Section 1.4. Why Buy Security?

1.4. Why Buy Security?

Computer security has historically been viewed as being an unnecessary impediment to getting work done. With pressure from the government, the courts, and the press, security now seems to have graduated to a necessary evil. In the latest versions of the Linux and the Windows operating systems, security is automated and is becoming a full-fledged system feature.

Estimates of the size of the computer security market vary. The Freedonia group estimates that computer security now represents roughly a $9 billion a year market opportunity for the United States, and this number is expected to increase dramatically over the next decade. As you'd expect, the U.S. government drives much of the security market. Because of its special concern for classified information relating to national defense and intelligence, the U.S. government has historically been the major force behind security research and technology. The government has a great many secrets (millions of new pieces of information are classified each year!), and computer security products thrive on secrecy.

It's difficult to get hard numbers on government security spending because military and other classified programs account for a large piece of the security market, and dollar figures for those classified programs aren't publicly available. Best estimates are that as much as half the total computer security purchases are government-related, but this ratio ebbs and flows as security concerns enter and leave the public mind.

The Department of Defense, the intelligence agencies, and government contractors are particularly heavy users of security productsespecially cryptographic products, highly secure computer systems, and systems that use TEMPEST technology. (The TEMPEST market is almost exclusively a government one, although the private sector is likely to wake up to it as decoding systems decrease in complexity and increase in availability.) Virtually every government department and agency buys security products. Most of them have little choice; they're required by government regulations to protect the information they process. (Not to say that the security of every government entity is exemplary; numerous "report cards" frequently implicate government watchdogs as being somewhat behind the security curve.)

Businesses and government agencies have different goals and different cost/risk tradeoffs. Because financial considerations are the focus of business, security has to be cost-effective, or business won't buy or build it. A big market question is who will be willing to pay for security over timeboth in dollars and in potential loss of convenience and user friendliness.

Why buy security? There are two especially good reasons, described next.

1.4.1. Government Requirements

If you sell to the government, you almost certainly need to use many of the security technologies described in this book. If you're a computer vendor who's trying to sell a lot of computer workstations, for example, you may be forced to build security into your products or to buy the technology from others.

Most government requisitions specify security requirements along with operational requirements. Most operating systems must conform to a specified level of the Common Criteria for security. Common Criteria has replaced the security levels specified in the former "Orange Book" (see Appendix C for more information) standard for trusted systems, but the language of the Orange Book still permeates the security business.

You may need to use a particular form of encryption to protect stored and transmitted data; for high-security applications, consider using TEMPEST shielding.

In addition to being the major purchaser of computer security, the government has historically been the driving force behind the development of security products and the standardization of what makes a system "secure." Chapter 2 describes what these security standards are and how they developed.

1.4.2. Information Protection

Government agencies are required by law to protect both classified information and also what's called "sensitive unclassified" information. Examples include such information as productivity statistics (from the Department of Commerce), currency production and transfer information (Department of the Treasury), and embassy personnel information (Department of State). What makes this information sensitive is the fact that its theft or modification could potentially disrupt the nation's economy or compromise its employees. Similarly, the breach of individual health and financial records maintained by such agencies as the Social Security Administration, the FBI, the IRS, and others could have severe legal and personal repercussions.

If your business uses sensitive corporate information, you need security too. In some cases, you need to keep information secret. Obvious examples of such information include banking funds transfers, oil resource data, stock futures strategies, medical research data, personal medical data, and airline reservation information.

In other cases, you need to ensure the integrity of the information. A primary example is electronic funds transfer (EFT). The Society for Worldwide Interbank Financial Telecommunications (SWIFT), for example, provides EFT services for over 7,500 financial institutions in 200 countries, securely completing millions of transactions a day, and billions of transactions each year (2 billion in 2003 alone). SWIFT and other financial institutions require absolute accuracy in their transactions. As described earlier, message authentication and related techniques play an important part in ensuring the accuracy of such financial information.

Even if your business doesn't involve national defense secrets or international funds transfers, the information you process is critical to your own business. Information may well be your most important business asset. Any theft or compromise of information is as much an attack on your business as is the theft of any other company asset. And the loss of information is more likely to damage your business than would a more tangible loss. Even if you're not convinced that you need security, your insurance company and your shareholders may be. The concept of "reasonable safeguards" is having an impact on users of computer systems now. You may find that if you do not provide adequate security for your information, your insurance may not cover a loss, and you may lose a court battle over "computer malpractice," "preventable loss," or the "standard of due care."