New York Times, August 17, 1998
By DENISE CARUSO
The trade secrets of commercial software vendors are threatening the security of the global Internet -- and that threat extends to the future of electronic commerce as well.
This was not the conclusion that most people would have reached over the last two weeks as significant security flaws were disclosed in several popular e-mail packages, including Eudora, Microsoft Outlook and Netscape Mail.
Instead, most of the focus was on how users could get their hands on patches, the additional bits of software code that would spackle over the holes in their vulnerable e-mail programs.
Nonetheless, network security experts are adamant that the roots of the problem are fundamental and widespread. They think that the Internet's structure as it exists today -- the open, freely available Internet protocols, with overly bulky and/or proprietary software running atop them -- is impossible to secure, because only the software vendors know what is in their code.
Consider the recently exposed e-mail flaw that would enable an intruder to send an electronic message containing a program intended to damage or steal data. How could a company release software that would allow such a thing to happen?
"The problem is these gigantic, 10-megabyte Web browsers," said Mark Seiden, chief network consultant for Veriguard Inc., a computer-security concern in Menlo Park, Calif. "Nobody knows what flaws are in them. Nobody even knows, really, everything that they do."
Yet, he said, we install them without thinking.
"Or worse," Seiden said, "you have no choice but to install them because, in the case of Internet Explorer, they're part of the operating system. Then there are all the things which are part of Windows which haven't been looked at, with an eye toward security, by anybody other than the vendor."
Any software company that develops software for Windows, for example, has to trust whatever security defaults Microsoft has chosen to use, yet "the developers have no idea what's in them," Seiden said. "There's no way to find out the Windows source code."
Until a few months ago, the same was true of Netscape. But earlier this year, Netscape published its source code to encourage its use by third-party software developers. Apparently developers have not had sufficient time to discover all its flaws.
What this means in the end is that the network infrastructure created by popular Web browsers from Netscape Communications Corp. and Microsoft Corp. -- and from the scores of other companies that produce software to work with them -- has not been subjected to the same rigorous peer review that went into the design of Internet protocols, the rules that are continually scrutinized by some of the world's best software engineers.
As a consequence, Seiden said, there is always the possibility, however remote, that "any of the stuff that's on your desktop can be gotten to by hostile programs."
For today's online consumers, that means exposing bank accounts, password files -- anything that is in a file on a hard drive connected to the Internet. But for companies conducting business on the Internet, that means exposing trade secrets, intellectual property, product designs, customer databases, marketing strategies and more.
Seiden recommends encrypting sensitive information on a vulnerable machine, preferably by using code embedded on a computer chip, rather than encryption software.
But even if a company follows that recommendation, the incentive to steal corporate data appears to be increasing at an alarming rate.
According to the 1997 Global Information Security Survey, conducted by Ernst & Young in conjunction with Information Week magazine, 38 percent of respondents in the United States said their networks had been compromised for purposes of industrial espionage, up from 6 percent in 1996. Those reporting malicious acts by outsiders increased to 42 percent in 1997 from 17 percent in 1996.
Although there is no known instance of any intruder actually exploiting the e-mail security flaws disclosed this month, this increasing vulnerability alarms security experts.
"Corporate espionage is the fastest-growing sector of the computer crime business," said Thomas Noonan, chairman and chief executive of Internet Security Systems, an Atlanta-based supplier of security management systems.
"Flaws in the infrastructure are inevitable, a fact of life," Noonan said. "But if electronic commerce is about the ability to trade ubiquitously in all corners of the globe, one of the huge challenges for business is how to protect the security and integrity of my information, which is now the basis of my competitive advantage."
Noonan, whose clients include some of the world's largest companies, says corporate information officers realize that commercial software is "the source of their vulnerabilities." But though they spend millions of dollars on software every year, "they feel their hands are tied."
"I really think that unless these vendors provide their customers with a much higher level of comfort for managing security risks, then a lot less software will be sold, and electronic commerce will gain a lot less traction than it could have," Noonan said.
If Noonan is right, the industry's very tentative steps toward open source code -- a la Netscape and the Linux version of the Unix operating system -- become even more attractive. When a program's code is open to inspection by everyone, bugs are fixed and quality improves much more quickly because an entire industry of engineers is working on them at once.
Maybe one day the software industry will have to embrace the truth of the old Psychology 101 adage: You're only as sick as your secrets.
Email comments and questions to firstname.lastname@example.org.