A gathering of info-security luminaries this week demonstrated not only how complex the corporate security picture is, but how completely experts on the subject could disagree.
Microsoft Corp. this week sponsored SafeNet2000: Policy Practice in the Internet Age.
The two-day event drew 250 information security luminaries, lawmakers, academics and auditors who formed working groups to try to hash out guidelines for tough issues including national infrastructure protection, global vulnerability and attack reporting structures.
But the group couldn't come to consensus on just how to get private-sector companies to build critical security functions into their infrastructures, and how to get them to report threats and vulnerabilities without risk of exposing themselves to unwanted outside attention.
Possible incentives ranged from tax relief for companies that meet minimum levels of security to appeals to their better corporate natures.
"We want to impose upon people the need to contribute to the greater good to all the people who share the common communications infrastructure," said David Jerrell, director of the Federal Computer Incident Response Capability (FedCIRC). "We must convince people that viewing the bigger picture is the first step toward active defense."
Easier said than done, countered Harris Miller, president of the Information Technology Association of America (ITAA).
"Boards of directors aren't convinced there's any return on investment on information security and risk management," he said. "We've not been able to capture the minds and hearts of the CEOs and boards of directors about the importance of these issues."
Miller also suggested that companies will continue to be reluctant to report successful hacks because they're afraid of information leaks.
"The risks out there are clear: the fear of negative publicity, proprietary information shared in court, loss of public confidence or reduced trust in the economy itself," he said.
Microsoft also introduced two nascent products designed to address security from both the personal and corporate perspective.
Microsoft CEO Bill Gates demonstrated a Windows-compatible smart card that works as an access control on both the PC and physical building entryways. The smart card, now being pilot-tested at Microsoft, logs users off when the card is removed to go elsewhere in the building. Microsoft plans to release it sometime next year, but privacy advocates don't like the smell of it.
"That smart card would be very intrusive in terms of following the employees' movements around the building, even into the bathroom," said Barry Steinhardt, associate director of the American Civil Liberties Union.
Microsoft's second tool, P3P (Platform for Privacy Preferences) client and server software, takes a more personal approach.
The software is designed to help users protect their own privacy by having the browser monitor what a Web site is configured to do with their information. If the privacy settings on a Web site don't match those the user has set in the browser, a red or yellow light goes on, depending on how severe the conflict is. Microsoft plans to deliver this tool as part of its Internet Explorer 6.0 browser software when it releases its next operating system, probably around the holiday season of 2001.
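The comparison described above reduces to a per-field check of a site's declared practices against the user's settings, with the worst mismatch deciding the light. The following JavaScript is an added example written for this page, not Microsoft's or the W3C's P3P code: the `Privacy-Practices` header format, its field names, and the `defaultPrefs` settings are constructed stand-ins for a real P3P policy and for the browser's preference dialog, chosen so the example runs on its own.

```javascript
// Added example: rate a site's declared data practices against the user's
// browser settings and return a green, yellow or red light.
// The header format below is constructed for this example; it is not P3P's
// XML policy or compact-policy syntax.

const LEVELS = ["green", "yellow", "red"];

// Parse a constructed header such as
//   share=third-party; purpose=service,marketing; retention=indefinite; identified=yes
// Unknown fields and malformed fragments are ignored rather than failing the
// whole policy, so a sloppy site still gets rated (conservatively, by defaults).
function parsePolicy(headerValue) {
  const policy = { share: "none", purpose: [], retention: "stated-purpose", identified: false };
  for (const part of headerValue.split(";")) {
    const [rawKey, rawVal] = part.split("=").map((s) => (s || "").trim());
    if (!rawKey || rawVal === undefined) continue;
    switch (rawKey.toLowerCase()) {
      case "share":
        policy.share = rawVal.toLowerCase();
        break;
      case "purpose":
        policy.purpose = rawVal.toLowerCase().split(",").map((p) => p.trim()).filter(Boolean);
        break;
      case "retention":
        policy.retention = rawVal.toLowerCase();
        break;
      case "identified":
        policy.identified = rawVal.toLowerCase() === "yes";
        break;
      default:
        break;
    }
  }
  return policy;
}

// Constructed user preferences, standing in for what the user sets in the browser.
const defaultPrefs = {
  allowThirdPartySharing: false,
  allowMarketing: false,
  allowIndefiniteRetention: false,
  allowIdentifiedData: false,
};

// Compare policy with preferences; return the worst light and each conflict.
function rateConflicts(policy, prefs = defaultPrefs) {
  const findings = [];
  if (policy.share === "third-party" && !prefs.allowThirdPartySharing) {
    // Data leaving the site: red when it is identified, yellow when anonymous.
    findings.push({ field: "share", level: policy.identified ? "red" : "yellow" });
  }
  if (policy.purpose.includes("marketing") && !prefs.allowMarketing) {
    findings.push({ field: "purpose", level: "yellow" });
  }
  if (policy.retention === "indefinite" && !prefs.allowIndefiniteRetention) {
    findings.push({ field: "retention", level: "yellow" });
  }
  if (policy.identified && !prefs.allowIdentifiedData) {
    findings.push({ field: "identified", level: "red" });
  }
  const worst = findings.reduce((max, f) => Math.max(max, LEVELS.indexOf(f.level)), 0);
  return { light: LEVELS[worst], findings };
}

// One call from raw header to light colour.
function lightFor(headerValue, prefs = defaultPrefs) {
  return rateConflicts(parsePolicy(headerValue), prefs).light;
}

// Constructed sample headers from three hypothetical sites.
const samples = {
  benign: "share=none; purpose=service; retention=stated-purpose; identified=no",
  marketing: "share=none; purpose=service,marketing; retention=indefinite; identified=no",
  broker: "share=third-party; purpose=marketing; retention=indefinite; identified=yes",
};

for (const [name, header] of Object.entries(samples)) {
  console.log(name, "->", lightFor(header)); // benign -> green, marketing -> yellow, broker -> red
}
```

The design point is that the light is the maximum over individual mismatches, so a single identified-data conflict turns it red regardless of how many milder yellow findings sit beside it; a real implementation would also have to decide what to show when a site declares no policy at all, which this example treats as the conservative defaults in `parsePolicy`.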
John McCarthy, group director at Forrester Research Inc., suggested that the flashing red and green lights on the tool bar may actually impede consumer confidence.
But Barb Lawler, customer privacy manager for Hewlett-Packard Co. in Palo Alto, Calif., thinks the tool will have a positive impact on consumer confidence.
"In spite of what Forrester says, P3P will fundamentally change the balance of power to the consumer," she said. "I like the idea of the browser interpreting what the Web site is doing with the user's personal information."