Asleep at the security wheel?

Security experts take aim at government and industry for lacking a sense of urgency in beefing up network security

Security experts are questioning the sense of urgency on the part of government and industry to bolster network security in light of last week's denial-of-service attacks against Amazon.com, Yahoo, ETrade, eBay and buy.com, as well as credit card number heists at sites including CD Universe and RealNames.

The attacks came on the heels of President Clinton's announcement of the first National Plan for Information Systems Protection. The plan, however, is a long-term project, while the attacks show the problem is immediate.

John Pike, a defense and intelligence analyst with the Federation of American Scientists, said most of the attention in government and industry has been focused on areas other than denial-of-service attacks and protecting the national information infrastructure. "It is clearly the case, at least as recently as last year, that major government Web sites remained vulnerable to intrusions. And my gut hunch is that most Web-hosting companies are focused on matters other than implementing robust defenses against [denial of service] attacks," Pike said.

The government has been focused on the global Internet infrastructure at the expense of the national infrastructure, Pike said.

Ira Winkler, president of the Internet Security Advisors Group, said electronic enterprises are "asleep at the wheel" when it comes to Internet security. "For every one thing they know about, there's a dozen things they don't know," Winkler said.

In addition, most new Internet businesses do not use intrusion detection tools or encryption software to guard sensitive information such as customer credit card numbers, said Mark Gembecki, chairman and chief technology officer at WarRoom Research Inc.

Robert Steele, a former CIA officer and chief executive officer of Open Source Solutions, said the attacks are a wake-up call that industry failed to heed long ago. "They were told several years ago that this was an issue, and they chose to ignore it," said Steele, who participates in several Internet security forums nationwide. "The holes are well-known, and the pain threshold has not been reached yet."

Others point at government's failure to act quickly enough. Gembecki said the process started in the mid-1990s with the formation of the President's Commission on Critical Infrastructure Protection, but many basic security gaps still exist.

Steele pointed at Congress, which he said has allowed industry to produce vulnerable information systems. Until Congress puts an end to corporate America's disregard for "due diligence" in security issues, "then this stuff is going to continue to happen," Steele said.

Such due diligence is not in evidence regarding the denial-of-service attacks: A count last week revealed that only 2,600 individuals had downloaded a free security tool from the FBI's Web page. That tool, which scans a host for installed denial-of-service attack code (the agent software planted on compromised machines so they can be used in an attack), has been available since December.