Financial Daily from THE HINDU group of publications
Monday, Jun 27, 2005
eWorld
Features
Stocks
Port Info
Archives

Group Sites

 eWorld - Security
Info-Tech - Insight
Columns - Security Musings


Panic moves won't pay

R.K. Raghavan

Attacks on security in cyber space don't mean you stop playing - or spend beyond an optimum investment to protect yourself. Moderation is the key.

Anyone who tries to entice you with promises of absolute security or safety is pandering to your fears... ... There is no single level of security; how much security you have depends upon what you're willing to give up in order to get it. — Bruce Schneier in Beyond Fear

THE National Infrastructure Security Coordination Centre (NISCC) of the UK has sounded an alarm that East Asian hackers are planning a Trojan horse attack on parts of the country's Critical National Infrastructure (CNI).

This could infect the e-mails and Web sites of the nearly 300 targeted organisations, including government departments.

The suspected location of the aggressors should interest those of us in India. Strong indications suggesting this have been in evidence for several months. Undoubtedly, the warning has to be taken seriously.

But then, what more can a country or private industry do to protect its assets? The existing precautions include employee background check, severely restricted access to buildings and computers, closed-circuit TV monitors, firewalls, Intrusion Detection System (IDS), and anti-virus software, all of which together have been regarded as reasonable measures against mischief-mongers in the cyberspace.

Interestingly, the findings of the just-concluded Gartner's 11th Annual IT Security meet in Washington DC confirm that corporations are not going to spend anything less than previously to protect their systems.

While viruses and worm are top in their agenda, cyber terrorism ranks as low as 11th of the known threats. Where do the NISCC's warning and the Gartner conclusions leave us?

If you would ask the articulate computer security specialist Bruce Schneier, he could surprise you with a mere broad sceptical smile.

Mind you, Schneier is no cynic but a pragmatist who would plead for moderation and would spurn the excesses he sees in the security business.

He perceives an optimum in investment, beyond which individuals and companies will opt for a trade-off that will cut down costs even if it imperilled security.

This is the `sensible security' that provides the title to the first part of his book Beyond Fear (2003, Copernicus Books, New York) that I happened to read recently.

While this deals generally with security, portions of it refer to the limitations of all that we can do to guard our systems, whether it is aviation or cyber security.

Read in tandem with his earlier work Secrets and Lies (2000) there is a lot of distilled wisdom. I would strongly commend both books to my readers.

One convincing argument these days against huge spending on security is the fallibility of even what are considered the best practices against the might of sheer numbers and growing guile of present-day hackers.

The hundred per cent success of the 9/11 operation - all the four targeted aircraft were hijacked, although one of them did not crash against the building targeted - is often cited to prove the vulnerability of most security measures and the futility of stepping up investment in security guards and gadgets.

In the eyes of some, the response to 9/11 was hysterical. I remember being questioned, in the weeks following 9/11, by the Amtrak Police, the moment I got off a train in New Haven where I had gone to deliver a talk at Yale.

I was furious. The provocation for the gentle questioning was, I learnt later, my walking up and down the aisle of a train, certainly a legitimate and innocent act, during the journey from Boston. This was to go to the loo and also in search of a cup of coffee!

A passenger, who considered my behaviour odd and possibly got frightened, had tipped off the police by cell-phone!

I was amused how I was being profiled! But then this demonstrated how all of us could react in panic. This applies equally to computer security experts many of whom lose their nerve the moment they see unusual activity in cyberspace.

There is a strong school that considers the entire plea for more security as hogwash. In support, it cites the false alarms that are now so much a part of security. (My New Haven experience is relevant here.)

Take, for instance, the alerts that an IDS sends. Once the alerts become too frequent, as in the present turbulent times, certain lethargy and indifference sets in, which negates the whole rationale of spending on security.

This is why many individuals and corporations are hesitant to step up security budgets and are prepared to live with trade-offs. This is the theme that runs through Beyond Fear.

The key is how can we manage fear and what are the sensible precautions we can take? When we read Schneier along with his earlier work Secrets and Lies, we find a strong case for moderation in responding to fears about security, both in the real and virtual world.

To put in simple terms, risk taking is the name of the game. Extreme trade-offs like banning all commercial flights after a hijack or a mid-air collision and barring most Web sites just because they could inject viruses into your system are a juvenile reaction to possible threats.

Schneier draws a clear distinction between `real threats' and `perceived threats'. Providing for what is theoretically possible or securing ourselves against a one-time horrendous experience of aircraft being used to bring down buildings, would be not merely costly.

Such paranoia could lead to ludicrous situations — such as stripping every passenger who got on to your aircraft (whereby you can lose all your business) or barring access to the Internet in your home or office computer just because children or employees are prone to browse pornographic sites!

In the final analysis, sensible security is a blend of realism and prudence. As Schneier would say, what we can do as precaution should focus on accidents.

This is because we can do only much less when someone is determined to attack us. Is this being defeatist? Does it cut at the roots of the whole concept of security as we know it? I leave the answers to my dear readers.

The writer is a former CBI Director who is currently Adviser (Security), TCS Ltd.

Article E-Mail :: Comment :: Syndication :: Printer Friendly Page

Right Florists

Stories in this Section
Wait, there's more coming

What's brewing?
Want a different view?
Unable to browse Internet
Safety tips
Incomplete installation
From lab to customer
A CEO thinks aloud
Not as big as it seems
Panic moves won't pay
Unfair lift-off
Quiz
Mobilise - strategically
Cartoon

The Hindu Group: Home | About Us | Copyright | Archives | Contacts | Subscription
Group Sites: The Hindu | Business Line | The Sportstar | Frontline | The Hindu eBooks | The Hindu Images | Home |

Copyright © 2005, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line