As a veteran of the U.S. Navy, I have become accustomed to seeing our military denounced by Al Jazeera and The New York Times, but not in the pages of our information security journals and periodicals. That is, until now.
Jay Heiser, a columnist for Information Security magazine and vice president with research firm Gartner, in a recent column saw fit to blame all the ills and failed security projects of corporate America on our military, even going so far as to make the ridiculous statement that "if we had developed a business approach that ensured transactions were genuine instead of a military approach that protected the secrecy of credit card numbers, ID theft wouldn't be an issue today."
With all due respect to Heiser, I don't ever recall the military "forcing" corporate America to adopt its security tools, practices and standards over my IT career, which spans some 40 years. Had it not been for the military, Rear Admiral Grace M. Hopper of the U.S. Navy and the CODASYL project, which finally adopted COBOL as an industry standard in 1960, we would still be wiring electromagnetic unit record boards and making punch card Christmas wreaths.
Let me take a moment and examine a few of the issues that really have made our corporations and information assets targets of opportunity and placed our personal data at risk:
- Was it the military or ChoicePoint that faxed personal financial records to a Third World thief operating out of a P.O. box at a Kinko's?
- Was it the military that "lost" several computer tapes containing millions of consumer records? (No, it was from Bank of America Corp., CitiGroup Inc. and Ameritrade Inc.)
- Was it the military that was responsible for the thefts of confidential student records -- including Social Security numbers and financial information -- from numerous major U.S. universities?
- Or, more recently, the March 23 theft of a laptop from Fidelity Investments in New York containing customer account data?
Since the early 1990s, I have been involved in all facets of IT security consulting and business development. I've heard a litany of excuses from corporate executives paying "lip service" to best security practices, tools and controls. For example, I've heard an executive say, "Of course we know security is important, but we have to roll out this application, which has a higher priority than conducting an enterprise-wide security review and vulnerability assessment." Is any project more important than ensuring the integrity of corporate and customer information assets?
While many American companies impose stringent security and background checks on their employees, they rarely bother to do the same for foreign nationals, or even third-shift cleaning crews. In his book "Corporate Espionage," no less an authority than Ira Winkler pointed out how easy it is for felons to be hired to work on cleaning crews and fill those large gray trash barrels with a treasure trove of stolen laptop PCs and credit card reports.
According to the Electronic Crimes Task Force of the U.S. Secret Service, the greatest threat posed to corporate America today is from insiders and social engineers, not the military, Mr. Heiser. I could go on and on, but by now you get the picture.
In his book "A Deficit of Decency," former U.S. Senator Zell Miller wrote a chapter entitled "Wimps and Warriors." In it, Miller said that at a time when the Warriors wanted to focus all our energy on the future, instead of the past, the Wimps preferred to point fingers, assign blame and wring their hands. Sound familiar?
Failure to do so will no doubt result in an alarming increase in security breaches and identity thefts, and may even lead to a digital Pearl Harbor of September 11 proportions, from which we, as a nation, may never recover.
Norman Beznoska Jr. is director of enterprise security at Infiniti Systems Group in Brecksville, Ohio.