Great blunders in IT history

When Colin Crook offers advice on how companies should deal with a security breach, he speaks from experience. He was CTO of Citicorp [now Citigroup, parent company of Citibank] 10 years ago when a hacker penetrated the company's network.

Crook is now senior advisor to the Wharton Fellows at the University of Pennsylvania, a member of the New York Academy of Sciences, a fellow of the Royal Academy of Engineering and co-author of The Power of Impossible Thinking. He shared his experiences with customers of Framingham, Mass.-based ID management firm Courion Corp. during the company's Converge05 conference last week. In the second of a two-part question-and-answer feature, Crook uses history to describe the folly that can result when a company ignores youthful ideas and grows overconfident in its security technology.

You've warned against technological overconfidence. You gave some examples in your [Converge05] speech.
One example was Enigma, the coding system the Germans used in WWII. It was inconceivable to them that the Allies could break their codes. When things started to go badly, when all their U-boats were being sunk, they wanted to know why. They dismissed the possibility that Enigma was being cracked because in their minds, there was no way mathematically that it could be broken. They were locked in a mathematical mindset and not a human mindset. Of course, they were using the same repetitive system to start every message. So the cryptographers on the other side already had part of the message because it was always the same.

In the 1960s a critical safeguard for the U.S. nuclear arsenal, the permissive action links [the cryptographic combination lock on nuclear weapons], were disabled because some generals decided this system would slow down any retaliation against the Soviets. The president and the secretary of defense had no idea. It was a very dangerous security failure. What's the lesson for today's information security professionals?
It goes to show that you can put in a high-tech system and throw in restrictions and someone will find a way to break it. Work in the predictable and rigid and it will fail. It also shows that it's critical to focus on people over technology. Systems don't solve problems. People do. It shows that you have to always assume your defenses can be broken.

You've said the younger generation's security ideas aren't taken seriously enough…
Business leaders have to do a better job at learning from the younger generation. Look at Napster: Napster was a brilliant piece of innovation and the entertainment industry destroyed it. The industry's reaction to it shows they missed the point about how people want to get their music. It showed the resistance out there to listening to young people. The iPod wasn't all about Apple and their innovative thinking. It was a reaction to what the community has been saying it wants.

And you see similar innovation getting stifled on the security front?
It concerns me.

How do you get business leaders to change their thinking?
The kind of pressure that changes the way business is conducted always comes from the outside. I do think business people are under increased pressure to make security part of the business. But they still have work to do.

What's the lesson if you're the young person developing the new security technology?
You have to help people see you as a business enabler. You have to make them see that you have something that will help their business grow.

Live each day like you're going to be hacked

Former NSA director Kenneth Minihan told people [at the Converge05 conference] that they need to think of themselves as defenders of homeland security; that they're in a better position than the government to provide that security. Do you agree?
His basic premise is very critical -- there are no longer hard boundaries with technology. There needs to be a lot more breakthrough thinking.

The kind of thinking that led to Napster?
Exactly.

This article was originally published on SearchSecurity.com.