In fact, you'll probably see changes first at the office as companies try to "harden" their information assets against a wide variety of threats.
Some of these efforts will be successful, some will be laughable, and most will tick you off. Many of you will come to see security as getting in the way of convenience.
Since many companies will be tightening security on a learn-as-you-go basis, you and your colleagues will often have a point.
Here are some things you need to be thinking about as the great network lockdown of 2002 gets into full swing.
-
Most companies don't spend as much money on protecting their data as they do on coffee for employees. That's according to Richard Clarke, the White House special advisor on cybersecurity issues. He told an audience this week at the RSA Security Conference that less than 0.0025 percent of corporate revenue is spent on corporate information-technology protection.
-
It's not just the Internet and your company's data networks that aren't secure. Experts point out that most of the nation's critical infrastructure--the power grid, voice networks, and water supplies--are vulnerable. You'll find computers at the heart of all these systems, too. Terrorists have a wide range of technology targets, not all of them in cyberspace.
-
Our adversaries, be they run-of-the-mill hackers or devoted members of terrorist cells, have the same training and much the same access to technology as we do. "Our future enemies understand our technology at least as well as we do," Clarke said.
-
Cyberterrorists could launch an attack from anywhere, potentially framing someone else for their evildoing. Imagine what would happen if hackers in Iran left a trail that seemed to end in Iraq. It's not hard to imagine such a provocation resulting in another round of cruise missiles over Baghdad, especially given President Bush's recent "axis of evil" declarations, is it?
- If a cyberwar erupts, would we necessarily know? Simply crashing a system for seemingly natural reasons could cause enough disruption to achieve an enemy's aims. On the other hand, a coordinated series of attacks against highly visible targets--such as financial systems--could threaten chaos on a near-global scale.
So what do we do?
-
Let's avoid the tendency to throw up our hands. Yes, there are so many potential targets and means for an enemy to do us harm--information warfare is just a tiny part of this catalog--that we can't possibly protect everything. But by making it tougher to succeed, we can reduce the number of potential adversaries and, perhaps, make their work against us easier to defeat.
-
The real threat to most businesses are not cyberterrorists. Instead, the more likely danger lies in the more mundane hacking attempts made every day over the Internet or perhaps internally by unhappy employees. And don't forget: The biggest loss of data is still caused by accidents of one kind or another.
-
We need to spend money. The success of the Internet makes it attractive to what Superman called "the forces of evil" in their many forms. Clarke said most companies spend so little money on security they "deserve to be hacked." I am not sure anyone deserves to be the victim of crime, but his point--we know the threat exists, so we have a responsibility to protect ourselves--remains valid.
- We should be accepting of the changes that enhanced security is going to bring. But we need to be aware that more security doesn't necessarily go hand-in-glove with a loss of personal freedom or privacy. Some companies will, however, use security concerns as an excuse to gather more information than they need, to the detriment of privacy.
Here's the kicker, though. Despite more emphasis on security in all quarters, we may still be steaming straight into harm's way. In fact, I have deep concerns that security issues will never be solved. Then again, I can't help but wonder whether our anxieties over cyberterrorism are just as overblown as they were over the Cold War's missile gap.
