[LINK] UK gov't security expert: Balance cybersecurity risks

Thu Sep 28 15:23:11 AEST 2006

<brd>
After my earlier blast re extremists, here's a convenient quote:

"This is a risk-based business," he said. "There are no absolutes in this."

</brd>

UK gov't security expert: Balance cybersecurity risks
Grant Gross
IDG News Service
http://www.computerworld.com.au/index.php/id;2017729052;fp;16;fpid;0
28/09/2006 10:36:18

Governments and businesses face a variety of cybersecurity threats, but 
they also need to allow for increasing demands from computer users 
across the globe, the former information security advisor for the U.K. 
Ministry of Defense said Wednesday.

David Longhurst, who retired this week, called for businesses and 
governments to take a risk-based approach to cybersecurity by balancing 
the advantages of new applications and capabilities with the security 
risks. Too often, Longhurst found himself between the U.K. military, 
which wanted new networked capabilities, and in-house cybersecurity 
experts, who wanted no new networking functionality, he said during 
Microsoft's Security Summit East in Washington, D.C.

"IT security folks don't want to connect anything," he said. "They 
believe safe sex is no sex."

Longhurst didn't downplay cybersecurity risks as he spoke to a crowd of 
developers and network security administrators. Protecting the global 
information infrastructure is one of the top -- if not the top -- 
challenges for governments, developers and infrastructure providers, he 
said. It's difficult to fully assess the magnitude of the threat, he 
said, with IT security experts often saying, "We just have to tell you, 
it's bad."

But as security threats continue to be a large problem, IT users are 
demanding increased functionality that supports their business, is easy 
to use, is reliable and safe, and "makes the coffee in the morning," he 
said.

Maybe users don't want their computers to make coffee, but IT security 
professionals can face demands from users who want to access sensitive 
data from Internet cafes in Beijing, he said.

"They say, 'I'd like to connect to anybody, anywhere, access anything 
for practically any purpose, at any time,'" Longhurst said. "You could 
do all this ... if we didn't have a Wild West out there."

Longhurst called on everyone in the IT chain, including developers, 
integrators and users, to give cybersecurity a higher priority. But he 
also advised companies and government agencies to weigh the risks of new 
technology with the benefits to themselves or their customers. "This is 
a risk-based business," he said. "There are no absolutes in this."

To fully access risk, businesses and government agencies need to hear 
from IT security experts, from those wanting the new functionality and 
from engineers who estimate how long any identified problems will take 
to fix. In some cases, the U.K. government has rolled out new technology 
even with security concerns, but set a deadline for fixing any problems, 
he said.

Earlier, George Stathakopoulos, Microsoft's general manager for product 
security, said the company continues to push security in its upcoming 
Windows Vista OS. Vista will include several security features, 
including support for smart-card access to computers, and the Windows 
Defender scanning tool, he said.

Stathakopoulos called on governments and courts to increase penalties 
against attackers who are caught. "Right now, you write a Sasser [worm] 
and get a two-year suspended sentence," he said, referring to a 2005 
conviction in Germany. "You may even get a security job."

-- 

Regards
brd

Bernard Robertson-Dunn
Sydney Australia
brd at iimetro.com.au