The Changing Business and Government Environments


Many of the changes in the world environment are the basis for the rapid shifts in the way we do business, both nationally and internationally. Businesses can, and do, adapt to these changes quite rapidly. However, in government agencies, these changes come more slowly, and sometimes threaten the agencies' very existence. For example, a day may come in the not-too-distant future when the post offices of the world will be unnecessary. E-mails may take the place of letters even for the poorest people of the world, as they will have access to Internet networks. As for packages, commercial firms such as DHL, FedEx, and UPS have already been providing that service for some time.

Clear examples of these changes are the "global marketplace," as well as business-to-business networks (b2b), electronic commerce, electronic business, and the like.

Massive, growing networks such as the Internet, NIIs, and GII are adopted, and must continually be adapted, by businesses if they are to maintain a competitive advantage—or at least compete—in today's marketplace. As an ISSO, you must find ways to facilitate such growth in a secure and yet invisible manner. That is a challenge for all of us in the profession. As an ISSO, if you try to slow down this phenomenon, you will be run over by "progress" and will soon be updating your resume. Business comes first, and if you don't provide a professional InfoSec service that supports and enhances the business, what good are you? After all, business is about profits—and remember, you are a "parasite" on the profits of most companies, since your function is identified as an overhead cost.

As an overhead cost, you do not have direct, hands-on experience in building your company's widgets, for example. Yeah, yeah, yeah, we all have tried to explain that without InfoSec and us as professional ISSOs, companies can lose their business and their competitive edge through loss of trade secret information, etc. However, the bottom line is that it appears that most of today's business executives are in it for the short term, not the long term. Their concern is the "bottom line" for the next quarter to one year. They can easily terminate an InfoSec program and take their chances by having auditors audit for compliance with laws and policies and recommend InfoSec policies that information technology (IT) people can write. Then they can just buy insurance to cover any potential losses. So, as today's ISSO, you must do a better job of making yourself part of the "company team" and finding ways to provide value-added and integral services to the company.

In the private sector, telecommunications businesses have become Internet providers. As we look into the future, we see more and more people making use of the long-distance voice telephone capabilities of the Internet, at very little additional cost. Perhaps one day the need for a separate telephone in the home or office, as we now know it, will be a thing of the past.

Speaking of Internet service providers (ISPs), let's take a moment to look at this new business born out of the Internet and see how well it is supporting InfoSec and InfoSec standards. [2]

For some reason, one of the least talked about InfoSec-related topics is InfoSec applied to ISPs. Well, it's about time there were more discussions on this topic and something done to enhance their InfoSec—and by the way, all you ISPs, please don't even mention self-policing! You had your shot at that and did little if anything to protect our information, our privacy!

First, a little history of how we got to where we are: The Internet was born in the 1960s and arose out of projects sponsored by the Advanced Research Projects Agency (ARPA) in the United States. It was originally a project to facilitate the sharing of computer resources and enhance military communications. As the Internet was maturing, there were conflicts between the "haves" who had the use of the Internet and the "have-nots" who did not. The haves were computer scientists, engineers, and some others. They argued that the Internet should not be made available to the public. Well, they lost that battle, especially after the business sector found out what a lucrative marketing and public relations tool the Internet could be for reaching potential customers, suppliers, etc. Thus, the ISPs were born.

From that time until now, the Internet has rapidly grown from an experimental research project and tool of the United States government and universities to the tool of everyone in the world with a computer. It is the premier global communications medium. With the subsequent development of search engines and of course, the World Wide Web (Web), the sharing of information has never been easier. For example, Google.com states that they search more than 3 billion Web pages!

Using the Google search engine, I searched for "Internet service providers" and got 1,330,000 hits in a search that took, according to Google, 0.20 seconds! Through a process of elimination, I then clicked on Google's Web Directory and got 16 ISP categories. I clicked on the Business category and got 49 categories, one of which was Internet and had 11,930 hits. Clicking on Access Providers, I got 721 hits. That led me to AOL (46); By Region (343); Cable (30); CompuServe (6); Cooperatives (6); Directories (17); DSL (121); Free Internet Access (18); Resources for ISPs (56); Reviews (41); Unix Shell Providers (72); and Wireless (41). Clicking By Region (343) I found Africa (8); Asia (9); Caribbean (1); Central America (5); Europe (41); Middle East (3); North America (263); Oceania (2); and South America (2).

In other words, there are many, many ISPs operating and connected all around the globe. We all should know by now that our e-mails don't go point-to-point, but hop around the Internet, where they can be gleaned by all those with the resources to read other people's mail, steal information in order to commit crimes such as identity theft, collect competitive intelligence information, etc.

So, what's the point? The point is that there are ISPs all over the world with few regulations and absolutely no InfoSec standards. So, some ISPs may do an admirable job of protecting our information passing through their systems while others may do nothing. Furthermore, as we learn more and more about Netspionage (computer-enabled business and government spying), we learn more and more about how our privacy and our information are open to others to read, capture, change, and otherwise misuse. In addition, with such programs as SORM in Russia, Internet monitoring in China and elsewhere, global Echelon, and the U.S. FBI's Carnivore (still Carnivore no matter how often they change the name to make it more "politically correct" or try to "hide" it from the public), we might as well take our most personal information, tattoo it on our bodies, and run naked in the streets for all to see. Although that may be a slight exaggeration, the point is we have no concept of how well ISPs are protecting our information.

Now, we are quickly expanding into the world of instant messaging (IM) through ISPs. After all, the more rapidly our world changes, the more rapidly we want to react, and we want everything—now! IMICI.com's Web site stated that they expect more than 200 million users sending 2 trillion messages per year by 2004. They state that IM is the fastest growing Internet technology. Furthermore, it can be used to transfer files and send graphics, and unlike the telephone and normal e-mails, with IM one knows whether or not the person being contacted is there. Interesting ramifications—check to see if a person is online; if not (after already setting up a masquerade or spoof), take over that person's identity and contact someone posing as the other—instantly. Of course, there are perhaps hundreds, if not thousands, of examples of ISPs being penetrated or misused. Around November 1995, for example, The Wall Street Journal ran a story entitled "America Online to Warn Users about Bad E-mail." We all know about the basic issues of viruses and other malicious code also being sent via ISPs. So, the problem has existed for quite some time.

I asked a couple of trusted InfoSec professionals about a portion of this topic—a basic InfoSec requirement, audit records: Did they know of federal or state laws in the United States requiring ISPs to keep audit records of e-mails and/or of chat room sessions? One person who leads a major InfoSec effort for a billion (probably trillion)-dollar corporation said: "Nope, there have been attempts to do so that met with much opposition." Steve Lutz, an international InfoSec consulting leader who runs an ISP and the highly successful WaySecure (waysecure.com) consulting firm said:

On the flip side of that, I have had great success in getting ISPs to turn over audit records, e-mails, etc., in the course of an investigation simply by asking. The problem is that the quantity and quality of data varied widely. Some of them had logging enabled on nearly every device with exceptional detail available. Others just had the basics (minimal logging) or even less. At the ISP I am president of, we have an elaborate logging system (including capturing ANI data on dial-in subscribers and correlating it to subsequent activities by that user (entity)) with the ability to generate a report of cross platform/network activities. The reason we developed such a paranoid system was that we formerly hosted the web and e-mail servers for 2600, the hacker quarterly. We were barraged hourly with people from all over the world looking to break in and claim they had hacked the premier hacking web site . . . there have been several attempts to do so that failed. One of the problems is that additional logging costs money (more disk space) and time (slower performance). The other is that (unlike telcos, radio stations, television stations, etc.) ISPs do not have to be licensed to operate. If they were, then the FCC could require minimum standards for security, privacy and log collection and retention. ISO 17799 would be a good place to start to look for guidance as to what would be considered "best practices" as it could then be applied worldwide.
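What the kind of correlation Mr. Lutz describes involves, as an added illustration that is not from the book or from his ISP: dial-in accounting records carry the caller's ANI and the pool address assigned to the session, while mail and web logs carry only a source IP, so attributing an event to a subscriber means matching on IP within the session's time window. The record formats and log lines below are constructed for the example, and the reuse of one pool address by two callers shows why the time window, not the IP alone, must decide.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample data (hypothetical formats, not any real ISP's logs).
# Dial-in accounting: start, end, username, assigned pool IP, caller ANI.
DIALIN_SESSIONS = """\
2002-03-01T08:00:00,2002-03-01T09:30:00,alice,10.0.0.5,+15550100
2002-03-01T09:45:00,2002-03-01T10:15:00,bob,10.0.0.5,+15550199
"""
# Activity from other platforms (mail relay, web proxy), keyed only by source IP.
ACTIVITY_LOG = """\
2002-03-01T08:10:00,smtp,10.0.0.5,MAIL FROM:<alice@example.net>
2002-03-01T09:50:00,http,10.0.0.5,GET http://example.net/
2002-03-01T11:00:00,http,10.0.0.5,GET http://example.org/
"""

@dataclass
class Session:
    start: datetime
    end: datetime
    user: str
    ip: str
    ani: str  # Automatic Number Identification of the calling line

def parse_sessions(text):
    rows = (line.split(",") for line in text.strip().splitlines())
    return [Session(datetime.fromisoformat(s), datetime.fromisoformat(e), u, ip, ani)
            for s, e, u, ip, ani in rows]

def parse_activity(text):
    events = []
    for line in text.strip().splitlines():
        when, system, ip, detail = line.split(",", 3)
        events.append((datetime.fromisoformat(when), system, ip, detail))
    return events

def correlate(sessions, events):
    """Attribute each event to whichever session held its source IP at that instant.
    Pool addresses are reused, so an IP match outside the session window is ignored.
    Returns (per-user report with ANI, list of events no session can explain)."""
    report, unattributed = {}, []
    for when, system, ip, detail in events:
        owner = next((s for s in sessions if s.ip == ip and s.start <= when <= s.end), None)
        if owner is None:
            unattributed.append((when, system, ip, detail))
            continue
        entry = report.setdefault(owner.user, {"ani": owner.ani, "events": []})
        entry["events"].append((when, system, detail))
    return report, unattributed

def build_report():
    return correlate(parse_sessions(DIALIN_SESSIONS), parse_activity(ACTIVITY_LOG))
```

The third event falls after both sessions ended, so it stays unattributed rather than being pinned on the last holder of the address; a report that silently assigned it would name the wrong subscriber.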

Using an Internet search engine, I found others that were also concerned about InfoSec standards for ISPs. One such group (ftp://ftp.isi.edu/in-notes/rfc3013.txt) is looking into what should be the "Best Current Practices" for ISPs. They have an excellent document online and have invited readers to comment. This "Network Working Group" document, according to them, is to "raise awareness among ISPs of the community's expectations, and to provide the community with a framework for discussion of security expectations with current and prospective service providers." I suggest you check out this document and get involved in pushing for some standards across the entire spectrum of ISPs—everywhere in the world.

Let's close with a recent example in the United States that makes the need for InfoSec standards clear. In December 2000, the U.S. newspaper The Detroit News, and subsequently CourtTV (a U.S. cable television channel), discussed a murder case: The defendant "loved the nation's Internet because it allowed her to be different people. Prosecutors claim one of them turned out to be a killer.... In what is being dubbed the nation's first Internet-related murder, the chat-room regular is accused of sweet-talking her online lover into murdering her husband with a shotgun blast. ..."

The investigation led to information from the killer's computer, but none was allegedly found on the defendant's computer. They of course used an ISP to communicate through the chat room and e-mails. Information about the case did not mention whether or not investigators tried to obtain records from the ISP. If they did and were successful, it certainly would have helped in the investigation. However, we don't know. For the sake of discussion, let's say that there was no evidence found on the killer's computer or the defendant's computer, nor were there any hardcopy documents related to the crime. In that case, the only evidence to corroborate other noncomputer evidence would come from the audit records of the ISP. Since no laws require the ISP to keep such records, or, if records are kept, how long they must be retained, it is quite possible the murderer and co-conspirator would have literally gotten away with murder. If records were available and obtained by the investigators with a proper search warrant, they would have assisted in proving or disproving the allegations of murder, and thus helped convict murderers or helped ensure that innocent people are not convicted of crimes they did not commit.

So, as one can see from this simple example, ISP InfoSec standards and requirements can matter in life-or-death situations, a strong counterargument to the protests of the ISPs that they don't have the resources, etc., etc. We have heard those cries and complaints from others who hold our privacy and protection in their hands. Isn't it about time that all of us who use ISPs, probably a few hundred million by now, demand that they start doing what is ethically and morally the right thing to do?

The Internet and ISPs have matured enough that their customers—all of us—should demand such protection. After all, as Mr. Lutz pointed out, telcos, television networks, and radio stations, just to name a few, are monitored and regulated. They must meet certain standards. So, why not ISPs?

So, what do you think? Should ISPs be regulated? Should there be some minimum InfoSec standards or requirements that every ISP must meet? Let your ISP and politicians know what you think. After all, we are all in this together, not only as InfoSec professionals representing government agencies and corporations whose networks are connected to the Internet and thus to ISPs, but also as Internet citizens.

ISPs must be required to meet certain InfoSec standards in order to ensure our privacy.

This issue is important to the ISSO because many of the verbal conversations that may take place through the Internet will be sensitive, proprietary business or government information. As the ISSO, you have the responsibility to ensure that these conversations can be carried on securely.

Anyone who is currently an ISSO and dealing with the problems of the Internet's InfoSec knows that compounding that InfoSec problem with the protection of verbal communications on the Internet would make one want to retire early! At the same time, it offers the ISSO new, unique challenges—and to a certain extent, maybe a little more job security.

One does not have to look far to see the vital need for an InfoSec program in corporations and government agencies that also protects the privacy of individuals whose information is stored, processed, and transmitted by these systems.

[2]Previously written by the author under the name Shockwave Writer and published by Reed Elsevier in their magazine Computer Fraud & Security (2002), as the article "Internet Service Providers and InfoSec Standards."

The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program
ISBN: 0750698969
Year: 2002
Pages: 204