I have noticed something strange when I am in Europe talking
about computer security. I have heard people say things, in a
self-deprecating tone, such as, "This is not CIA-quality security,
but it will probably do." There is an implicit assumption that US
computer security - particularly the government's - is at a level
to which few can aspire.
Let me set the record straight. If you are labouring under the
false impression that the US government has fantastic security, you
are wrong.
Do you imagine that the country's nuclear secrets are stored in
a bomb-proof bunker, where machines run custom operating systems
with biometric smartcards and military-grade encrypted file
systems?
On the contrary. As we have seen, idiots at
Los Alamos National Labs were periodically e-mailing nuclear
secrets in the clear across ordinary networks.
Lost FBI laptops
The FBI admits that in the past four years it has lost over 150
laptops, including some containing classified information.
Then there is the "approximately 10Tbytes" of data that a US Air
Force spokesman admitted left the "sensitive but unclassified"
Department of Defense networks heading, "we think, to China".
Taken together, all of the news you hear about IT incompetence
and mismanagement should leave you in no doubt. You Europeans need
to form a more accurate picture of how bad things really are over
here.
When I hear Europeans looking up to the US government, I wonder,
"Are things that bad here?" But then I realise that there is simply
no possible way that European governments could have security that
is worse than the US government's - short of having no security at
all.
Patience will pay
I think it must be purely a problem of perception. Some of that
perception is founded in truth: most of the world is still behind
the US in terms of IT innovation. In terms of security, that spells
opportunity for other countries. The opportunity to sit and wait,
and see how it pans out before you decide to try it.
For example, the current fad in the US is for the government to
outsource everything it can. Is that going to result in a huge
improvement in security and functionality, as the low-cost provider
replaces incompetent federal workers?
Or is it going to result in massive leaks of information as we
turn the critical processes of government over to whoever wants to
do it? Europe has the opportunity to sit back, watch, assess and
learn. But do it with your eyes open: do not simply assume that
because the Americans are doing it, it is a good idea.
As information becomes increasingly critical to the workings of
government, warfare and economics, the need to protect these assets
will become commensurately serious.
Now is the time to "make haste, slowly" and to make sure that
the perceptions upon which you base your decisions are clear and
accurate.