Everyone's a loser in security blame game

Network security specialists want to know who's at fault for the poor state of security. And it could be a very expensive answer. Call it the blame game, Internet style.
Written by Robert Lemos, Contributor

On Tuesday, seven network security specialists tossed around a question that, increasingly, could become critical as network attacks and cyber-vandalism occur more often: who is to blame for the poor state of security?

The answer could mean damage-heavy lawsuits for whoever gets shouldered with the responsibility.

"We are screwing up somewhere," said E Eugene Schultz, research director and trusted security adviser for security technology and information provider Global Integrity, who placed much of the responsibility at the top of the corporate ladder. "Senior management is a major reason for the security problems," he said, pointing out executives' routine lack of support for necessary security measures.

He also added software makers to the list. "Vendors give us crap from a security standpoint." Yet, Schultz stopped short of blaming the user. "I find it hard to blame users for the ILOVEYOU worm," he said.

Schultz and six other security experts weighed in on who's to blame for poor information security at a panel discussion that ran during Network Security 2000 in San Francisco.

Global Integrity, which manages the World Wide Information Sharing and Analysis Center, or WW/ISAC, and its financial sibling, FSISAC, has found that network attacks have worsened and now total tens of millions of dollars per day, said Schultz.

Many of the panellists were more subdued in their condemnation, generally blaming all parties.

"The responsibility resides with all of us," said Steve Kwan, founder and director of professional services for Ignyte Technology, a firm specialising in securing e-commerce application providers.

Fighting off network attackers -- especially teenage script kids with time on their hands -- is like holding back the sea, said Keith Lowry, director of security auditing and investigations for service provider Pilot Network Services.

"These attackers have opportunity, time and motivation," Lowry said, adding that against such foes "security is something that you strive for -- there is no such thing as perfect security."

Pilot detects millions of 'attacks' -- ranging from the equivalent of doorknob rattling to something akin to a battering ram -- every month.

Such widespread attacks mean that users have to be more savvy, whether they are technical or not. "The responsibility comes down to each individual person," said Lowry. "If you give a person a powerful tool, they must be responsible for its use."

Yet, the fact that individuals cannot follow the latest security trends puts the onus right back on the security provider.

"There are no silver bullets," said Matthew Archibald, director of global information security services for semiconductor manufacturer Applied Materials. "There is nothing you can do to ensure that you are safe 100 percent of the time."
