Cybersecurity: past, present and future

Summary: "An insider who's gone bad can do more damage to your network than almost any hacker can do from the outside," says Dr Paul Nielsen, director and chief executive officer of the Software Engineering Institute (SEI).

"An insider who's gone bad can do more damage to your network than almost any hacker can do from the outside," says Dr Paul Nielsen, director and chief executive officer of the Software Engineering Institute (SEI).

The insider threat is just one of the fundamentals of security that we hear about on Patch Monday this week, as Nielsen takes us on a tour of information security.

Back in 1988, the Morris Worm was the first self-replicating malware to strike the internet. The US Government Accountability Office estimated that it took somewhere between US$10 million and US$100 million to clean up the mess.

That incident led directly to the formation of the first Computer Emergency Response Team (CERT), part of the SEI at Carnegie Mellon University in Pittsburgh.

Nielsen is now director and chief executive officer of the SEI. Before that, his 32-year career in the US military included commanding the Air Force Research Laboratory at Wright-Patterson Air Force Base, where he managed an annual research and development budget of more than US$3 billion, and reached the rank of Major General.

His interview for Patch Monday touches upon complexity in software systems, choosing strong passwords, the problems that local police face when prosecuting online crime, why Apple has so far had a better security experience than Android and dealing with security issues when the internet is populated with so many different kinds of devices.

We also discuss the case of Albert Gonzalez, who between 2005 and 2007 managed to steal and re-sell more than 170 million credit card numbers, the biggest such fraud in history. And to round it off, the future of information security in a world with organisations like Wikileaks, LulzSec and, indeed, the group's opponents at News of the World.

Patch Monday also includes my usual look at some of last week's news headlines.

To leave an audio comment on the program, Skype to stilgherrian, or phone Sydney 02 8011 3733.

Running time: 38 minutes, 02 seconds

Stilgherrian is a freelance journalist, commentator and podcaster interested in big-picture internet issues, especially security, cybercrime and hoovering up bulldust.

He studied computing science and linguistics before a wide-ranging media career and a stint at running an IT business. He can write iptables firewall rules, set a rabbit trap, clear a jam in an IBM model 026 card punch and mix a mean whiskey sour.

1 comment
  • While this may be true for the obsolete "discretionary access control (DAC)" model used by almost all current commodity operating systems, it must be remembered that back in 1983 the USA's "Orange Book" clearly defined the need for "mandatory access control (MAC)" structures where this is a threat - AND - MAC (or its newer manifestation as "flexible" MAC) should be the base for any critical information system - BUT - it isn't.
    The original "B2" and beyond specifications defined OS requirements where, indeed, insiders, and even software developers (shades of getting software from unknown sources on the WWW), could not be trusted.
    The problem is that governments around the world have taken no interest in appropriate regulation and governance requirements in the information environment in which we now live and on which our national GDP and social well-being NOW DEPENDS.
    Remember "C2 by '92" from the USA - an attempt to get higher trust into governmental and defence information systems - just didn't happen because government was not willing, as for other industries such as pharmaceuticals, air transport, motor vehicles, and so on, to provide the necessary security legislation and regulatory environment.
    Today - the situation can only be expected ("rats" aside) to get much worse unless there is a willingness by governments to act in the best interests of their citizens in this regard....and surprisingly, it may be the USA that takes the lead... over even the European Union.
    Any honest adherence to what former Prime Minister Rudd called "policy development based upon evidence" MUST now allow for clear intervention by government into the ICT arena. The time for obsolete "light-touch", "self-regulatory" regimes is really proven to be well and truly over.