
Cyber crime documentary prompts awareness and action

By Louis Chunovic, Senior Editor

Published January 28th, 2008

It is no easy task getting busy corporate executives to sit still to watch a movie. But more than 100 leading vendors and IT specialists recently took their seats for a private advance screening of "The New Face of Cyber Crime," a documentary produced by Fortify Software and created by Academy Award-winning filmmaker Frederic Golding.

The film was designed to inform both the lay public and industry professionals about the scale of the problem and the latest trends in network security.

But to those who attended this screening, perhaps the most stimulating aspect was the fact that the social gathering drew together two groups that often have dramatically different perspectives on the problem of cyber crime.

Two questions prompted lively discussion and debate: Who should bear the burden of legal accountability? And what role should government regulation play in assuring compliance with anti-cyber crime standards?

Many of the chief information officers and chief technology officers present nodded in agreement when James Routh, chief information security officer for the Depository Trust & Clearing Corp., which handles a significant percentage of all U.S. banking transactions, suggested that software vendors whose products are sold as a cure for the problem should be held legally accountable if the product doesn't work as promised.

This prompted Ted Schlein, managing partner of Kleiner Perkins Caufield & Byers, the Silicon Valley-based venture capital firm, to tartly reply that if software companies were held liable, most would be out of business.

Roger Thornton, Fortify’s founder and CTO, suggested that the solution lies somewhere in the middle.

Several audience members suggested that code testing by a neutral third party (akin to UL ratings) could be used to certify anti-cyber crime software.

Government agencies already have this in place to some extent, through the Common Criteria for Information Technology Security Evaluation, as well as requirements set by the General Services Administration and the National Institute of Standards and Technology (NIST), which issues the Federal Information Processing Standards (FIPS).

But several of the technocrats -- both vendors and users -- gathered at the film screening warned that those federal standards, like many corporate security regimes, may be fatally flawed. While the standards have generally made network links and access points more secure, the real threat to large government agency and corporate computer systems may come from within: from software that has itself been compromised, and so permits the very hacking and cyber terror it was touted to prevent.

"We need code scanning and effective security testing of software architecture," said Gary McGraw, CTO of Cigital, a risk management software developer based in Newport Beach, CA.

Vendors and users are both under the gun. Fortify’s Thornton suggests the federal government is also challenged by the rapid evolution of cyber terror techniques. "FIPS and other such standards specify controls that were needed 20 years ago," he said. "But what is needed now is a way to assure security of the software itself."

It is a point that "The New Face of Cyber Crime" makes abundantly clear.
