Crying Wolf in the World of Computer Security?

Feb. 16, 2006
Despite buzz about online and computer crimes, physical, not electronic, incidents still more likely

You wouldn't expect to learn about a decline in home-invasion robberies at a burglar-alarm convention.

And you won't hear much at this week's RSA Conference, the annual gathering of computer security experts, about how online identity theft isn't really a crisis.

Security companies need to convince the world that cyberthieves are a major threat, getting stronger all the time.

But if the information security industry is doing its job, the threat is under control. If so, then the threat can't be as bad as the industry claims.

Art Coviello, president of RSA Security, the company that sponsors the conference, banged the drum in a speech Tuesday morning when he called the Internet "a crime-ridden neighborhood."

Computer security is certainly a booming business. The conference has drawn a crowd of 14,000 to the San Jose McEnery Convention Center, up from 11,000 last year, causing a denial-of-parking attack downtown.

So are security companies succeeding or failing in protecting us from the bad guys?

The reality, as with most things, appears to be somewhere in the middle.

Criminals and security companies are engaged in an endless battle of measures and countermeasures.

The tactics used by the bad guys have gotten much more dangerous in the last two years, such as "phishing" campaigns, where scammers build fake Web sites to harvest credit-card numbers and other financial information from unsuspecting users. There are also more non-financial risks, such as personal information about you getting into the wrong hands.

At the same time, online security tools have grown much more sophisticated.

That's why we keep reading scary stories about increasing risk in buying or banking online, even as statistics fail to show any sudden surge in fraud losses.

Consider the example of Visa, which now processes 14 percent of all consumer spending in the United States through its credit cards. Total worldwide fraud losses on Visa accounts have dropped from a peak of 14 cents for every $100 spent in 1993 to just 5 cents today. Online credit-card fraud is growing, but at a slower rate than the overall volume of online Visa transactions.

Two weeks ago, the national Council of Better Business Bureaus released a survey showing identity theft "declined marginally" from 10.1 million people in 2003 to 9.3 million in 2005 and an estimated 8.9 million in 2006.

"Most data compromise -- 90 percent -- takes place through traditional offline channels and not via the Internet (in those cases where) the victim can identify the source of data compromise," the council said.

In other words, you're more likely to have your bank statement stolen from your mailbox than to have your financial information mysteriously sucked out of your computer.

Martin E. Hellman, a retired Stanford University professor and a pioneer in the security-related field of cryptography, said the industry risks losing credibility with what appear to the public as false alarms.

"But it's not crying wolf if you scared the wolf off and he never came," Hellman declared during a panel discussion Tuesday morning.

Not that the RSA Conference, which ends Friday, is all doom and gloom. The show's organizers traditionally set a theme for each year and start with a razzle-dazzle Broadway-style production number.

This year's extravaganza, at the appallingly early hour of 8 a.m. Tuesday, celebrated the life of Aryabhatta, a Vedic scholar from India who published a seminal treatise on mathematics in the year 499.

The number began when six men came on stage at the Civic Auditorium, across the street from the convention center, dressed as bare-chested Vedics in flowing white pants.

They were followed by two dozen women in traditional Indian costumes who delivered a Bollywood dance routine and song about security. Among the lyrics: "Gotta learn to trust but verify/because you don't want to tell it to the FBI."

Microsoft founder Bill Gates followed, starting his keynote speech with a joke.

"I'm glad to be here at RSA, because my other invitation was to go quail hunting with Dick Cheney," Gates deadpanned. "I'm feeling very safe right now."

Scott McNealy, head of Santa Clara-based Sun Microsystems and a longtime rival of Gates', delivered a keynote speech later in the morning and began with his own joke.

"Bill forgot to mention my invitation to go hunting," McNealy said. He paused for a moment and then growled, "Kaboom!"

The audience laughed, and McNealy said, "That's the only thing the press is going to write about my speech."

True enough.

[San Jose Mercury News (CA) (KRT) -- 02/16/06]