Systems Security

Security Systems

'There's Evolution in the Air'

By Willie Schatz

You have just installed the latest, greatest, coolest, state-of-the-art firewall for your bleeding-edge security system. You are encrypting every bit of communication that moves across your global enterprise. Now you're locked up tighter than the nuclear war code, right?

Wrong, some experts say.

"Overall systems security technology is not being embraced as fast as one might have thought a few years ago," says Gary Van Dyke, president of J.G. Van Dyke & Associates Inc., Bethesda, Md.

"There's a lack of understanding by many enterprise managers in the government and the commercial sector as to what systems security is all about," says Van Dyke, whose company promotes itself as "People Making Information Technology Work Securely."


He and others say many people still think too narrowly about overall systems security, although there has been some progress in terms of implementation, particularly among government practitioners.

"Perimeter security is where most people start," says Ken Newcomer, vice president and general manager of government systems for V-One, a Germantown, Md.-based network security solutions provider.

"They spend all their money on firewalls, but that will never solve their whole problem. The big challenge is plugging holes in huge networks," he says.

"Far too many companies and government agencies believe that firewalls and customized security devices will solve their enterprisewide security problems," Van Dyke says. "But they don't come close. You don't just take a device, attach it to the system and have system security."

So what do you have? Extremely tight security for part of your system. Or fairly tight security for most of your system. Or perhaps fairly loose security for all of your system.

Any of those options may fool some of the hackers all of the time, or all of the hackers some of the time. If you're looking for a panacea, though, don't bother. There isn't a product around that stops all of the hackers all of the time. Witness the embarrassing intrusion April 21 by the hacker group known as the Masters of Downloading who broke into the Defense Department's Defense Information Systems Network.

But there's evolution in the air, particularly among government practitioners. James Massa, director of Herndon, Va.-based federal operations of Cisco Systems Inc., says the gap between thinking about systems security and implementing those applications is shrinking.

Some Make the Leap

"The closer you are to working with bad guys or finance, the faster you're moving toward overall systems security," Massa says.

Some agencies, such as Treasury and Justice, are more aggressive than Agriculture or Transportation, he says. However, each agency is proactive to the level of sophistication needed to secure its network.

"Thinking about that always has been leading edge. Implementation always has been trailing edge. But now there's an exponential surge in implementation," he says. "Many agencies are finally addressing the problem [of thinking maximum and acting minimum] and actually making the leap."

The non-civilian entities, such as the intelligence community, the military's global complex and the energy-focused, are traveling at a fast clip. The civilian agencies for which systems security is not life and death are moving at a more moderate pace.

But that can be a quantum leap for an organization that didn't know how to jump.

"Before we got Cisco's NetSystem 5500, we had nothing," says Keith Scott, network manager for the Pentagon's On Site Inspection Agency. "We did network management on the fly and by the seat of our pants. We could accidentally take down a port to Europe with a typo and not know we did it until later."

That was hardly sturdy system security for a joint-service Department of Defense organization responsible for implementing inspection, escort and monitoring requirements under verification provisions of U.S. international arms control treaties and confidence-building agreements. This agency also represents the United States on U.N. arms inspection teams.

Deciding it was way past time to really manage his network, Scott - a die-hard Bay Networks 5000 booster - last year began a six-month, high-speed network study among the big four equipment providers: Cisco, Cabletron, Bay Networks and 3Com. The one that best answered his big four requirements - event notification; performance monitoring and analysis; configuration management; and resource management - would leave the others in its dust.

"They were [all] pretty equal on specific requirements, such as packet throughput and manageability," Scott says. "But Cisco blew everyone away on cost. It was easy to install. And securitywise, I'm covered."

Well, almost. Scott gives himself a seven on a scale of 10 for overall systems security. But as soon as he finishes installing Cisco's NetRanger and NetSonar intrusion devices, that number will be nine.

"Until we switched to a totally switched network from a totally shared one, I don't think we realized the network is so important to the business process that we can't live without it," Scott says. "Information lends a big part of our mission success. It's very, very important to get the information to the inspectors actually doing the work. And it's absolutely critical to keep that information secure."

So the network is supported by firewalls. And when the NetRanger and NetSonar are installed, remote access will be more difficult than ever for those without an invitation. Users of the ISDN-based system will be given token-based authentication so the system knows they are who they say they are. Users will be admitted based on something they have and something they know.

And for those thinking about just dialing in and getting a user ID and a password, forget it. Scott's been there and done that, and he's not going there again.

Neither is Alan Dahl, chief of technical infrastructure affairs in the consular systems division of the Bureau of Consular Affairs at the State Department.

