BOSTON (05/10/2000) - Almost 100 corporate security managers met with politicians and law enforcement representatives yesterday in Menlo Park, California, to refine strategies for fighting computer crime.
Billed as the "Internet Defense Summit," the meeting featured an address by U.S. Senator Fred Thompson (Republican-Tennessee), who announced a bill calling for annual reviews of government security practices.
Attendee Gary White, a security research manager at BP Amoco PLC, said he was pleased to see the large turnout and the presence of government officials. "It is an indication that IT security is being recognized at high levels in corporations," White said.
The proposed Government Information Security Act, drafted by Thompson, was approved Tuesday by the Senate Government Affairs Committee that Thompson chairs. But the senator cautioned security managers that the federal government doesn't have adequate resources to prosecute security attacks and said Congress shouldn't pass legislation that forces companies to cooperate with investigations.
"We don't know yet how to run our own shop," Thompson acknowledged, adding that companies have to create their own security defense plans. He said the government could assist by providing grants for security research, granting tax breaks to companies that develop security tools, enforcing current laws and increasing the number of visas for high-tech workers.
Raymond Kendall, secretary-general of the Interpol international police agency, reminded attendees that national laws have limited jurisdictional power against the international nature of Internet crimes. Speaking via a satellite link from Brussels, Kendall said each country has to pass its own laws against computer crime and enforce them.
This issue has become keenly apparent during the ongoing search for the authors of the "I Love You" virus, because the Philippines - where the virus apparently originated - has no specific laws against writing damaging computer viruses.
Kendall also said most governments have neither the financial resources nor the technical know-how to stay on top of hackers and computer terrorists.
"The private sector must (provide for) themselves much of the action which is necessary to prevent attacks from being made on the Internet," he said. "It's no longer possible for governments to provide the kind of resources and investment necessary to deal with these kinds of issues."
The recent virus attacks were on the minds of attendees, who discussed the value of various security systems and codes of practice for Internet defense.
Lawrence Brown of the Edison Electric Institute spoke for many security managers when he said better systems for exchanging security information between companies and law enforcement agencies are needed. "Part of the problem is lack of communication between government and industry," he said.
Dan Allison, an IBM Corp. employee, added to Brown's comments by noting that companies can help raise the security profile of their industries by insisting that the firms they do business with meet pre-defined security requirements.
IBM already has that kind of requirement in place, Allison said.
Jim Maloney, CEO at SecurityPortal.com, chaired a panel at the summit on Internet defense practices. Maloney said he's pleased that more companies are openly sharing security information with their supply-chain partners and at public forums - a trend he sees as evidence of a growing understanding that a security glitch at one firm reflects badly on an entire industry. "Security is not seen as a basis for competition anymore," Maloney said.
"I think it was very useful for people to meet to exchange ideas and best practices and things we can do as economic leaders," said Rhonda MacLean, a senior vice president at Bank of America's security division.
MacLean said the event helped expand the network of industry contacts with whom she can exchange security information and ideas. "There are lots of good opportunities to interact, and there are a lot of people here who don't attend these things very often," she said.
The summit featured a unique mix of government, industry and law enforcement attendees.
For example, Beth Dickinson, a chief in the Los Angeles County Sheriff's Department, said her computer crime unit often finds itself investigating not individuals but groups of people conspiring to commit security break-ins. The unit focuses on "major banking threats from institutions," Dickinson said. "We are targeting high-value crimes."
One of the sponsors of the conference, AtomicTangerine, an e-business spin-off of co-sponsor Stanford Research Institute (SRI), introduced a free security product called NetRadar that lets companies analyze publicly available security information.
Using artificial intelligence engines, the product can help warn organizations of impending attacks and allow managers to take offensive security positions, AtomicTangerine CEO Jonathan Fornaci said.
Although some attendees said they appreciated the opportunity to gather security information and contacts, some were frustrated by what they said was a lack of deep expertise.
"What is missing here are the serious experts and knowledge of what the threats are," said Chris Vargas, president of Finland-based F-Secure Corp., which claims to have discovered the "I Love You" virus last week.
But Vargas said the summit could encourage companies to swiftly and efficiently exchange threat data and automatically trigger investigations into a cure before attacks can get under way. Last week's virus "was easy to write, and you have to be prepared for this," Vargas said. "It will happen again."
James Niccolai of the IDG News Service contributed to this article.