SECURITY: HOW SAFE IS THE NET?

For most businesses, not safe enough. So they're building their own private networks

BUSINESS AT NET SPEED Click for June 22, 1998 issue




The first sign that someone is tampering with GTE Corp.'s (GTE) global data network is a warning message that appears on a computer monitor nicknamed ''Prozac.'' Every second or two, another one pops up, indicating that an uninvited guest is logging onto the network that GTE operates for National Semiconductor (NSM), CVS (CVS), Taco Bell, and 300 other corporations and government agencies.

Most of the time, it's GTE engineers making adjustments to the network--something the two men who watch the screen can tell by glancing at the color-coded messages. But every so often, a speaker in the corner of the cramped room calmly intones, ''Red Alert,'' and the guys straighten up in their chairs. Eyes narrowing, they quickly type commands that might catch an intruder from the ''demilitarized zone'' outside the network's hardened firewalls.

With so much talk about the billions to be made in E-commerce, you would think the Net already was secure for business. Not exactly. While some transactions, including E-mail and simple home banking, can be protected through basic encryption, the secure environment that businesses need to carry out lots of confidential transactions still doesn't exist.

Indeed, concerns about security run so deep that they are slowing use of the public Internet by corporations. Fear, says Jack Danahy, director of security services at GTE Internetworking, ''is having a negative effect on the rate people are adopting the Web'' for business-to-business transactions. The reality is that fewer than one in seven companies is willing to link its critical applications to the Net, according to a recent survey by the Open Group, a consortium of global companies pushing for security standards.

Most experts believe the delays are temporary. E-commerce, after all, was developing well before the Internet's recent explosive growth and has been steadily building momentum. Today, while awaiting better Internet security, companies continue to invest in private networks that, in reality, run on the public telecommunications system--just as General Electric (GE), General Motors (GM), and IBM (IBM) have done since the 1970s.

LICENSE TO HACK. Then there's the ultimate private network--SWIFT, the international bank settlement system based in Brussels. With responsibility for nearly $3 trillion in electronic money transfers every day among the world's 3,000 largest banks, SWIFT Chief Executive Leonard Schrank says he never considered using the public Internet. Instead, SWIFT is spending hundreds of millions of dollars to link member banks with dedicated fiber. The result looks more like a fortress than the long-heralded Information Superhighway. ''Security is the primary driver,'' says Schrank. ''That's different from the Internet, which was built as an academic exercise.''

Promoters of the Internet and cyberspace in general view such private networks as perhaps necessary but backward. For one thing, these systems are expensive. And because they are private, they don't take advantage of the Net's most celebrated attribute: ubiquity.

Still, businesses are willing to forego ubiquity to maintain security. ''Without a common set of specifications and products that guarantee security and reliability, the Internet may simply become an interesting public-access network,'' says Michael Sullivan-Trainor, an analyst at International Data Corp. in Framingham, Mass.

How hack-prone is the Internet? Even cocky security consultants admit that in time, determined hackers can surmount any barrier. Private networks have higher walls, but they are not impregnable. Last year, a group of Texas hackers snatched unlisted phone numbers and personal credit information from private networks run by SBC, GTE, MCI (MCIC), and Sprint (FON)--and wreaked $500,000 of damage. But what scared telephone companies and the FBI most was the group's ability to gain control of core programs, known as root access, enabling the transgressors to reroute calls from FBI crime centers to sex chat lines in Hong Kong and Moldova.

The good news is that so much talent is being dedicated to improving computer security. Netscape (NSCP), Microsoft (MSFT), IBM (IBM), Cisco (CSCO), and Lucent (LU) have all made it a research priority. And startups are turning it into a market. Its leaders include Checkpoint Software, Network Associates (NETA), VeriSign (VRSN), Security Dynamics (SDTI) and its RSA subsidiary, and Entrust, which have a combined market cap of about $11 billion.

