CONCLUSIONS

The federal government can report in exacting detail the number of bank robberies committed in any given year. But when it comes to computer crimes against government agencies, it’s close to clueless.

Government officials estimate that only 20% of such incidents are being reported because individual agencies either don’t have the technical sophistication to discover the crimes or want to keep bad news quiet. It’s for those reasons that the 155 root compromises of federal computers reported in 2000 likely represent a fraction of the actual number.

Computer compromises are a serious issue. Agencies fear the unwelcome attention computer crime reports bring and often lack the money and tools needed to detect IT security breaches.

In addition, there’s an ingrained reluctance on the part of agencies to work together to combat computer crimes. There is no culture of collaboration in the federal government.

During the first three months of 2001, the Federal Computer Incident Response Center (FedCIRC), the government’s central crime data repository, recorded 55 root compromises at civilian nondefense federal agencies, which put it on pace to exceed the year 2000’s total. That would result in an increase in the number of such intrusions for the third straight year.

A root compromise occurs when an intruder gains systems administration privileges on a network, giving the attacker the ability to do things such as copy documents, alter data, or plant malicious code. Still, security analysts said it’s impossible to gauge just what the first-quarter increase recorded by FedCIRC (http://www.fedcirc.gov/) means. FedCIRC doesn’t know whether they’re seeing a change in the rate of reporting, the rate of detection, or the rate of penetration.

For its part (prior to the 9-11 attacks), the Bush administration had begun to take steps to improve compliance by federal agencies in reporting and responding to security breaches, including a recommendation that FedCIRC’s annual funding be boosted 38%, from $8 million to $11 million. Agencies are already required by law to report breaches to FedCIRC as a result of the Government Security Reform Act approved in 2000.

Federal agencies have repeatedly been faulted by the General Accounting Office for poor security practices—the 9-11 attacks and the recent issuance of educational visas to the dead terrorists have bore that out. The GAO has conducted penetration testing against various government systems. For example, it said in a report recently released that it found significant security weaknesses at all of the 24 agencies where it conducted audits of IT security readiness. Improving security procedures needs to be a priority within the Bush administration, and from some of the early indications in the budget, it is going to be.

Cost of Computer Crime Exploding

According to results of the 2002 Computer Crime and Security Survey recently released, intellectual property theft and security breaches are on the rise while the costs of those intrusions are skyrocketing. Conducted by the Computer Security Institute of San Francisco and the FBI, the survey of 649 security administrators from industry, government, and academia shows that 86% of respondents reported security breaches in 2002’’s survey, and 27% reported intellectual property theft, up from 21% in 2001.

But the survey also shows that the cost of that theft is exploding. Although only 35 respondents could quantify the financial losses associated with intellectual property theft, that number added up to more than $262 million. The amount is up from almost $78 million in 2001 and $31 million in 1998. In total, 297 respondents said losses from all types of security breaches cost more than $488 million. That means theft of intellectual property accounts for 41% of all losses tabulated in the survey, despite the fact that such a small number of companies could quantify it.

Companies are figuring out how to protect their financial data, customers’’ credit information, and personnel records. The problem is many companies aren’t aware that they should be protecting the information that fuels their businesses—such as marketing plans, source codes, and research information. You lock up rooms so people can’t steal laptops; but, if your company is based on information and information systems that can’t be secured, then you’re in line to lose your cash crop.

Industrial espionage is giving way to information age espionage. It used to be that if you wanted information on your competition, you would turn to an insider. You bribed them. You blackmailed them. But why risk someone getting caught when you can just hack in and take what you need? The survey also points to several other aspects of computer security that are on the rise:

• Forty-one percent (41%) of respondents reported outside system penetration. That number is up from 21% in 1998.

• Thirty-nine percent (39%) detected denial-of-service attacks. That number is up from 25% in 1999 and 28% in 2001.

• In 2000, 249 people were able (and willing) to quantify financial losses. That number totaled $265 million.

• Thirty-seven percent (37%) of respondents reported security breaches to law enforcement agencies. That’s up from 18% in 1998 and 26% in 2001.

Industry analysts and corporate users agree that more administrators should be focused on protecting their valuable proprietary information. Companies that collect credit card numbers and personal information about people take on that security responsibility. What they’re not doing is protecting their own information, records, plans, and technologies.

For some IT administrators, getting the message through to upper management is another problem. It’s not that upper management doubts the information’s value, but, rather, that upper management feels that there isn’t enough threat to warrant any significant attention. Once management buys into the importance of protecting information, it’s another matter to put a strong security plan in place.

Companies developing a new drug or a new widget may understand how sensitive that product information is, but they find it hard to protect. It’s the core of what they’re doing, so it requires access from a whole lot of people for a lot of reasons. It’s difficult to enforce protection of information while still letting people at the information.

The survey trends are unnerving. It’s clearly a dangerous world, and has been—and will continue for years to come—possibly even get worse, given the widespread deployment of computer forensics and security technologies. And it’s costing American businesses billions.