I got a letter the other day from Time Warner, where I briefly worked some years ago. It was a sincere-enough-sounding note just to let me know that the guys in the data center may have inadvertently let my Social Security number and other private information fall into unknown hands. No need for me to take it personally—the company had done the same thing to some 600,000 present and past employees when it lost a boxful of backup tapes from a truck.
Companies seem to be surrendering a lot of valuable data these days to hackers and other miscreants, at least when they're not busy fending off the latest crippling virus or worm. What can you do about it? I'm not going to give you the standard lecture on the importance of protecting your computers. I bet you're a little tired of hearing that sort of thing. Instead, I'm going to tell you something different about computer security—something you won't hear from vendors, IT whizzes, or even security professionals. You're not going to like it, but you need to understand it.
First, a little background: In 1992, a troubled, profoundly untalented young hacker known as Phantom D managed to tear through at least 1,000 computer systems over the course of a year, including those at military weapons research laboratories, leading computer vendors, and ATM networks. I know a thing or two about the case because journalist Charles C. Mann and I wrote a book about Phantom D in 1997. What we learned at the time from some of the world's leading security experts was that breaking into even the most sensitive sites on the Internet was a cinch—so easy that anyone with time on his hands could do it. Our prediction: The situation wasn't going to get better. Indeed, it would probably get worse—no matter how much effort people made to stem the tide.
This is not the sort of thing that Web surfers and corporations want to hear, and the computer-security community all but conspires to oblige them. Think about it: If you're a security consultant, a corporate IT honcho, or a law enforcement official paid to make computing safe, how quick are you going to be to shout from the rooftops that there's no way to get the job done? For that matter, how willing are you to accept this fact yourself?
Which brings me back to Time Warner. There's no need to pick on the media giant; it's been in great company in recent months, most recently CardSystems Solutions, where a hacker attack in June exposed 40 million credit cardholders to a risk of fraud. Bank of America, Wachovia, ChoicePoint, and LexisNexis also have been stung recently.
People read these stories and shake their heads over the lax security at the target companies. It may even make you think about calling up your IT director and beefing up your own company's computer security. But that reaction is part of the problem. The fact is, companies like Time Warner and Bank of America have been doing a pretty good job of meeting or exceeding industry standards for protecting their computer systems and data. And it's not like IT bosses everywhere else are asleep at the wheel. Barry MacQuarrie, the CIO for Xpitax, a tax outsourcing firm in Braintree, Mass., notes that security consistently ranks as the top priority in surveys of accounting industry CIOs. "We have three levels of passwords, we filter all e-mail twice before it reaches our firewall, and we run antivirus on everything internally," MacQuarrie says.
So do plenty of other firms. And yet the hackers keep getting inside, the viruses continue to rage, and data disappears. What's the problem? The world's faith in the holy trinity of computer security—firewalls, intrusion-detection systems, and antivirus software—is misplaced. Jim Settle, the former head of the FBI computer-crime squad and now a computer-security consultant in Haymarket, Va., offers this assessment: "They don't work. Duh. Sure, they'll keep out casual hackers who get discouraged easily or don't have the latest tools, but that's about it." Settle is often hired to test computer-security systems by trying to break in, usually just after a few million dollars' worth of state-of-the-art security software has been installed. In nearly 50 efforts, he's never failed to get inside, and only once was he even detected.
Managers ask the question: Is our data safe? In fact, there's really no need to wonder about that. Any savvy, experienced, and honest security expert can give you the answer—without knowing a thing about your company's systems. No, your data is not safe. And here's that thing I promised you wouldn't want to hear: There's nothing you can do about it.
Why? First of all, the very thing that makes the Internet so useful, exciting, and transformational—it connects everyone to everyone else, it's anonymous, and it's controlled by no one—is what makes it so easy for some jerk in Latvia to hook into your PC in Topeka. Completely protecting a network would require anticipating an essentially infinite number of techniques that might be used to break in; hackers, on the other hand, need to discover only one. What's more, when security experts discover a new vulnerability, they usually try to keep it a secret, for obvious reasons, which hampers the development and distribution of fixes. Hackers, by contrast, not only share information freely, they also widely and immediately distribute tools that automate the hacking process so any of a vast army can join in on the fun. You could hardly design a more hospitable environment for hackers if you tried.
That's not to say you can't lower your risks slightly. One cheap and easy technique is to encrypt everything on your network. It will slow performance, and it won't keep hackers from stealing your data, but any lost data will be scrambled and worthless. Another technique is to enforce a draconian password policy—reject any password that's a name or a word, even if spelled backwards; force password changes every 30 days; make it a serious offense to write down a password in the workplace.
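The password rules described above (reject names or dictionary words, even spelled backwards, and force a change every 30 days), as an added example that is not part of the original column. The short word list is a constructed stand-in; a real deployment would load a full dictionary and name list.

```python
import datetime as dt

# Constructed stand-in for a real dictionary/name list (assumption: a site
# would load a complete wordlist here).
FORBIDDEN_WORDS = {"password", "summer", "topeka", "michael", "dragon"}
MAX_PASSWORD_AGE_DAYS = 30


def _alphabetic_core(password: str) -> str:
    """Keep only letters, lower-cased, so 'Summer2005!' still matches 'summer'."""
    return "".join(ch for ch in password.lower() if ch.isalpha())


def violates_word_rule(password: str) -> bool:
    """True if the letters in the password spell a listed word, forwards or reversed."""
    core = _alphabetic_core(password)
    if not core:
        return False  # no letters at all, so nothing to match against the list
    return core in FORBIDDEN_WORDS or core[::-1] in FORBIDDEN_WORDS


def is_expired(last_changed_iso: str, today_iso: str) -> bool:
    """True once the password is MAX_PASSWORD_AGE_DAYS or more days old (ISO dates)."""
    last_changed = dt.date.fromisoformat(last_changed_iso)
    today = dt.date.fromisoformat(today_iso)
    return (today - last_changed).days >= MAX_PASSWORD_AGE_DAYS


def check_password(password: str, last_changed_iso: str, today_iso: str) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    reasons = []
    if violates_word_rule(password):
        reasons.append("name or dictionary word (forwards or reversed)")
    if is_expired(last_changed_iso, today_iso):
        reasons.append("older than %d days" % MAX_PASSWORD_AGE_DAYS)
    return reasons


if __name__ == "__main__":
    # Constructed sample: a reversed dictionary word set on a stale date.
    print(check_password("nogarD99!", "2005-05-01", "2005-07-15"))
```

Forced 30-day rotation reflects 2005 practice; current NIST SP 800-63B guidance drops periodic rotation in favor of screening new passwords against breached-password lists.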
Of course, even if you did all this and more, someone in your company could still cough up a password in response to an e-mail from a skilled "phisher," or take work home on a disk and get hacked on his home computer, or simply lose a laptop computer full of sensitive data—like the laptop lost by a Virginia travel agency in May containing account information on 80,000 Justice Department employees.
I think the smartest move is simply to accept the excellent chances of getting hit, no matter how safe anyone tells you your network is. That will get you thinking about what kind of data you collect, how long you keep it, and what you'll say to employees and customers if it's lost. If your computers contain any account information, documents, or e-mail that could, in the wrong hands, bring down your company, then you're sitting on a time bomb. Unless, that is, you're pretty sure you can do a much better job of protecting data than the U.S. government has in protecting the top-secret nuclear weapons information on its computers.
Meanwhile, do me a favor, will you? If someone whispers to you that he wants to sell you something that fell off the back of a truck, let me know—it could be my Social Security number.