E-PASSPORTS. Their primary strategy emulates the military doctrine of deterrence: make it so expensive for interlopers to gain access that it simply isn't worth the cost. Companies do this by constructing concentric layers of encryption, using quick-changing passwords, and adopting devices known as digital certificates. The certificates act as electronic passports, strictly limiting entry to different areas of the network.

None of these defense schemes is cheap, however. And in the end, says GTE's Danahy, ''You're protecting yourself against a risk that you can't quantify all that well.'' Barclays Bank PLC, for instance, calculates that it costs about $800,000 a year to maintain each of its three major firewalls. ''Even for a large corporation, that's a major expense,'' says Paul G. Dorey, group operational risk director for Barclays.

Many companies now sell off-the-shelf firewall products. But the systems must be customized, since no two companies will make the same decisions about which employees or outside customers should have access to different areas on the network. Monitoring and maintaining the firewalls also soaks up plenty of human resources. As for digital certificate systems, implementation costs run about $185,000 for a large business and nearly as much each year to keep current. Meanwhile, user authentication, which relies on rapidly changing passwords, can cost as much as $4 million to roll out across a big organization.

ARE YOU CERTIFIED? But, if you're doing business across the Internet, your security is only as good as that of your E-commerce partners. Many companies hooking partners up to an extranet now specify the types of routers, firewalls, and security procedures each partner must employ to safeguard the extranet connection before turning it on. Cisco Systems Inc. is going one step further. The networking giant sends its own security engineers to examine a partner's defenses and holds the partner liable for any security breach that originates from its computers.

Federal Express Corp.'s (FDX) challenge is to maintain security as it manages 60 million electronic transactions every day. Some 140,000 employees use its systems, which have all sorts of information that must be kept confidential: account numbers, container contents, and even home addresses of senior executives at customer companies. ''A loss of trust would be very expensive,'' says Tom Buss, FedEx's senior manager for data protection.

In May, the company began distributing digital certificates to all its employees. These unique IDs cling to the owners wherever they roam in FedEx's vast computer system, and they are required each time a user seeks access to certain computers or records. They raise barriers against internal hackers, who are at least as common as attackers from the outside. One big advantage of certificates, Buss says, is that employees need to remember only a single password to activate their digital certificates when they log on at the beginning of a computer session. After that, access--or denial--is automated and invisible.

Even if such approaches spread rapidly, however, they represent only a partial fulfillment of the promise of Web commerce--the promise of ubiquitous access at low cost. That leaves many companies waiting for stronger assurances before moving more of their business online. Says Sullivan-Trainor: ''Business folks can't walk into the Internet naked and expect it to give them the kind of coverage they need to do business.'' For now, at least, companies have to bring their own suits of armor.

By Paul C. Judge in Boston



RELATED ITEMS

The 'Click Here' Economy
COVER IMAGE: Doing Business in the Internet Age

GRAPHIC: Online Sales Are Soaring

TABLE: How the Internet Changes (Almost) Everything

Commentary
Extranets
TABLE: Understanding Net-Speak

GRAPHIC: How a Mythical Merchant Uses Three Avenues of the Net for E-Commerce (.pdf)

Supply Chain
GRAPHIC: How Mythical Sportz Gets Products to Market

CHART: Explosion in Enterprise Software: These Tools Are Being Honed for E-Commerce

Customer Service
TABLE: At Your (Cyber) Service

Middlemen
Security
TABLE: Six Signs That You Have Been Hacked

BW/Harris Poll
FedEx: An Internet Stock?
Online Merchants
Cyber Prices
Commentary
E-Cash?
Next: Smart Cards
Net Tax Commentary
Knowledge Management

Return to top of story


SIGNUPABOUTBW_CONTENTSBW_+!DAILY_BRIEFINGSEARCHCONTACT_US


Updated June 11, 1998 by bwwebmaster
Copyright 1998, Bloomberg L.P.
Terms of Use