At the moment, Bailar's not so much worried about a breach of NASDAQ's trading system -- a private network of computers secured behind a tank embankment wall -- but about the potential damage in dollars and investor confidence should one of the exchange's public Web sites go down.
Like many senior technologists, Bailar makes decisions about risk management every day. Unlike most CIOs, however, he's got the backing to make his decisions stick. Those resources include two dedicated security teams, a direct pipeline to national security personnel, armed security guards, and a total budget of $450 million.
|Links to Resources Mentioned in this Article|
People: Prof. Fred Schneider's homepage|
Asta Networks, the network security company founded by Savage and colleagues.
Emergency Response & Research Institute
National Infrastructure Protection Center (NIPC)
CERT OCTAVE Program
Studies: "Trust in Cyberspace"
Fred Schneider's book-length study published by the National Research Council.
University of California Study on Denial-of-Service Attacks
US General Accounting Office
Yet even one of the most highly developed security machines in the world is vulnerable. "As more and more of the nation relies on computer systems and communication networks, dependencies have crept into our infrastructure," says Fred Schneider, a professor of computer science at Cornell University and co-author of "Trust in Cyberspace," a 1998 study commissioned by the National Research Council and the Computer Science Technology Board. "The CIO is moving in a direction where he doesn't have control over a piece of the picture and that piece is getting bigger and bigger."
Network failures, and the impact of those failures, will likely get worse. In the meantime, he says, most companies aren't doing nearly enough to protect their networks from increasingly potent and global threats.
The Rising Threat
Public attention on cyber-security has focused on high-profile sabotage such as the denial-of-service attacks that shut down the likes of CNN, eBay, and Amazon in February 2000. Yet such attacks are far more common than most people realize. Researchers at the University of California at San Diego found that online vandals stage denial-of-service attacks 4,000 times every week, often targeting individual users and small businesses. "And that's a conservative estimate," says Stefan Savage, a UCSD professor who was involved in that research.
Denial-of-service attacks are only a small piece of the puzzle. Other forms of online mayhem include intrusion, defacing property, spreading viruses, stealing or changing data, or totally shutting down network capability. In the worst-case scenario, says Savage, it would be feasible to take down a power grid, alter a medical database, or knock out a couple of the high-level name servers that everyone on the Internet relies on. Telephone companies, electric utilities, banks, emergency services, and other essential infrastructure components have all publicly acknowledged that their systems may be at risk.
Denial is rampant among corporations, many of which fear negative publicity should a security flaw be exposed. "A lot of this stuff is not widely reported," says Schneider. "The most attractive targets for hackers are financial and military institutions, and neither has any incentive to publicly report when a site has been compromised." Without access to such information, he says, CIOs may find it difficult to build realistic risk models.
Who are these cyber-criminals? They range from greedy employees and contractors to individual hackers to well-funded organized groups engaged in what some might call cyberwarfare, says Savage. In the wake of recent high-tech layoffs looms a new threat: disgruntled employees who break into the system to steal data, harass colleagues, or otherwise embarrass their former employers.
The Government Responds
So far, the aim of these groups has been primarily mischief, but that may be changing. At least 20 countries are developing offensive and defensive cyberwar capabilities, says Clark Staten, executive director of the Emergency Response and Research Institute in Chicago. "China has pledged to create a fourth division of its military dedicated solely to cyberwarfare and is already developing a battalion of US hackers," Staten claims. Indeed, Bailar reports that about half of NASDAQ's attempted break-ins come from overseas, mostly China. Those threats could be part of an ongoing cyberskirmish between Chinese and U.S. hackers, who have been defacing each other's government and corporate sites following the U.S. spy-plane incident in March.
The government is well aware of the problem. According to Staten, a confidential 1997 report issued by a presidential commission on IT infrastructure protection acknowledged major vulnerabilities in today's networked infrastructure. Air Force Gen. Robert Marsh, who chaired the commission, stressed that the lack of information-sharing between the public and private sectors was a major obstacle to security. Due to the cascading effects of an infrastructure blockage, says Staten, many businesses -- not just the intended targets -- could be at risk in the event of such an attack.
In February 1998, President Clinton created the National Infrastructure Protection Center (NIPC) to function as an early-warning system and liaison between corporations and the government. Nevertheless, industry and government remain at odds. Companies hesitate to report intrusions to the FBI for fear that proprietary information will be made public. In addition, industry and government continue to battle over issues ranging from regulation of computer products to the use of encryption. (As a possible sign of their disconnection from the public, officials at NIPC, a division of the FBI, failed to respond to repeated requests to be interviewed for this article.)
In the end, it may be economic pressures, not government intervention, that will force companies to shore up security. Already some insurance companies are charging differential rates based on security measures in place. And, as Bailar points out, potential bottom-line risk is a great motivator for senior managers.
Studies on information security risk conducted by the U.S. General Accounting Office show that senior management sponsorship is a critical element of success in building a company-wide security strategy. As a result, the CIO's first job may be to convince senior management that such a strategy is needed at all.
