Internet Security

Introduction
On October 21, 2002, all 13 of the Internet’s root Domain Name System servers were targeted by a distributed denial of service (DDoS) attack. While the attack had little overall effect on the performance of the Internet, a more sophisticated and sustained attack might have had a more deleterious impact.

As the use of the Internet grows, so has concern about security of and security on the Internet. A long list of security-related incidents that have received wide-ranging media coverage (e.g., the Melissa virus, the Love Bug, and the Code Red, Nimda, Slammer, and Blaster worms) represents the tip of the iceberg.

More recently, a series of computer security breaches have resulted in the loss of credit card numbers and other personal identifying information. Every day, persons gain access, or try to gain access, to someone else’s computer without authorization to read, copy, modify, or destroy the information contained within. These persons range from juveniles to disgruntled (ex)employees, to criminals, to competitors, to politically or socially motivated groups, to agents of foreign governments.

Extent of Security Problems
The extent of the problem is unknown. Much of what gets reported as computer “attacks” are probes, often conducted automatically with software widely available to Internet users. But the number of instances where someone has actually gained unauthorized access is not known. Not every person or company whose computer system has been compromised reports it either to the media or to authorities. Sometimes the victim judges the incident not to be worth the trouble. Sometimes the victim may judge that the adverse publicity would be worse. Sometimes the affected parties do not even know their systems have been compromised.

There is some evidence to suggest, however, that the number of incidents is increasing. According to the Computer Emergency Response Team (CERT) at Carnegie-Mellon University, the number of incidents reported to it has grown just about every year since the team’s establishment — from 132 incidents in 1989 to over 137,000 incidents in 2003. Since many attacks are now coordinated and cascade throughout the Internet, CERT no longer tracks the number of incidents reported to them. While the total number of incidents may be rising exponentially, it is interesting to note that, according to the Computer Crime and Security Survey, the percentage of respondents that reported unauthorized use of their computer systems over the previous 12 months has declined since the year 2000.

Impact on Society
The impact on society from the unauthorized access or use of computers is also unknown. Again, some victims may choose not to report losses. In many cases, it is difficult or impossible to quantify the losses. But social losses are not zero. Trust in one’s system may be reduced. Proprietary and/or customer information (including credit card numbers) may be compromised. Any unwanted code must be found and removed. The veracity of the system’s data must be checked and restored if necessary. Money may be stolen from accounts or extorted from the victim.

If disruptions occur, sales may be lost. If adverse publicity occurs, future sales may be lost and stock prices may be affected. Estimates of the overall financial losses due to unauthorized access vary and are largely speculative. Estimates typically range in the billions of dollars per major event like the Love Bug virus or the series of denial-of-service attacks of February 2000. Similar estimates have been made for the Code Red worms. Estimates of losses internationally range up to the tens of billions of dollars.

In the 2005 Computer Crime and Security Survey, 687 responders (out of a total of 700) estimated financial losses totaling $130 million in the previous 12 months. According to the survey, viruses accounted for the most financial losses ($43 million), followed by loss of proprietary information. Denial of service attacks accounted for $7 million in losses.

National Security Risks
Aside from the losses discussed above, there is also growing concern that unauthorized access to computer systems could pose an overall national security risk should it result in the disruption of the nation’s critical infrastructures (e.g., transportation systems, banking and finance, electric power generation and distribution). These infrastructures rely increasingly on computer networks to operate, and are themselves linked by computer and communication networks.

In February 2003, the President’s Critical Infrastructure Board released a National Strategy to Secure Cyberspace. The Strategy assigned a number of responsibilities for coordinating the protection of the nation’s information infrastructure to the Department of Homeland Security. Most of the Department’s efforts in cybersecurity are managed by the National Cyber Security Division (NCSD) within the Preparedness Directorate.

As part of the Strategy, the NCSD has assumed a major role in raising awareness of the risks associated with computer security among all users, from the home user to major corporations, and in facilitating information exchange between all parties. To this end, numerous cooperative and coordinating groups and fora have been established. One such activity is US-CERT, a cooperative effort by the National Cyber Security Division and Carnegie Mellon’s CERT, which, among other services and activities, produces alerts of new and existing attacks and guidelines for preventing or responding to them.

Federal Legislation
Congress has shown a strong interest in the security of computers and the Internet. The federal Computer Fraud and Abuse Act (18 U.S.C. §1030) was initially added as part of the Comprehensive Crime Control Act of 1984 (P.L. 98-473). This Act, as amended, makes it a federal crime to gain unauthorized access to, damage, or use in an illegal manner, protected computer systems (including federal computers, bank computers, computers used in interstate and foreign commerce).

Other legislation is primarily aimed at protecting privacy by protecting certain personal information held by government and private sector entities, and affects computer security indirectly. For example, the Gramm-Leach-Bliley Act (P.L. 106-102, Title V) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA, P.L. 104-191, Title II, Subtitle F) require that entities have in place programs that protect the financial and health-related information, respectively, in their possession.

The Sarbanes-Oxley Act of 2002 (P.L. 107-204) also indirectly affects private sector computers and networks, by requiring certain firms to certify the integrity of their unauthorized access,

A number of bills have been introduced that extend the requirements to safeguard and protect personal information, similar to those found in the Gramm-Leach-Bliley Act and HIPAA, to “information brokers” and/or require any organization engaged in interstate commerce holding personal information to inform consumers of any security breach that may have compromised their information.