Numerous juicy nuggets of information and interesting facts were mentioned as asides or in passing by speakers at the CyberCrime 2002 conference, which concluded here Tuesday. The conference brought together academics, security professionals from the private sector, national, state and local law enforcement agents, including members of the U.S. Federal Bureau of Investigation, and representatives of government computer security bodies such as the National Infrastructure Protection Center. Though not every interesting tidbit warranted its own story, presented here are some of the more choice statements, proposals, suggestions and facts.
Web site content and the U.S. antiterrorism campaign
Two strongly divergent opinions were offered about the role that information on company or agency Web sites could play in the U.S. government's antiterrorism campaign.
"I urge you very strongly to take a look at what you have available on your Web site," National Infrastructure Protection Center chief Ronald Dick cautioned attendees at his opening keynote on Sunday. "Is there information on your Web site that doesn't need to be there?"
While Dick said he wanted to maintain the freedom of information available on the Internet and in the U.S., he also said that companies and agencies needed to perform "a balancing act" between public information and public security when it comes to Web site content since, he said, there are "enemies of the United States" looking at Web sites for publicly available information and using it to plan acts against the U.S.
In the event's second keynote, Fred Cohen, a researcher at the Sandia National Laboratories, a professor at the University of New Haven, which is based in Connecticut, and a security consultant, urged attendees to an opposite course of action.
Cyberterrorism is being used as an excuse to shut down Web sites that express unpopular views, Cohen said, noting the closure of Muslim and anarchist Web sites, while radical right-wing sites remain online.
"This is the time for the United States to be highly open and highly transparent," Cohen said. "Today, most people don't see the oppressive effect that will come if we continue down this path."
John Kamp, a member of the law firm Wiley, Rein & Fielding LLP in the Washington, D.C. area, who previously served on a U.S. Federal Trade Commission panel on Internet privacy, gave companies a five-point checklist for how to handle computer privacy issues with their customers.
1. Be aggressive. Do what you want to do well and do it aggressively, Kamp said.
"If we do what we do well, we probably don't need a lot of legislation (in the privacy area)," he said, adding that companies ought to also be aggressive when it comes to federal privacy legislation.
2. Be bottom-line oriented. Companies ought not collect personal information unless they're going to use it in a way that will directly contribute to their bottom line, he said. Otherwise, there is too much potential for trouble, he said.
3. Be truthful, straightforward and fully forthcoming. Even the appearance of wrongdoing can hurt how a company is perceived, Kamp said.
"Blow your privacy promise and you blow your brand," he told attendees.
4. Be careful. The law is changing all the time, so companies need to make sure they understand the law and that their actions abide by its spirit, not just its letter, he said.
"You can follow the law explicitly and still lose," especially in the public eye, Kamp said.
5. Be proud. The only visible privacy policies are those that fail or cause problems, he said. All privacy successes are invisible because they aren't noticed by the public or the press, he said.
And you thought spam was bad
About 12 percent of all bandwidth coming into most companies is either an attack or is incorrectly formed and is therefore useless, according to David Aucsmith, chief security architect at Intel Corp.
Users connecting to the Internet over dial-up modems are attacked six times an hour, he said, showing that it's not just broadband users who are vulnerable on their home PCs.
Education is the key
More than one speaker at the conference commented on the need for more computer security education and a greater focus on the subject in schools.
Howard Schmidt, vice chair of the President's Critical Infrastructure Protection Board, said that he supports the teaching of computer ethics in schools, starting as early as grammar school. He also said there should be a computer equivalent of driver's education classes for older students to help them gain a better understanding of how computers work, what they are doing when they use them and how to use them safely.
"If you want to get an education in this field, there are very few people who can give you an education beyond a bachelor's degree," according to Fred Cohen, who used part of his keynote to decry the lack of attention and funding given to advanced degrees in computer security at the nation's colleges and universities. Though cryptography frequently is the focus of Ph.D. programs, other aspects of computer security are neglected in curricula, he said.
To underscore his point, Cohen said that when he received his Ph.D. in the 1970s (a Ph.D. related to viruses; Cohen is credited with coining the term computer virus), he was the only person in the U.S. in five years to get a security Ph.D., excluding cryptography degrees.