Web edition: August 29, 2008
Eugene Spafford is executive director of Purdue
University’s Center for Education and Research in Information Assurance and
Security, one of the world’s leading centers for information security. His
research focuses on issues related to securing computers, networks and their
data against criminal activities and failures. He has testified before various
congressional committees, advised agencies within the executive branch and
worked with the
You’ve been tracking computer security breaches for 30 years. What trends have you seen over that time, and what new problems are emerging?
The change in the computational environment has led to changes in what we’ve seen as “incidents.” In the 1990s, most of what we saw as “untoward behavior” was neither malicious nor criminal. Some of it came from individuals who were new to the Internet and didn’t have a complete handle of what it was they were doing. Others — the classic hackers — did it for bragging rights or to prove to others their skill.
We’re now seeing a tremendous amount of criminal fraud perpetrated through the Internet, and much of it organized with an international reach. Things like credit card fraud and phishing for identity theft fall into this category. We’re also seeing greater sophistication in … theft of intellectual property and information by trans-national organizations and governments. Here we’re talking about the invasion of corporate and government machines to steal advanced designs, or to extract political and personal information.
Who’s policing the Internet and how is that being done?
It isn’t, and that’s part of the problem. I’ve been working with some law enforcement agencies trying to track down fraud that appears to be coming from other countries. Some of it may be originating in those other countries, but some of it may be originating down the street where somebody is using a computer in another country as a way of hiding their participation.
Whichever is the case, traditional law enforcement is strongly bound to physical national boundaries. These distinctions really don’t exist on the Internet, so that makes law enforcement by local agencies very difficult.
What action needs to be taken to make information more secure?
As a society, we haven’t been particularly willing to pay the extra required to actually build in good security. In addition, we’ve been very forgiving of the flaws and incidents that have occurred. For security to get better, both of those things need to change.
In some cases, we’re using systems and protocols that were never really designed to be secure. E-mail, for example, evolved as a means of sharing and was designed before there was commercial use of the Internet. Spam and phishing — e-mail that looks like it came from your bank or some other known source — are examples of ways that criminals can exploit weaknesses in the system to get information from users. We have to find ways to increase accountability, authenticity and attribution without doing away with some of the freedom of expression that is part of the benefit of having the Internet.
The probable direction we’re going to have to go in is to build very robust, highly protected enclaves, or protected systems of computers.
How vulnerable are the computers that we use at work and at home?
In the worst case, the systems have already been taken over by the bad guys through the use of botnets or spyware, and the owners of the systems don’t know it.… The software gets inserted automatically into someone’s system and is under the control of a remote operator.… These programs can be used to steal information or to disable a system.
What challenges lie ahead?
We now have a more global network, so we see a lot more individuals with a broad range of ideologies and motives. As the use of the network spreads, we encounter more and more users whose cultural outlook and political and economic motivations differ from our own.
This gives rise to some challenges. For example, where some
people might view the ability of the citizens in
Right now, we have a lot of people who aren’t thinking globally when they put things out online. As computers get smaller and phone networks converge with the Internet, so that everyone’s walking around with a connection in their purse or on their belt, it will just further add to the concerns we have.