APBnews.com
January 4, 2000
EMPLOYEES, NOT HACKERS, GREATEST COMPUTER THREAT
The greatest security threat to companies' computer systems comes
from disgruntled employees stealing confidential information and
trade secrets, according to a new study on cybersecurity.
The survey, conducted by Michael G. Kessler & Associates Ltd.,
a New York security firm, found that 35 percent of the theft of
proprietary information is perpetrated by discontented employees.
Outside hackers steal secrets 28 percent of the time; other U.S.
companies, 18 percent; foreign corporations, 11 percent; and foreign
governments, 8 percent. The remaining 10 percent, according to
the study, are listed as miscellaneous crimes. The financial
losses caused by these cyber break-ins totaled $42 million last
year, which is up more than 100 percent from the 1997 figure of
$20 million.
'No such thing as a hacker's holiday'
"Computer crime is much more complex than bugs and viruses,"
said President and CEO Michael G. Kessler. "Y2K enlightened
business owners to pitfalls in their systems, but there must also
be heightened awareness of the growing number and variety of computer
security breaches that can weaken a company's balance sheet."
The survey was done over the past six months, and written questions
were given to 300 of Kessler's clients and other companies. He
said that disgruntled employees could be capable of taking business
records, trade secrets and payroll information. "It
doesn't take a new millennium for corporate computer piracy to
occur," said Kessler. "There's no such thing as a hacker's
holiday. Internet invasions increase with growing computer and
Internet popularity. Codes can be cracked; systems will be sabotaged.
Hacking is a reality, and CEOs who have turned a deaf ear to its
existence will be shocked when it happens to their allegedly fail-safe
network." Kessler cautioned that now that Y2K is over,
corporations shouldn't be lulled into a false sense of security.
Hacker attacks not often reported
"Problems could just as easily occur on Jan. 30 as Jan. 1.
Businesses should brace for outbreaks of sophisticated viruses
and hackings from outside and in. Once a breach in computer security
has occurred, our research historically reveals much more -- a
'subplot' that can alert corporations to the real root of some
serious trouble," said Kessler. He said companies fail
to report computer break-ins for fear of bad publicity, and that
for every break-in reported, 400 do not. The Kessler study
mirrors previous reports showing that computer security is one
of the biggest challenges facing corporate America. Computer-crime
rates and information-security breaches continue to increase,
according to a joint study conducted last year by the Computer
Science Institute and the FBI.
Losses greater than $100 million
The 1999 Computer Crime and Security Survey, based in San Francisco,
polled 521 security professionals at U.S. corporations, government
agencies and universities. The findings revealed that financial
losses among 163 respondents totaled $124 million, which was the
third straight year the survey had recorded losses greater than
$100 million. "It is clear that computer crime
and other information security breaches pose a growing threat
to U.S. economic competitiveness and the rule of law in cyberspace,"
said Richard Power, editorial director of the institute. "It
is also clear that the financial cost is tangible and alarming."
System break-ins by outsiders were reported by 30 percent of respondents,
and unauthorized access by insiders was reported by 55 percent.
Technology not enough
Even though security measures such as digital identification,
encryption and intrusion-detection systems are being used more
frequently, technology itself is not enough to stymie hackers. The
study also found that while 98 percent of respondents said they use
anti-virus software, 90 percent reported incidents of virus contamination.
Also, system penetration from outside grew for the third straight
year despite 91 percent of respondents saying they used firewalls. "The
lesson to be learned is simple: security technology does not equal
a security program," said Power, suggesting that well-trained,
motivated staff and smart procedures are just as important for
security as technology.
Justice Department stepping in
The problem of proprietary information being breached on computer
systems has prompted the Justice Department to devote an entire
section to computer crimes, called the Computer Crime and Intellectual
Property section. In addition, the Economic Espionage Act of 1996
is expected to be used to prosecute foreign sources of computer
crime. Michael A. Vatis, director of the FBI's National
Infrastructure Protection Center, agrees that a "disgruntled
insider" is the principal source of computer crimes. "Insiders
do not need a great deal of knowledge about computer intrusions,
because their knowledge of victim systems often allows them to
gain unrestricted access to cause damage to the system or to steal
system data. The 1999 Computer Security Institute/FBI report notes
that 55 percent of respondents reported malicious activity by
insiders," Vatis told a congressional committee last year.
Coast Guard lost data
Recent cases of white-collar computer crimes: Shakuntla
Devi Singla used her insider knowledge and another employee's
password and log-on identification to delete data from a U.S.
Coast Guard personnel database system. It took 115 agency employees
over 1,800 hours to recover and re-enter the lost data. Singla
was convicted and sentenced to five months in prison and five
months' home detention and ordered to pay $35,000 in restitution.
Software engineer William Gaed, working for a subcontractor to
Intel Corp., was convicted of illegally downloading secret data
on the computer giant's plans for a Pentium processor worth between
$10 million and $20 million. Authorities said Gaed also videotaped
information on his computer screen and planned to sell the tapes
to a competitor. Gaed was sentenced to 33 months in prison. And,
according to a General Accounting Office [GAO] report issued in
October, the federal government has been lax in protecting computer
networks used by government and businesses. "At the
federal level, these risks are not being adequately addressed,"
the report said.
U.S. unprepared for information threat
The report showcased concerns of some experts about threats to
private-sector systems that control energy, telecommunications,
financial services, transportation and other critical services. "Few
reports are publicly available about the effectiveness of controls
over privately controlled systems," GAO said.
Currently,
there is no strategy to improve government information security,
the GAO report found. If the United States is faced with a threat,
the response could be "unfocused, inefficient and ineffective,"
wrote Jeffrey Steinhoff, the acting assistant comptroller general.
Author - David Noack