"You have to take the time to gather the data to educate the board and the CEO on the business risks involved," says Bailar. "If the risks aren't that big of a deal from a business perspective, you should know that, too." Bailar says CIOs should be able to show, among other risks, "how many hacks you're getting, what they could do to your business, the appropriate time frame for getting back on line, and the risk to your customer base."
Bailar has identified two separate sets of risks for NASDAQ: one for its public Web sites, and one for its private trading network, which is not connected, even by a firewall, to the Web. "We're not so worried about a hack into the trading environment," he says, noting that a hacker would have to be sitting at the desk of a trader to even access an account. "The risks to the trading network are more along the lines of physical breakages or someone planting a bomb."
Each morning, Bailar receives security alerts from federal agencies and independent monitoring groups like CERT, as well as daily updates from his internal security teams. "For the Internet, we do raise our alerts when something is going on internationally, for example in Bosnia or Brazil, that could affect the Internet. In terms of physical security for the trading network, we're more concerned about terrorism that would happen on U.S. soil."
Of course, not all companies face such dramatic threats. The nature of threat is highly contextual, based on the way a company does business, what type of information it deals with, and where it is located, says Christopher Alberts, a team leader with OCTAVE, a new program being developed by the CERT Coordination Center (www.cert.org) at Carnegie Mellon University.
The program, which will be made available at the end of August, stresses a broad, self-directed approach to evaluating information security risks, which could range from an employee accidentally deleting an important file to generic threats such as viruses and malicious code. OCTAVE will provide worksheets and templates to help managers identify critical information assets and key risks, from insider manipulation and outsider hacks to environmental vulnerabilities such as floods, earthquakes, or tornadoes.
One obstacle to accurate risk assessment, Schneider says, is that vulnerabilities are typically invisible. "Let's say you're paranoid of losing phone connectivity with a branch office, so you contract with both AT&T and MCI to get what you think is redundant service. Yet the way the telephone paths are structured, both companies may be running circuits in the same piece of fiber owned by Sprint. You cannot say with certainty that you have contracted for two independent connections, and the phone companies are under no obligation to make that information available. In the same way, you don't know when you buy phone service whether that phone is dependent on the power grid."
That level of insecurity is inherent in networks, Schneider says. "CIOs are ultimately concerned about whether their systems are trustworthy, and the answer to that may be unknowable." Unfortunately, they do not have 30 years of research to lean back on. "It's only in the last five years," he says, "that computer security has moved away from a preoccupation with information secrecy and toward the integrity and availability of networks."
The issues are complex, but some companies have not taken even the most basic steps to bolster security. "One of the most common and avoidable mistakes is failing to upgrade," says Bailar. "A patch is delivered, but some people just don't install it. Or they update 10 computers and leave five to become the next Trojan horses on the Web." A recent case in point, the worm known as DoS.Storm, has been burrowing its way through corporate servers, despite the fact that the flaw in Microsoft's Web-server software has been known for some time and the company issued a patch in August 2000. On its Web site, CERT identifies failure to implement patches as the number-one security risk companies routinely assume. "You start by looking at your closest connection to the Internet and working your way back," says Bailar. Securing your e-mail systems, Internet servers, and firewalls should be top priorities.
It's also imperative to develop an action plan with your Internet service provider, says Bailar. "Find out how they monitor malignant intruders, what they can do to stop them, how they would handle a denial-of -service attack, and how long they would be down following such an attack. If you walk away from this conversation feeling they had no idea what you were talking about, you should probably move. A real professional in this space will probably have additional ideas for you."
Bailar shakes his head at the way companies leave themselves open for attack. But in a way it's understandable, says Savage. "A lot of traditional companies are still coming to terms with what it means to be on the network and they haven't internalized that they need cybersecurity the same way they need a security guard on the ground floor." In addition, he says, there's an acute shortage of trained security personnel who typically go to the "sexiest jobs" at major financial and e-commerce companies.
The shortage of trained security personnel is leading some companies to outsource security, a trend some observers predict will be the next hot growth area. Yet even companies that choose to outsource should take a self-directed approach to risk assessment and security management, says Alberts. "You want to leverage the existing abilities of people in an organization so that technologists and business people get together in interdisciplinary teams and solve problems from a business perspective. You are the experts in the way you do business. Even if you decide to acquire outside help, you can at least outline your requirements it in a more targeted fashion."
It's easy to overlook a theoretical threat and hard to justify -- both to investors and senior managers -- the additional money and time needed to effectively assess and mitigate the problem. But the risks are greater today too. "It used to be that companies worried about what would happen if there was a snowstorm and we couldn't get our products delivered," says Bailar. "Now the same risks are much more potent and centered on global information security."
Eva Marer is a freelance reporter based in New York who writes for CIN, an internet.com site where this story first appeared. She covers investments, personal finance, and corporate technology issues for a variety of trade and consumer magazines.