The Scare Stories About Security Miss Real Issues

Last February, at a government conference on “National Security in the Information Age,” U.S. Deputy Atty. Gen. Jamie Gorelick gave a rather frightening speech. Citing examples of the growing “cyber threat”--including a hacker who broke into the U.S. marshal’s computer system, and a hacker group called Legion of Doom that “could have shut down the phone network for the Southeastern United States”--Gorelick grandly called for “the equivalent of the Manhattan Project to help us harden our infrastructures against attack.”

During high school, I was part of the cyber threat that Gorelick rails against. In fact, I was one of the fifteen-odd hackers in the Legion of Doom. So I believe that I can speak with some assurance on this topic. And what seems most obvious to me is that what we need is not more government scare stories about hackers, but rather some common sense and clear thinking about the real risks in the Information Age.

Whether it’s the government warning against hackers, consumers expressing their fear of using credit cards online or front-page news stories about security holes on the Web, we are increasingly barraged with anecdotes and admonitions about computer security. The problem is that it’s easy to get distracted by these stories and ignore the underlying issues. The result? The defenses we put up may turn out to be far more damaging than any electronic terrorist or virus could ever be.

Take hacking, for example. What was depicted during the 1980s as a kind of clever prank done by boy geniuses (remember “War Games”?) is now painted as a criminal act committed by sociopaths (remember Kevin Mitnick?). From my experience, neither of these opposing fables comes anywhere close to the truth.

The best way I know of to describe hacking is that it’s like computer science grad school--but for teenagers. Like all grad students, members of the Legion of Doom were obsessed with publishing the results of their research. Like all grad students, most of our time was spent doing grunt work: reading old telephone company manuals, learning C, mastering Unix. The actual system penetrations were merely the Q.E.D. that proved our research was correct.

Given this almost tedious reality, it’s not surprising that today most LOD members have gone on to become Internet consultants and programmers. After all, despite the illegal patina and secret code names that make hacking particularly appealing to suburban teenagers, we were essentially training ourselves for our careers.

Which isn’t to say that hackers should be rewarded, or even tolerated. They cost companies money in the form of lost productivity and can cause system administrators untold headache. But hackers also shouldn’t be used as a boogeyman to convince us that the government needs to mount a “Manhattan Project.” That’s going nuclear when conventional tactics would suffice.

*

This gap between perception and actual risk is even more dramatic when you look at people’s attitudes toward online commerce. Surveys that ask what prevents people from buying products online routinely report that one of the main factors is fear of credit card theft. Yet these same people will give their card numbers to dozens of clerks every month and allow their card imprints to be thrown away where anyone can dig them out.

“I have to admit being a bit puzzled,” says Allan Schiffman, chief technology officer for Internet security firm Terisa. “I care a lot about credit card security issues, but that’s my business. I’m not sure why other people worry so much.”

Part of the problem, he suspects, is that people have unrealistic expectations of computers. Here, computers may be victims of their own marketing; promoted as being flawless and unerring, it’s easy to assume that computer security should be perfect too. But computers will never be perfectly secure. Like everything we build, they are only as secure as we can afford to make them.

When a structural engineer designs a building, she calculates the risk of an earthquake--or today, explosives--versus the costs. It would be prohibitively expensive to build a building to withstand the rare magnitude 10.0 quake, but it makes sense to design them for a 6.5 quake. This same kind of cold risk analysis needs to be applied to computer security.

“As a goal, absolute security is outrageous. You don’t ask for 100% of anything,” agrees Schiffman.

This same problem also afflicts the newest kind of computer security--that involving the Web. Whether it’s a new flaw found in the Netscape browser or a bug in the Java programming language (used by Netscape), the reaction always seems more dramatic than warranted.

“I’ve had quite a few people call me up and ask if Java is secure or not. But that’s not a reasonable question. The real question is: What’s the degree of risk?” says Edward Felton, a computer science professor at Princeton, who has been in the news lately for uncovering a number of Java security holes.

Felton blames this partly on the media: “News reports concentrate too much on the blow-by-blow: Now there’s a problem, now it’s fixed, now there is a new problem.” This, he says, encourages people to think about security in absolute terms rather than in degrees.

But the real reason for Web security hype may have to do with today’s sped-up production cycles.

“The commercial pressure is to push products out quickly, and that’s a disincentive to get security right,” says Felton. Indeed, Netscape makes a big point of the fact that it welcomes reports of security flaws from hackers and researchers like Felton. Yet wouldn’t it be better if it did the work of making its products secure before they were released?

The real point I’m trying to make with these examples is that the problem of computer security is far more complex than the scare stories that people like Deputy Atty. Gen. Gorelick make it out to be. This is not a simple, external threat that can be responded to with a “Manhattan Project.” Instead, the problems we face--bored teenagers, unrealistic expectations, simplistic news reports and commercial pressures--come from within.

Steve G. Steinberg is an editor at Wired magazine. He can be reached on the Internet at steve@wired.com