Computer Security

7372

7379

INDUSTRY SNAPSHOT

As businesses, individuals, governments, and institutions grow into an increasingly interconnected web of computer networks, computer security has become a rapidly growing concern in the twenty-first century. By the middle of the century's first decade, an inestimable volume of crucial transactions—financial and otherwise—were transmitted over the Internet and other networks every day, and the effects of a disruption to any one of these networks threatened to ripple through the wider economic and social fabric.

Heading into the second half of the decade, information was among the most valued assets a company could claim. As such, the protection of that information was of primary concern to owners and managers, who eyed, with worry, reports of the damages stemming from data theft. During that time, some reports estimated the costs of data theft were more than $10 billion annually.

Internet-based fraud, sophisticated viruses, illicit network access, and computer-network-based sabotage were among the industry's chief enemies. Worms, viruses, malicious code, security breaches, and cyber-attacks grew stronger and more sophisticated each year, with no end in sight. Providers of computer security software and services found themselves in a sort of arms race with hackers, online thieves, and others seeking to invade or disrupt the operation of computers and networks. Moreover, following the security shock of the terrorist attacks in New York and Washington, D.C., on September 11, 2001, intelligence reports revealed the burgeoning interest among terrorist groups in computer networks in the United States. Thus, computer and network security measures were increasingly folded into broader national security efforts, including measures embedded in the Homeland Security Act.

According to the 2005 CSI/FBI Computer Crime and Security Survey, conducted by the Computer Security Institute (CSI) and the San Francisco Federal Bureau of Investigation's (FBI) Computer Intrusion Squad, computer crime cost organizations more than $130.1 million in 2005 alone. At nearly $42.8 million, viruses caused the greatest dollar loss, followed by unauthorized computer access ($31.2 million), and theft of proprietary information ($7.3 million). However, these figures only tell part of the story. In a separate survey of 2,000 public and private organizations, the FBI revealed that 10 percent of known attacks were not reported to authorities.

While the impact of computer security breaches at the organizational level is significant, consumers also suffer substantial losses—especially in the case of cyber scams. In its April 3, 2006 issue, Business Week Online cited a report from the research firm Gartner indicating that financial losses related to the theft of personal or financial information totaled $1.5 billion in 2005, up from $690 million in 2004. Heading into the later years of the decade, computer criminals were becoming more sophisticated, using blackmail and other psychological tactics to trick individuals into releasing money or financial information. Such non-technical methods made the job of security professionals harder than ever before.

ORGANIZATION AND STRUCTURE

The field of computer security is extremely diverse and thus opportunities are abundant for those with a wide range of skills. There are three main levels of computer security: physical, software, and administrative controls. Each level is addressed by a different specialist using different skills.

Physical security addresses problems such as fire, theft, sabotage, and malicious pranks. Systems analysts and security officers can address these types of problems.

Software security involves factors such as accidental disclosures caused by partially debugged or poorly designed programs and active or passive infiltration of computer systems. Active infiltration includes such activities as using legitimate access to a system to obtain unauthorized information, obtaining identification to gain access through improper means, or getting into systems via unauthorized physical access. Passive infiltration includes activities such as wiretapping on data communications lines or databases and using concealed transmitters to send or retrieve data in central processing units, databases, or data communications lines. People involved in software security include analysts, network administrators, programmers, auditors, and security officers.

Administrative controls involve issues such as controls on personnel for fraud protection, controls on sensitive programs, security of remote terminal access, software security, and file reconstruction capability. Auditors, programmers, systems analysts, security officers, and network administrators are involved in addressing the development and implementation of administrative controls.

While different specialists often address all of these security issues, the need for multilevel controls is increasing as the number of computers grows, one more indication of the continuing demand for additional computer security. The industry will no doubt grow to accommodate the problem.

Most applications and systems software (Web browsers, e-mail programs, operating systems, databases, and the like) have historically provided only rudimentary security at best and are often vulnerable to devastating attack or misappropriation. While security in ordinary desktop applications is improving, computer security companies market a diverse range of products and services to help users withstand such intrusions and to combat fraud, sabotage, and other unauthorized uses of computer resources. These consist of security consulting services; virus detection software; firewall hardware and software; encryption software; intrusion detection and analysis software; and specialty devices for user authentication (biometrics, voice recognition).

Computer Security and the Law

One of the unique aspects of the computer security industry is its connection to the criminal justice system. Many of the activities computer security deals with are illegal. Thus, these activities fall under the broad heading of computer crime.

There are three primary areas of computer crime: data security and integrity, national security threats, and protection of software copyright. Currently, there is a technological gap between the criminal justice system and the enforcement of laws designed to prosecute computer criminals. This lag opens the door for more computer security experts among attorneys, law enforcement agencies, the military, and government organizations.

In August 1998, the nation's top anti-terrorism chief discussed the threat of computer warfare that could cripple the United States. Potential targets included banks, airports, stock markets, telephones, and power suppliers. Richard Clarke, the first national coordinator for security, infrastructure protection, and counter-terrorism, proposed backup plans and vigilance to foil a coordinated multi-pronged attack from a foreign military, terrorist, or intelligence group.

On the legislative front, the controversial Cyberspace Electronic Security Act, under consideration since 1998, was finally passed by the Senate as an amendment to the Homeland Security Act in November 2002. The bill, a counterpoint to the Clinton administration's easing of encryption software exports in 1999, gave law enforcement new powers to access encrypted information and conduct electronic searches. In 2003, the White House augmented this legislation with its National Strategy to Secure Cyberspace, which listed a series of recommendations to businesses and network administrators detailing needed system improvements and strategies. In addition, in the wake of the e-commerce explosion, a slew of privacy, data integrity, and other federal and international computer security laws and regulations sprang up to enforce minimum security standards to protect the flow of information through and between industries and networks.

BACKGROUND AND DEVELOPMENT

Computers for commercial use date back to the 1940s. Since that time, computers have evolved from gigantic board-wired, cathode-ray-tubed, card-deck-operated machines that literally filled climate-controlled glass houses into desktop machines that are many times more powerful than their larger predecessors.

By the 1990s, people in every walk of life were using computers to perform a variety of tasks ranging from mixing recipe ingredients to desktop publishing. In many cases, they were tied into networks such as wide area networks, local area networks, and the Internet. The increasing reliance on networks has created a greater demand for security since networks allow for more opportunities to compromise files and databases.

Businesses in particular have been using more powerful computers for every function possible. Naturally, the almost infinite growth in data processing has led to computer-related problems such as crime...
