Security holes will slow the growth of e-commerce

Goldman, Sachs & Co. recently reported that business-to-business e-commerce should explode in the next five years to the tune of a $1.5 trillion market, a whopping boost from today's $114 billion market.

I'm not so sure. The potential for this market increase obviously exists. After all, considering that the Internet changes everything, it's obviously going to change businesses the most. But can it really? Security issues plague the Net. I simply don't believe that companies have adequate security systems in place in this open Net economy.

Consider that just two weeks ago the ABC and the NASDAQ/Amex sites were broken into. Before that, the White House, NASA and even the CIA Web sites were also hacked. This doesn't give me warm feelings because these organizations use at least some best-of-breed security products.

A perusal of two of my favorite sites—Attrition ( and Project Gamma ( defaced/1999/september)—shows that there have been at least 50 breaches this month alone. So when will companies realize that they shouldn't be investing $1.5 trillion in such an insecure environment? Is it a macho thing? Nope. These companies have businesses to run. One reason that PC Week Labs set up is to find operating system and Web server security holes so that companies can boost their defenses.

Now, for all I know, as soon as our site went live, it could have been breached. I have no way of knowing because I'm writing this column several days before the site is wired. But companies are in the same predicament—they often don't know how secure their environments are. It's guesswork.

Here's the creepy part. One of the major aspects of security is encryption. The standard that the U.S. government allows vendors to sell outside of the United States is 56-bit, which now can be cracked in less than a day. This weak security algorithm tends to kick the United States off its perch in a global economy. To escape the madness, most security vendors simply moved development of security algorithms to Canada. Now the government is easing its stance on 128-bit encryption, a standard that should last at least another five years or so before someone cracks it with a souped-up Palm XXXII running Extreme Linux.

But strong encryption matters little. Government security forces want access to our data, anyway. Here's the exact wording in a recent government document: "A sound and effective public policy must support the development and use of encryption for legitimate purposes but allow access to plain text by law enforcement when encryption is utilized by criminals." Most security breaches occur within the government. If it can't secure its secrets, can we expect it to keep our encryption keys safe?

There are government projects that supposedly already track all our communications—voice and data. I imagine that most companies will shrug these things off. But I also have to wonder whether we'll be moving ahead as fast as Goldman, Sachs says if our infrastructure is vulnerable.

Does our lack of security scare you? John Taschek can be reached at john_taschek