Overkill Trips Up Cyberspace Security Plan

Steeped in civic idealism and putting forth the ever-optimistic “call to action,” the National Strategy to Secure Cyberspace provides a solid start for the way that government, corporations and individuals need to view Internet security.

The strategy, an effort by the Office of Homeland Security, was outlined in September to allow 60 days for public comment. The plan now moves to the purview of the soon-to-be Department of Homeland Security.

Richard Clarke, the primary architect of the strategy, clearly and correctly communicates that good security demands a proactive campaign and not a reactive effort. This is a worthwhile mantra that is finally gaining momentum after last year’s costly virus disasters and new speculation about potential cyber-terrorist attacks.

The plan also highlights the need for better ways of sharing intelligence. New procedures are recommended, including the expansion of information sharing and analysis centers.

Yet while the spirit of the plan is on target, one component of its philosophical foundation may undermine the effort before it gets started.

For years, the focus of most security efforts has been on identifying and then fixing vulnerabilities in technology. The belief is that if a hole is found in the technological armor of an organization it should be fixed immediately, before it can be exploited by some cyber-deviant.

While this sounds logical, it is actually the beginning of a vicious cycle that occupies vast amounts of time and wastes millions upon millions of corporate, government and consumer dollars every year.

Today’s approach to information security is the equivalent of recommending that everyone in the U.S. be inoculated for every known disease at the earliest possible moment, without respect to whether we are likely to be exposed or to the health cost of exposure. Under such a notion, we would be inoculated for the most minor of illnesses, costing consumers, doctors and insurance companies billions of dollars annually.

Would such an approach for health make sense? No, and it doesn’t for information security either.

The philosophical focus of the government plan needs to be centered on identifying and addressing security risk, not tracking and eliminating every single vulnerability. Too many companies, consumers and government organizations spend time discovering, patching and fixing vulnerabilities that carry no risk or at least no near-term security threat.

Of the 2,437 vulnerabilities published in 2001, only about 20 were involved in real attacks against corporations, and fewer than 4% of published Microsoft vulnerabilities have resulted in breaches. This means that 96% of alerts and incidents of publicity carried no near-term security risk. Yet companies spent time, money and resources addressing problems that were of little or no significance or that misdirected their attention from something that could cost them dearly.

The government plan should support strategies to measure, predict and prioritize risk and encourage classification of vulnerabilities so that users can respond to only the most important ones.

Much as community health prevents cholera by assuring that drinking water and waste do not mix, there are numerous simple, proactive, essential practices that users, corporations, infrastructure and software providers can do to significantly eliminate the need to chase vulnerabilities and patch systems. Following that course would force security and technology professionals to take a truly proactive stance on security and address only vulnerabilities that posed the greatest security risk.