The Hindu Business Line : `Cyber security practices need improvement'

Coimbatore April 29 If cybersecurity has become a major issue in recent years because of the risk associated with attacks, the problem "stems primarily from lack of proper engineering focus in the design, development and operation of the cyber systems in use," according to Mr Edward Amoroso, Senior Vice-President and Chief Security Officer of AT&T.

"The software, computers and networks have been built so poorly that cracking them is a big yawn," he says in his book titled Cyber Security.

Comparing the engineering focus in construction of transportation bridges vis-à-vis software, Mr Amoroso states that the latter is rarely designed using mathematical models or engineering thinking.

"Unfortunately, none of the engineering considerations are true for the software, computers and networks that exist across the globe. The software is rarely designed using mathematical models and the result - systems we use every day fail before our very eyes. When this happens, we just dismiss it as a system crash."

Cautioning users against downloading free attack tools from the Net and ignoring the seriousness of the Net being down for a few hours, he says: "The cyber security practices of the Government, business and citizens have been uniformly abysmal, virtually across every sector of every country across the world."

According to him, poor cyber security practices fall into three categories - software practices, involving poor processes leading to vulnerable code, system administrative practices including inadequate administrative processes for application and infrastructure components, and security practices, involving improper use of explicit cyber security protection.

Most software, whether purchased off the shelf or custom-designed by a software firm, work well but contain several bugs that might or might not be found.

If such bugs are nothing more than a nuisance, they can be dealt with via patching. "But since malicious individuals and groups can remotely exploit bugs, it is truly a big deal."

According to him, cyber security seems to be at a crossroads, with possibly three futures or paths that appear anything but equal.

"There is continued uncertainty about everything cyber-security related, stemming from ignorance and naiveté that exists around such risks."

He refers to the second path to `Digital Pearl Harbour,' as it would involve future collapse of critical computer and network infrastructure. Consequences of such attacks can be worse.

The third one, `Enlightened Global Security,' is a future divorced from current national infrastructure security approach, requiring dramatic changes and investments in the infrastructure security approach.