Hackers and criminals have already hit government intranets hard. Mark Mottershead, MD of computer security specialist MIS Europe, argues for greater vigilance.
As New York sleeps, a team of hackers - cyber terrorists - send a virus logic bomb that breaks through the password and encryption defences of the Wall Street stock market computer system. As the next day's business proceeds, the logic bomb awakens to change, corrupt and destroy data causing the market to crash. At the same time, the terrorists hack into the computer systems of the City of London causing a devastating run on the banks after customers' accounts have been plundered.
This nightmare scenario of cyber wars is being taken very seriously by governments. It is a known fact that the information systems of the CIA, the FBI and even the Pentagon have all been breached. It is now an increasing priority of government agencies to respond by establishing security standards for computing/communications and to research and implement the strongest defences.
Clearly these scenarios are extreme but there is no doubt that computer crime is on the increase and the criminals' methods are becoming more sophisticated. All government departments - central and local - are being targeted. 'Mission impossible' feats are regularly reported of criminals breaking into establishments by scaling high walls, jumping between buildings and squeezing through narrow skylights to make off with computers or their components. With illicit gains worth, in one reported case, £750,000, the 'rewards' for such daring are clearly very attractive. In the UK, government departments lost in excess of £1 million worth of equipment during 1996, through theft and mismanagement.
Far more importantly, the most damaging and costly crimes are perpetrated on-line via the Internet, intranets and e-mail by hackers and viruses. If a 16-year-old English boy can hack into American Air Force computers and Croatian teenagers hack into Pentagon computers, decipher codes and gain access to the database of a US military installation, think what the real professionals could do in Whitehall and in the City of London - and their equivalents around the globe!
In the US, the current estimate of the world-wide computer theft problem is $8bn and this figure is expected to rise to $200bn by the year 2000. A recent FBI computer security survey, in America, revealed that of the 563 companies responding, 49 per cent had been attacked in the past year, up from 42 per cent in the previous year and that Internet breaches had risen to 47 per cent from 37 per cent in the same period. Financial losses totalling $100 million (£61 million) were incurred by 59 per cent of the firms. Furthermore, the US magazine PC Week graphically described the dangers: 'Fifty per cent of all businesses which have had to operate without their critical data for ten days or more have been forced into bankruptcy.'
Vulnerable to attack
Messages and data files, transmitted across the Internet, can easily be accessed by even a moderately skilful hacker. Even private intranets are as easy to breach as tapping a telephone line - and desktop access control is powerless in these cases. There is also the danger of web spoofing, whereby hackers access a Web site to alter the data so that visitors read inaccuracies which, for government, could be critical.
However, it has to be recognised that the Internet is becoming an essential tool. Electronic commerce is growing rapidly. It has been estimated that by the year 2000 there will be 14 million business users and 32 million home users of the Web. When one considers that the cost of shopping over the Net is a fraction of the cost of high street shopping, the whole concept of electronic commerce must be an irresistible lure to both merchants and banks. But the banks have often been successfully targeted by hackers - a German bank spectacularly so on live television!
E-mail messages are equally easy to hack. Confidential messages and documents can be read and altered in transit. It is thought that all e-mail will be encrypted in the next few years to protect its security.
Need for Strong Encryption
The need for strong encryption of data is recognised, particularly with the explosive growth of the Internet and intranets. There has been a lot of comment about how security breaches have increased the pressure on the US Government to relax restrictions on encryption exports (there has hitherto been a ban on issuing export licenses for 40-bit encryption which is necessary for even reasonable protection). After a coalition of Internet suppliers blamed these restrictions for holding back burgeoning electronic commerce, the US Government has backed down insofar as allowing three favoured US security vendors to export stronger 56-bit encryption technology, providing that they incorporate key recovery techniques. European developed security systems, however, can offer much stronger encryption. There are now systems available that are easy to install, and easy to use and maintain, that utilise 1,200-bit key lengths that will deter even the most persistent hackers because it would take enormous computing power and hundreds of years to crack this complexity of code. More effective European encryption standards could threaten the US dominance of Internet traffic.
This fear for the vulnerability of data prompted the previous Conservative British Government to propose that trusted third parties would hold copies of users' encryption keys and allow law enforcement agencies to access them on production of a warrant signed by the Home Secretary. This controversial proposal would necessitate changing encryption systems to Key Escrow by departments holding sensitive and/or personal information such as Health - much to their concern. The policy of the new Labour Government, on the other hand, is more sympathetic to the viewpoint of privacy campaigners. The new administration wants to give authorities the right to insist that subjects of an investigation decode any material they have encrypted - and not to have their coded communications surreptitiously intercepted. In the US, there is contention between the issue of civil liberties and freedom on the Internet, on the one hand, and, on the other, the unresolved debate as to whether the state should be allowed to interfere in electronic commerce. It will be interesting to see how this issue is resolved both in the US and in the EC.
Viruses and the Year 2000 Problem
Viruses are one of the major causes of security breaches. They are frequently introduced (sometimes quite innocently) via the floppy disk drive. The difficulty is that there are new breeds of viruses being created all the time. Some are not necessarily destructive but are capable of causing tremendous harm. They can enter a system, collect information and then re-route themselves out again without anyone being aware of them. In a government department with thousands of PCs, that risk needs to be taken very seriously.
The Year 2000 time bomb has to be a security issue. Most of us now know that we have to ensure that our computers will recognise the date 01 01 00 and not confuse it with January 1st 1900. But what may not be appreciated is that every computing device could be affected, including PCs and the embedded microchips in everything from hospital monitors to cars and washing machines. This is a vital issue and it should be remembered that if systems hold personal data, there is a legal responsibility for the preservation, storage and communication of that data through to the next century - clearly this requirement will have a major impact on human resources and health applications. It has been estimated that the UK taxpayer will have a bill of £1bn for fixing all government department IT systems by the year 2000.
The only solution to the problem of security is a total solution, preferably based on the BS7799 recommendations. The need for a tested computer security strategy, including data classification and designation of responsibilities, cannot be emphasised too strongly. Human error might well be accounted for too since it contributes to so much computer mayhem (according to a Business & Technology magazine survey, 47% of the respondents claimed that innocent, accidental errors were a significant security problem). Contributions of contracted third parties, however well-trusted, should also be accounted for in the security plan - as well as laptop computing resources.
Ideally, a computer/communications security officer should be appointed - preferably with reporting responsibility to the highest administrative level. It is also recommended that the advice of experienced, knowledgeable and dedicated consultants in computer security and data protection is sought.
The best of these consultants should be able to provide a total security solution. They should conduct a thorough audit of present security arrangements including, as appropriate, penetration tests of key secure information. A professional consultancy company will identify all the potential problems and make their recommendations accordingly, which could include disaster recovery programmes and training programmes as well as systems and products.
Today's packages are very sophisticated and developed up to military standard. They are low-cost, easy to install and user-friendly. MIS Europe is currently recommending SeNTry 2020, a new fail-safe, real-time hard disk encryption system for Windows NT which not only makes encryption easy but also keeps hard disk data completely private, even if the PC itself is stolen. Another recommendation is F-Secure, a comprehensive family of cryptography software products that enables you to build secure world-wide computer networks. Also recommended is J/CRYPTO, which offers Java application developers full strength encryption and signing facilities to develop the highest level security systems.
With determination and vigilance, allied to a planned and continuously tested security programme, computer crime can be marginalised.