The bureau's central IT shop began the ALMA (A Logical Modernization Approach) program in 1995 because its infrastructure was so old that the vendor, Wang Global, Billerica, Mass., no longer manufactured the products.

And since the legacy system was not year 2000 compliant, the bureau literally walked into its Y2K solution.

There are not many people out there building visa systems, Dahl says.

"It's not something that people really will buy out there. But we do get inquiries from other governments, particularly the Aussies and the Canadians, who are in the same league," he says. "And we're very serious about security."

The Bureau of Consular Affairs doesn't have a choice. Even though its information is sensitive but unclassified, the State Department's Certification Advocate works closely with Dahl and his colleagues to assuage the pain of obtaining the advocate's approval. If that official says no, the application doesn't go.

So should there be this much blood, sweat and tears over the names of passport applicants and those seeking U.S. citizenship? Dahl says an average hacker would find the information dull. But, he adds, certain criminal elements might find some of the information useful.

"If they knew the contents of the name-checking database, it might give them ideas about identities or aliases not to use," Dahl says. "That's always a problem in intelligence agencies, of course. But we're doing some work on that. We think we've established a security posture that basically tells a hacker that the data he'll get isn't worth the effort to break down our system's security."

Consular Affairs has accomplished that by building security into systems as they develop and by putting the topic high on its employees' radar screens. ALMA isn't just about upgrading boxes and enhancing networks; it's about a new attitude.

"Security isn't an afterthought for us," Dahl says. "Between us and the department, we spend a lot of time and energy accounting for the security of our system. We don't want to engineer something later because we forgot about it earlier."

Dahl isn't the only one thinking about doing it to them before they do it to us. Even the government gets that message.

According to Input, a market research firm in Vienna, Va., the government's security expenditures will rise to $827 million by fiscal year 2002 from $638 million in fiscal 1997.

That's a very healthy 5.3 percent compound annual growth rate. Also, these figures do not include spending on classified security systems.

But that rate trails the compound annual growth rate for overall government information technology spending, which Input projects at 5.9 percent for the same period, culminating at $30.1 billion in fiscal 2002.

The security projections did not include all expenditures by the Pentagon, which, as spokesman Ken Bacon told the Associated Press in April, will spend $1 billion annually for the next several years to improve its classified and unclassified computer security.

Other security pieces of the IT market also are rising. A Volpe, Brown and Whalen study says that by 2000, virtual private networks will be in and firewalls will be out.

The firm projects virtual private networks spending will rise to more than $4 billion that year from less than $1 billion in 1997. By comparison, firewall spending in 2000 will hit $2.5 billion from 1997's $1.6 billion, which isn't exactly chopped liver.

The fuel for the spending fire is business-to-business electronic commerce, which the Yankee Group of Boston predicts will grow to $171 billion in 2000 from the comparatively puny $7 billion in 1997. That's more than a 24-fold increase.

Business Boom

More electronic commerce means doing more business over the Internet. Nothing could be lower in most government and commercial IT organizations' business plans.

Mike Kearney, a security specialist in IBM's SecureWay group, says the "tremendous wariness" about Internet business among his government customers hinders development of state-of-the-art applications because security-conscious employees just won't go there.

"No one wants to be the first to put a national program at any security risk," he says. "To do serious business on the Net requires a very critical look at security."

The view is hardly spectacular. But it may brighten considerably with the emergence of public key infrastructure, a digital certification procedure that its growing number of proponents claim will truly secure system security.


"You get authentication and privacy, and you can manage security across the enterprise with PKI," says Brian O'Higgins, executive vice president and chief technology officer of Entrust Technologies, a Richardson, Texas-based subsidiary of Canadian telecom giant Nortel.

"Users only need a single sign-on," he says. "I think it's the future for securely managing applications on the Net."

That future may be now. Entrust took four years for its products to reach 1 million users; last month it had 2.5 million.

Even the most conservative Wall Streeters might appreciate a 150 percent increase.

"PKI's not widely understood yet because it's new," O'Higgins says. "But internationally it's really cranking up. The power curve is just starting. The real curve will come later this year."

But who will ride it? What will make the insecure feel secure?

"The government's more aware of security issues because it's vulnerable to attack by disenfranchised parties," says Van Dyke. "Industry is very reluctant to let the public know it has a problem."

Van Dyke claims that cultural mind-set is dissolving, but it will take at least another year before the vulnerability appears on investment and budget projections. Companies are gradually - if grudgingly - admitting that security is more than a square to check off on the daily schedule and to get the auditors off their backs.

"More and more companies and government agencies want to know why they were attacked," he says. "They finally want some answers.

"So there's an increasing trend that security can no longer be put off. And the more you learn about it, the more you realize that implementing system security is a considerable undertaking."