Establishing Digital Trust: Don't Sacrifice Security for Convenience
In a little-noticed event this past January, a 16-year old computer hacker styling himself "Mafia Boy" pleaded guilty to 56 charges related to attacks last year on some of the Internet's largest e-commerce sites, such as Amazon.com, Yahoo! and eBay. The FBI estimates his acts of cyber vandalism caused more than $1.7 billion in damage by slowing or denying access to the Web sites for over six hours. Because of his status as a juvenile, Mafia Boy faces a penalty of two years in detention and a $650 fine. He boasted that he will commit this kind of cyber vandalism again.
One can argue whether or not Mafia Boy has learned his lesson. A more important question is whether or not the technology community has learned its lesson. It is wrong to assume that because a teenager committed a global Internet hack that it must be a very complicated and difficult thing to do. In fact, just the opposite is true; if a maladjusted teen flunking out of secondary school can do it (Mafia Boy's last report card had four F's and a D), then just about anyone can.
Single Point of Failure
That's because of the very nature of the Internet. It was designed to be open-not secure. Everyone uses the same protocols, and many of the same computing platforms (e.g., Solaris, Unix, Win NT) and operating systems (e.g., Win 9X). Not only that, but all of those interoperable systems are interconnected via the Internet. This makes for a potent combination known in security circles as a single point of failure.
The overwhelming majority of these viruses had the following things in common: 1) they were transmitted via the Internet, typically e-mail; 2) they attacked known vulnerabilities to common desktop applications and operating systems; and 3) they attacked using protocols designed to make systems interoperable (e.g., TCP/IP or MAPI for e-mail).
It is becoming increasing obvious that the current model of fighting computer viruses is not working. This problem looms large as e-commerce delivered via the Internet becomes more critical to the global economy. E-commerce totalled over $42 billion in the past year, with estimates that it will quadruple over the next three years, according to the Computer Industry Almanac. Along with this promise of continued growth is the promise of continued threats to Web commerce from viruses-a threat that is not going away anytime soon.
Re-examine Current Methods
So what is to be done? Perhaps we should start by re-examining our current method of fighting viruses. Today each corporation is expected to exercise due diligence by keeping its antivirus software current and capable of defending against the latest viruses. This model works in the large majority of cases, but when it breaks, the consequences are catastrophic.
For example, Mafia Boy was successful because he was able to infect sites that did not defend against viruses. Once infected, these sites then became unwitting participants as platforms for launching the denial-of-service attack against legitimate e-commerce sites. Not only that, but if a new virus were to strike suddenly and propagate rapidly, then antivirus vendors might not have had time to effect a new virus pattern file to defend against the threat. Even worse, after the antivirus vendor releases a new update many users cannot download the update patch because the vendors' Web site becomes overwhelmed with everyone seeking to download the same virus update simultaneously.
A more effective model for fighting viruses would be to scan e-mails for viruses at the Internet Service Provider (ISP). Virtually every corporation and individual user connects to the Internet via an ISP. E-mail messages are routed to an ISP for initial transmission on the Internet and then received by an ISP just prior to the destination address. ISPs, then, are in an ideal position to perform virus checking on behalf of virtually all Internet users. They could send the e-mail through a virus scanning engine that would employ not one but several different antivirus products. After checking that an e-mail was virus-free, the ISP could digitally sign the e-mail as a "seal of approval" to other ISPs that the e-mail had already been found virus-free and did not need to be rechecked.
This paradigm solves three problems. First, checking viruses at the ISP provides for a more robust solution since multiple virus-checking packages are used to check viruses rather than just a single package. Second, e-commerce sites are no longer at the mercy of other organizations that do not keep their antivirus software up-to-date. Third, in a virus emergency, corporations would not have to download the latest antivirus update. Instead, ISPs would receive the latest updates from each of the antivirus products, thus preventing an overload of requests at the antivirus vendors' Web sites.
Such a system would virtually inoculate the Internet against viruses since it would choke off their primary delivery mechanism-e-mail. The only problem with implementing such a solution is that there is no single body to mandate it. Since no one owns the Internet, no one owns the Internet's problems.
The result is that problems are corrected piecemeal without addressing wider systemic problems. In this case the best that can be hoped is that ISPs will take it upon themselves to begin providing this service to their customers. One British company, MessageLabs (www.messagelabs.com), has already begun marketing a virus-scanning service to ISPs; perhaps more will follow this lead.
With any luck, this model will catch on as an Internet standard-hopefully sooner rather than later. Concerted action now may well prevent the next global computer virus epidemic.
Note: The views contained in this article do not represent the views of Barclays Capital investment bank. Paul Raines writes strictly in a personal capacity.
Paul Raines is head of global information risk management for the investment bank Barclays Capital, New York City. He is responsible for the information risk management of Barclays worldwide, with operations in 66 countries. Prior to joining Barclays early this year, Paul was vice president of electronic security for the Federal Reserve Bank of New York, supervising its computer and network security systems. He was also U.S. representative to the Bank of International Settlements on computer security matters. E-mail him at email@example.com.