Cyber-cops

In the last three months of 2001, the software that stands watch for health insurer Regence Group captured 145,645 attempts to break into the company's computer systems. That's about one violation a minute. Trouble is, not every incident is an electronic burglary in progress. But there's no way of knowing that, because security software doesn't distinguish between the digital equivalent of a cat burglar jiggling the doorknob to see if it's locked and a determined thief who smashes the window with a crowbar and climbs inside. For Regence's 45-person security staff, responding to every alarm would have been like a small-town police force having to fight a big-city crime wave. That's a huge problem when you take into account FBI statistics: 1% of all Internet attacks are successful--or, in the case of Portland (Ore.)-based Regence, more than 1,400 attacks should have successfully breached its network.

Instead, Regence called in the digital Pinkertons. A year ago, it hired tiny Counterpane Internet Security Inc., a Cupertino (Calif.) company that manages computer security for corporate clients. At Counterpane's state-of-the-art control rooms, engineers monitor traffic in and out of Regence's three data centers, 500 servers, and 10,000 desktop computers. Security experts keep a vigilant eye out for hackers, unauthorized insiders, and malicious viruses. "When we looked at having to do this service ourselves, it scared the hell out of us," says David MacLeod, chief security officer for Regence. "This is not something we could do."

Plenty of other companies are just as terrified. Growing concern over increasingly malevolent hacker attacks and viruses, as well as the rising cost of round-the-clock surveillance and qualified cyber-sleuths, have many companies turning to others for protection. For a fee, you can hire someone to patrol your network, signal a break-in, and take appropriate action. The hired hand will monitor firewalls, authentication software, and antivirus services, and warn about dangerous developments on the Internet.

According to market researcher Gartner Dataquest, worldwide revenue from cyber security services is set to take off, more than doubling from $1.8 billion last year to $3.9 billion by 2004. "Security is moving outside the realm of what companies can do themselves," says John Pescatore, security analyst for market researcher Gartner Inc. "The [tech] staff can't monitor systems all day, support the enterprise, and roll out new stuff at the same time."

The days of wide-eyed optimism about the Internet have given way to cyber checkpoints and pragmatism. The terrorist attacks of September 11 delivered a wake-up call to business: spend as much time protecting computers as is spent connecting with customers, suppliers, and employees. That will be especially true as the Web allows computers to automatically share programs, data, and services to manage everything from product design to supply-chain management to trading information with business partners. "Boards are becoming much more aware of computer security, especially as it relates to business continuity," says Richard Diamond, chief information officer of The Doctors Company, a Napa (Calif.)-based provider of malpractice insurance. The directors of his company handed computer security headaches to Symantec Corp. (SYMC )

It's a decision that will likely save him more than security headaches. It should help the bottom line, too. Regence's MacLeod pays Counterpane approximately 25% of the $500,000 a year he figures it would cost just to hire the people to provide a 24-hour watchdog service. That's without spending a dime on security hardware or software. And because he's using a service already approved by Lloyd's of London, it was easier to get an insurance policy covering the company in case of any shutdowns from technical glitches, hackers, or computer viruses.

That's assuming MacLeod could find enough digital Sherlocks. Staffing shortages are the other big reason for outsourcing security. Sure, companies often have plenty of programmers on the payroll, but it's tough to turn a software developer into a security expert. The work is erratic. Staffers can endure months of boredom--then suddenly face hours of sheer panic. "It's very difficult to justify the cost of experts when you might not need them every day," says Maria A. Cirino, co-founder and CEO of Guardent Inc., which provides security services to corporate clients.

When the alarm sounds, companies need workers who can assess the degree of danger in seconds, because security software often isn't up to it. Hackers scan thousands of systems for an opening, which software records as an attack, even if the network wasn't penetrated. With the steep rise in assaults, companies are drowning in data generated by security programs. "What used to be a weekly report that was half an inch thick is now 17 inches high," says Cirino.

Just as technology hasn't replaced the need for a police force in the physical world, security software can't protect the virtual world without people who can assess the threats. "What about computer security is flawed?" asks Bruce Schneier, founder of Counterpane. "You need people." That means that if he plays his cards right, he's in for lots of work, because he has the gumshoes for the digital age.

Cyber Attacks Are Rising...

Global cyber cop hits town, says hacking is passe

Narayanan Madhavan

New Delhi, March 12, 2007

Bearded, wiry, with his eyes sparkling as he unfurls articulate soundbites, Bruce Schneier hardly looks like the master geek that he is. But his claim to fame is precisely that: Schneier has breathed passion, detail and a touch of evangelism to the business of computer network security, a dull topic even for those who need it badly.

The global cyber cop is the chief technical officer of BT Counterpane, the British telecom company?s subsidiary that adds security layers and network patrolling to its business of building and managing computer networks.

Schneier, who landed in Delhi to promote cyber security services targeting IT companies and call centers, believes hacking by cocky young men seeking short-term fame has given way to more methodical and dangerous cyber crime gangs that need checking.

Hackers want to make a splash. Criminals don't want them. The new worms are better written, they are quieter and better targeted. The criminal worm will sit quietly and steal your passwords, Schneier told Hindustan Times in an interview.

We see worms target companies, we see worms for reconnaissance, he said. The movement from a hacker environment to a criminal environment is the really big story?

Schneier, who believes cyber security is increasingly about economics and psychology as much as computer knowledge, has been quoted as a cryptography expert by author Dan Brown of the hugely popular Da Vinci Code that helped the New York-raised expert get added brand value in a business few understand.

Schneier has controversially strong views against electronic identity cards and computer voting machines. As a man who makes money from the fear of the unknown in computer networks, he sketches a scary view of the easy world of online shopping and banking.

Cyber criminals, he says, could lurk anywhere.

It is very international. We see extortion. It mostly happens against fringe industries like online gambling, online gaming, online porn, Schneier said. Expert disruptions of networks are now used to blackmail key websites into paying up to restore operations, much like highway robbery did in the old world.

Because of the Internet, they can be anywhere. They come from Eastern Europe, South East Asia, Sub-Saharan Africa. They come from countries with bribable police forces and no extradition treaties. It is very hard to go after some of these criminals. I call this jurisdiction shopping, Schneier said.

He offers some consolation for Indian business process outsourcing (BPO) firms , who are his potential customers. He says their data networks are as safe or unsafe as any other in the world, and location has very little to do with it. However, contractual obligations offer stronger security to customers of Indian firms than law enforcement, he adds.

So what do firms like Counterpane do? They monitor computer networks with their own tools and skills, and use their trained eye to bounce off attackers, who can steal passwords or identities and indulge in transactions or disruptions they can use to make money.

In a lighter vein, Schneier likens his firm to the private security gangs used by railroad travellers in America?s Wild West when lawlessness was rampant, like in some parts of Bihar today.

When we did our first advertising campaign in 1999, we used American Wild West metaphors, because it is like that,? Schneier said.

It is very much like they are warlords. If you want security, you have to buy it yourself.

Managed security services? is the official term for work rendered by 100-employee-strong Counterpane, which was acquired last year by BT.