U.S. computer systems are increasingly vulnerable to cyber attacks, partly because companies are not implementing security measures already available, according to a report released Tuesday.
"From an operational standpoint, cybersecurity today is far worse than what known best practices can provide," says the Computer Science and Telecommunications Board, part of the National Research Council. "Even without any new security technologies, much better security would be possible today if technology producers, operators of critical systems, and users took appropriate steps."
Experts estimate U.S. companies spent about $12.3 billion to clean up damage from computer viruses in 2001. Some predict viruses and worms could cause even more damage in 2002.
The report says a successful cyberattack on the U.S. air traffic control system in coordination with airline hijackings like those seen on Sept. 11 could result in a "much more catastrophic disaster scenario."
To avert such risks, the panel urged organizations to conduct more random tests of system security measures, implement better authentication systems and provide more training and monitoring to make information systems more secure. All these measures are possible without further research, it says. Investments in new technologies and better operating procedures could improve security even further, it adds.
Herbert Lin, senior scientist at the board, says information technologies are developing at a very rapid rate, but security measures have not kept pace. In fact, Lin says, recommendations for improving security made by the panel a decade ago are still relevant and timely.
"The fact that the recommendations we made 10 years ago are still relevant points out that there is a real big problem, structurally and organizationally, in paying attention to security," he says. "We've been very frustrated in our ability to get people to pay attention, and we're not the only ones."
Use Tokens, Not Passwords
Increased security concerns after the Sept. 11 attacks on New York and Washington could provide fresh impetus for upgrading computer security, Lin says.
But he warns against merely putting more federal funds into research, noting that it is essential to implement technologies and best practices already available.
"The problem isn't research at this point," Lin says. "We could be so much safer if everyone just did what is possible now."
For instance, the report notes that passwords are the most common method used today to authenticate computer users, despite the fact that they are known to be insecure. A hardware token, or smart card, used together with a personal identification number or biometrics, would provide much better security for the computer system, the report says. The report urges vendors of computer systems to provide well-engineered systems for user authentication based on such hardware tokens, taking care to make sure they are more secure and convenient for users.
In addition, it says vendors should develop simple and clear blueprints for secure operation and ship systems with security features turned on so that a conscious effort is needed to disable them.
One big problem is the lack of incentives for companies to respond adequately to the security challenge, the report says. It says one possible remedy would be to make software companies, system vendors and system operators liable for system breaches and to mandate reporting of security breaches that could threaten critical social functions.
Copyright 2000 Reuters Limited. All rights reserved.