MENLO PARK, CALIF. (05/09/2000) - Leaders from industry, government and law enforcement hunkered down for a day of closed-door meetings here today to brainstorm about the difficult task of protecting the world's computer networks against cybercriminals.
One theme to emerge early on at the event, billed as the Internet Defense Summit, was that governments have neither the financial resources nor the technical know-how to stay on top of hackers and computer terrorists.
"The private sector must (provide for) themselves much of the action which is necessary to prevent attacks being made on the Internet," Raymond Kendall, the secretary general of Interpol, said in a speech at the start of the day's activities.
"It's no longer possible for governments to provide the kind of resources and investment necessary to deal with these kinds of issues," said Kendall, who spoke via satellite link from Brussels.
The summit, which took place at the Stanford Research Institute's (SRI) leafy campus, attracted more than 100 chief information officers and other top executives from companies and organizations including IBM Corp., Microsoft Corp., Visa International Inc., the U.S. Postal Service and the Los Angeles County Sheriff's Office.
Meetings were held behind closed doors to encourage candid discussion about security problems and the ways participants have learned to cope with them. The event took place in the shadow of the I Love You virus, which emerged last week and has wreaked havoc in public and private computer networks the world over.
"There won't be a lot of resolutions passed here today, but the key is to get the dialogue open and to get CEOs interested in providing their customers with protection," William Crowell, president and CEO of Cylink Corp., which provides security products and services for businesses, said in an interview.
"There are no cookie-cutter solutions; every network is different," he added.
At the top of CIOs' concerns here was denial of service (DoS) attacks, he said, which earlier this year brought Yahoo Inc., Amazon.com Inc., eBay Inc. and other high profile Web sites to their knees. DoS attacks are a key concern because the only way that is currently available to prevent them is to catch the perpetrators, Crowell said.
Second on the list of concerns were attacks that reach into networks to steal valuable corporate data. Firewalls are the best way to prevent data theft that originates outside of a network, while cryptography can help to protect data from internal theft, he said.
Selwyn Gerber, a managing partner with offshore banking firm PrimeGlobal USA LLC, said his company considers the Internet so insecure that it won't use it at all to transmit sensitive customer data.
"We're back to using faxes, and we find that much more secure. We use FedEx. In fact, if there were ponies still travelling across Europe we'd probably use those too," Gerber said, speaking at a lunch event here that was opened to reporters.
While the business leaders seemed focused on computer hackers, Interpol's Kendall said there is a "real danger" of terrorists and hostile nations using computer networks to wage international warfare.
"We know already... that most of the major terrorist organizations have their own Web sites, and therefore have the facility to carry out the same sort of action that we've seen carried out over the last week," Kendall said, referring to the I Love You virus.
Cyberterrorism can be "more effective and more costly" to governments than "the classic methods of bomb attacks and assassination." Kendall said. "It is really a serious threat to all of us and all of our societies."
Solutions seemed harder to come by today than the problems discussed.
Governments, businesses and research institutions must band together to find the best technologies and courses of action to defeat cybercrimes, the participants said. And companies must be more willing to invest in security systems to protect their networks.
A few participants called on software companies and service providers to make their products more secure. Default settings for software products sold to consumers should be at the highest level of security, they said.
"You wouldn't build a swimming pool in the center of town and not put a fence around it, and I think that's what the software companies are doing," Glenn Tenney, a director with Pilot Network Services Inc. in Alameda, California, said during the luncheon.
Although security firms have financial incentives for promoting security issues, for the average corporation, the benefits of spending millions of dollars to bolster security in networks aren't immediately obvious, making them slow to act, others said.
"If you have a choice of spending a million dollars on getting 250,000 new customers, or a million dollars on serving the ones you already have, better, that's a difficult value proposition," Cylink's Crowell said, suggesting that most companies would take the additional customers.
But the severity of attacks could get worse, and businesses would be wise to make precautionary investments now, he said.
"I think we've been lucky so far," Crowell said.
SRI International, which cohosted today's summit with its consulting arm, Atomic Tangerine, used the event to launch a new software component for Sun Microsystems Inc.'s Solaris servers. Called Emerald, it is designed for network surveillance and intrusion detection.
In addition, Atomic Tangerine took the wraps off of a new technology, NetRadar, that uses sophisticated network agents to reduce the threat of attacks before they actually occur, according to Atomic Tangerine.
SRI International, in Menlo Park, can be contacted at +1-650-859-2000 or on the Web at http://www.sri.com/.