There's 100 million carriers and a virus attack in cyberspace is only a click away

Oracle's chief of security explains to Stephen Pritchard what computer firms and their customers must do to combat bugs and hackers

The internet is not, it seems, becoming a safer place. Last month the search engine Google found itself the latest high-profile victim of a virus attack, just weeks before the company's initial public offering on the US Nasdaq exchange.


And despite the claims of the IT industry that security is now its top priority, viruses, spam and hacking continue to be a source of serious disruption to businesses globally.

The problem, says Mary Ann Davidson, chief security officer at Oracle, the world's number two software group, is that too few IT businesses have security at the core of their culture.

Competitors such as Microsoft may have increased their emphasis on security considerably over the past year or two, but their approach is still based on ease of use and flexibility, rather than on ensuring that their software is inherently secure.

But Davidson argues that Oracle is different.

The company's first product was a database for the US Central Intelligence Agency, and government contracts still account for a significant proportion of its revenues today.

"It's an enormous cultural advantage that we started that way," says Davidson. "All customers have secrets. Some of ours have national security secrets. My worst fear is that I would have one of the four chief information officers of the four US intelligence agencies calling me to say that they had data go missing."

A strong selling point for Oracle is that its databases are incredibly hard to break into. The company argues that security has to be a given for its products; Davidson says she never wants to lose a sale to a competitor because a rival has better security features.

But for Davidson, who chairs a number of IT security working parties in the US and has testified to Congress on her area of expertise, improving security on the net is not just an industry issue. The business community at large - and those responsible for purchasing IT services - need to put security higher up the agenda.

It is easy to over-emphasise the similarities between computer viruses and their biological equivalents, but the argument that online communities need to acquire the type of "herd immunity" associated with public health vaccination programmes is a persuasive one. One industry estimate suggests as many as 100 million computers worldwide could be running without protection against virus attacks or hackers.

It is these vulnerable computers that are acting as carriers, propagating viruses such as the Love Bug and, more recently, Mydoom.M, which caused the problems at Google. Even if a company protects its systems with anti-virus software and firewalls, it could still be attacked by unprotected computers elsewhere on the internet.

Davidson believes that if businesses did more to safeguard their systems - and asked their IT suppliers tougher questions about their security functions - life would become much more difficult for the hacker and virus writer.

"Businesses are starting to realise the costs of bad security," she says. "But they don't know when they buy [an IT] product how good it is. The software licence costs might only be 5 per cent of the total cost of an IT system over its life cycle. The industry does need to do a better job [of security]. But we also need to help customers become better buyers."

Conventionally, most IT companies, especially those based on the Windows platform, have sold systems with security measures either not installed, or switched off. There are good reasons for this: turning on firewall software on every desktop computer, for example, can make it harder to set up. But with more computers connected to the internet, and no signs that the threat from cyber attacks is diminishing, this is no longer an acceptable practice.

"Microsoft is trying to change its culture," Davidson notes. "But they started by writing consumer software, and the desktop [PC] doesn't usually attack itself. So they did not think about attacks from client machines but focused on ease of use, and they have done a good job at that. But now they are having to retro-fit security."

The way that the IT industry has developed in the past decade, with one operating system dominating the vast majority of computer systems, has also made users more vulnerable, Davidson cautions.

"It is important to have IT 'biodiversity' in the enterprise," she says. "There are dangers to a monoculture. The lack of biodiversity means that you are not resistant to cyber plagues. If you had greater diversity, you would have more resistance to viruses and worms. You can't expect enterprises to have one of every operating system, application and anti-virus software, as there would be no economies of scale. But there is a happy medium, for security reasons as well as others."

Davidson does concede that the IT industry could do more to make its products more robust and to educate its customers in the best way to use them. "Part of what we provide to customers is advice on how to set up the different operating systems," she says. "You do have to make sure that the file permissions are not set to something ridiculous."

But the industry will always be playing catch-up with the hackers, which is why stiffer penalties for cyber crime are also part of the IT industry's security agenda. "In some ways it is an unequal battle," Davidson admits. "If you are writing software, at the bug level you have to close every avenue of attack. The hacker only has to get through one. Hackers are very good at sharing information; it is sometimes harder for IT companies."

She believes that the industry should not use this inequality as an excuse for not writing better, more secure software. Hackers need to understand that their actions have real consequences, and the industry needs to examine its relationship with them.

"There should certainly be better criminal penalties," she says. "And an ethical discussion should be part of it." This means IT companies should be wary of employing hackers, even for testing. "If you don't trust someone, you shouldn't give them a contract," she says. "I vote with my wallet."