ITworld.com

U.S.-China incident underscores IT security's importance

InfoWorld 4/23/01

P.J. Connolly, InfoWorld

Yes, my vacation was wonderful, thank you very much. When the first Monday morning back on the job rolled around, I had only two regrets: that I hadn't taken a longer vacation and that I had 6 jillion e-mails to wade through. Fortunately, 80 percent of them went into the "later" folder, and most of the rest were invitations to the recent RSA Security conference in San Francisco. That left me with a handful of messages that either had obvious importance or looked too interesting to ignore for long. I admit that I have a dogged curiosity -- between that and my big mouth, I can get into a lot of trouble if I'm careless. But that curiosity is also what makes me good at my job; so if someone or something catches my attention, I usually let myself be diverted.

That morning, the eye candy was a subject line linking the American Aries II ELINT (for electronic intelligence) plane that was forced down on Hainan Island at the beginning of April to a conspiracy to transfer restricted technology to China. Given that the incident was a topic of conversation even where I'd been vacationing and that I love a good conspiracy theory, how could I resist opening the message? Besides, there weren't any attachments to deal with, and I wasn't about to click on any hyperlinks because I had a lot to do that morning.

The message turned out to be a plug for Troika Magazine, which referred to the whole business as a "black op" -- an intelligence operation of which a government will deny knowledge -- and basically appealed to the same mentality that causes people to watch the skies for black helicopters.

Security arms race?

I generally don't spend a lot of time thinking about "what-ifs" -- the history we know is already sordid enough -- but the pitch closed by pointing out the possibility of an arms race in the security field as a by-product of the Aries II incident. This might not be such a bad thing, of course. Let's face it; we could use a sense of urgency in this area. After all, even in the current economic climate, security is one area where IT departments have legitimate reasons for increased spending. I can't go more than a day or two without hearing of yet another brand-name company being hit with Web site defacement, DoS (denial of service) attacks, or database theft.

Because the current condition of corporate IT security is intolerable, I'm willing to consider any event that focuses attention on information security as a blessing. If the crew of the Aries II was able to disable the plane's classified equipment -- and press reports indicate this is so -- the Chinese military may simply have got their hands on some very expensive paperweights. On the other hand, if the claims made in the Troika article have any truth, I expect that the U.S. military and the National Security Agency have already thrown out their plans for the next generation of intelligence-gathering Tinkertoys and are looking at some radical alternatives.

But I really don't believe that the incident was anything more than a case of a hotdog fighter jock who decided to take matters into his own hands. After all, there are a number of easier ways to transfer technology that don't involve putting two dozen lives at risk. Because the real goodies on the Aries II were the software and the collected data, the whole thing could have been done via the Internet.

Nevertheless, the point about a security arms race is valid. Make no mistake about it: The global economy depends on IT security. If security measures don't evolve to meet ever-changing threats, the prospects for the future look bleak. Unfortunately, many companies don't get really serious about security until they get burned.

Remember, I'm not talking about physical security; we know how to do that very well. Some companies have elaborate physical security arrangements that would make the CIA proud. But now that it's open season on corporate and government systems, I'd argue that most physical access controls are a waste of time and money. The money would be better spent on building up a company's IT security effort. In most cases, a simple lock on the door will suffice to cover your physical security needs.

But if you think that installing a firewall, some anti-virus software, and a VPN means you're secure, then you've missed the point. You don't get security from installing products; you become secure by implementing secure processes.

Most companies still haven't fully grasped that concept, and they'll continue to be vulnerable to computer attacks. I really worry about the thousands of midsize and small businesses that are lucky to retain one or two system administrators. They're extremely vulnerable to attack because their staff have their hands full explaining to users that no, this isn't a cup holder.

If we do find ourselves in a security race soon, my hope is that vendors will start designing systems in which security is integrated, instead of bolted on as an afterthought. But I'm not that optimistic about the future.

P.J. Connolly covers networking, security, and server technologies for the InfoWorld Test Center.





Copyright © Computerworld, Inc. All rights reserved