SAN MATEO (06/12/2000) - One denial-of-service and virus attack after another has snapped the federal government out of its complacency and made it realize that there is, in fact, a computer security problem.
Sen. Orrin Hatch, a Republican from Utah, has introduced a bill "to enhance the protections of the Internet and the critical infrastructure of the United States." The bill is S 2448 (Sec. 101, Deterrence and prevention of fraud, abuse, and criminal acts in connection with computers) and is under review by the U.S. Senate Judicial Committee.
We believe Hatch believes the bill will, at least in part, eliminate cybercrime. We admit that stiffer laws may reduce the number of defaced Web pages and casual hacking of DSL and cable modem users, but so what? Does anyone believe the casual U.S. teenage hacker is the real threat on the Net? Why attack the symptom when we really need to attack the problem: those vulnerable systems and networks?
The government keeps talking about stricter laws, longer punishments, and bigger fines to resolve the problem of cybercrime. Instead, why not spend money to create organizations that can provide proactive solutions?
The industry, and by extension we, would be much better off if the government spent one-quarter of its proposed crime-fighting budget on gathering an elite group of security experts. These folks would do nothing but research computer technologies, looking for security flaws and developing methodologies for hardening those products. Then they could educate the public about their findings.
The solution to all of what ails us is not a new law. Instead, we propose proactive steps. Train and educate industry professionals or at least the government agencies that fight cybercrime, such as the U.S. Federal Bureau of Investigation, to educate private industry on how to secure their systems before they get attacked. Then, at least, corporations might have some hope that their computer systems would be more difficult to access in an unauthorized and damaging manner.
Deterrents in the form of stricter punishments for cybercriminals are fine, but they don't discourage the real criminals, just as steering-wheel clubs don't eliminate determined car thieves. Cybercriminals who can do the most damage are the ones we need to prepare for, and they are the ones with the money and time to develop complicated and difficult-to-detect hacks that can cripple critical infrastructure. We're not talking just about eBay Inc.; we mean air traffic control systems, water and power plants, and oil refineries.
The criminals in this case are international terrorists and anti-U.S. governments that are salivating at the thought, if not the real possibility, of developing attacks so powerful and undetectable that they may never be tracked down. This real threat should motivate government and industry to put down the law books for once and start opening their pocketbooks. We need training, education, and industry motivation to make security the priority it needs to be.
Do we honestly wish to see 14-year-olds go to federal prison for as many as 10 years because they guessed that the root password on a system was blank? That's what this legislation will offer. Let us know your thoughts at firstname.lastname@example.org.
Stuart McClure is president and CTO and Joel Scambray is managing principal at security consultant Foundstone (www.foundstone.com). Their latest book, Hacking Exposed, has sold more than 100,000 copies.