and what doesn’t work, there are a lot of organizations with their heads in the sand.

In the Clinton administration, the President’s Commission on Critical Infrastructure Protection came to the conclusion that pretty much all of our critical infrastructures are at risk. When we extend that to corporate America, the same conclusion can be drawn: For anybody who has extensive pieces of their business accessible from the Internet or accessible by remote telephone dial-up or accessible by wireless modems that are not adequately protected, their entire enterprise is at risk. The challenge here is to recognize what the risks are and to act accordingly.

CIO Insight: What impact does that have on corporate strategy?

Neumann: The question is, where does one most effectively put resources? And the resources are people and money. There are a lot of organizations that are saying, oh, don’t worry, we’ve got everything under control; we have all of the risks covered, and we’ve protected ourselves. Anybody who says that is incredibly naive in believing that their own spin is going to protect them. This is sort of security by obscurity, with heads in the sand and pretending that everything is now OK.

From what we’ve seen in computer security, everything is vulnerable, and the extent to which it’s vulnerable may vary a little bit from one organization to another, but basically all of the mass-market computer software that’s out there is riddled with security vulnerabilities. So the question is: How are you using it and how are you interfacing with the rest of the world?
