Watching the Watchers
By Seth Ross
Every day seems to bring dramatic reports of some new network or
computer security problem. A mini-industry of computer security
sites, news sites, and Internet mailing lists is committed to exposing
every bug, virus, vulnerability, and root exploit. Law enforcement
and computer security research institutes publicize the tremendous
losses caused by information security breaches, from stolen intellectual
property to denial-of-service. Computer security vendors are naturally
willing adjuncts to this feeding frenzy as they step up with improved
virus checkers and entirely new classes of must-have corporate security
products like intrusion detection software.
Much of this sound and fury is entirely self-serving. Security
web sites want to sell ads. Law enforcement wants more budget and
expanded surveillance powers. Security vendors want sales. While
some of this activity serves the broader purpose of heightened public
awareness, much of what passes as security reporting ends up distorting
reality. Incessant and repetitive reports about computer risks carry
their own risks:
The Reality Distortion Syndrome -- While security news stories
constantly harp on the real and imagined dangers of Internet-based
systems crackers, who seem to be everywhere and nowhere at once,
the banal reality is that most computer security threats come from
insiders: disgruntled employees, bored employees, curious employees,
careless employees. Reality distortion is dangerous insofar as
it leads people to expend time and resources on relatively low-risk
vulnerabilities (network break-ins) while ignoring high-risk factors
like employee alienation.
The Security Fascist Syndrome -- Managers armed with a distorted
view of reality sometimes layer on so much security that users can't
get their work done. This is an obvious business problem. But it
also creates its own risks: inappropriately tight security measures
invite users to come up with workarounds. A "no-net" policy, for
example, can motivate employees to set up their own rogue net connections
using cheap modems and dialup accounts. There are few things more
dangerous to corporate computer security than proliferating dialup
accounts, each of which provides an entry point for intruders. Security
is something to do right before someone does it wrong for you.
The Despair Syndrome -- Any security expert will tell you that
there's no such thing as perfect computer security. You can put
your sensitive information on a computer, encrypt it, turn the computer
off, and place it in a subterranean vault: maybe your opponent will
rent an earthmover, hire a safe-cracker, and bring a diesel power
supply along with a laptop equipped with brute-force cracking software.
When one considers the flood of bad computer security news, the
impossibility of perfect security, and the perceived expense of
computer security safeguards, it becomes all too easy to throw up
your hands and give up in despair.