Despite repeated warnings, US computer systems remain vulnerable to cyber attacks, according to a report released on Tuesday.
Cybersecurity Today and Tomorrow found that, while the threat of malicious attacks has increased, security precautions available for years are still not being implemented.
The report, produced by the Computer Science and Telecommunications Board (CSTB), which has been warning of computer security flaws for over 10 years, said that its advice has gone unheeded.
"Even without any new security technologies, much better security would be possible today if technology producers, operators of critical systems, and users took appropriate steps," the report said.
The problem, according to the CSTB, stems from the cost of deploying security which, by its nature, is only of value if an attack is known to have occurred. This means that "people tend to use as little [security] as they think they can get away with", the report argued.
But short-term cost should not be a factor, said Herbert Lin, senior scientist at the CSTB, and one of the authors of the report. "You either pay now or potentially pay a great deal more later. It's a gamble," he explained.
Some estimates put the cost to US corporations of cleaning up damage from computer viruses at around £8.5bn ($12.3bn) last year. That figure has been forecast to rise in 2002.
The increasing cost of, and focus on, computer security have led some analysts to maintain that chief information officers (CIOs) are increasingly likely to be held accountable for security breaches.
Lin explained that he welcomed that trend. "It is a good thing that jobs should be on the line over security. We won't know if security is really being taken that seriously until we start seeing CIOs fired over breaches," he said.
According to the report, operational security can only be maintained by systematic and independently conducted 'red team' attacks and the correction of the defects they reveal.
Red teams are independent security specialists hired to try and find the security flaws in any system by first breaking into the system.
The report also recommends that vendors of computer systems start providing well-engineered methods for user authentication, employing hardware tokens, such as a smart card, instead of the weaker password systems.




