©2003. All rights reserved.

MARKET ADVISORY / 10 SEPTEMBER 2003
 
Knitting a ‘Security’ Blanket:
Strategies, not Solutions, Key to Outage Threats

By JOHN PARKER

A few weeks after the biggest North American electrical blackout in decades, speculation is running rampant that the event was exacerbated, if not actually triggered, by a series of Internet-borne computer virus attacks that affected hundreds of thousands of users in the same region. Whether or not this proves to be true, the fact is that a very harsh light has now been thrown on IT security as an issue of prime national importance, and a very strong case has been made that – as we wrote back in December – information technology today is as fundamental a piece of our economic infrastructure as highways, telephones, and power plants.

To corporations, government agencies and universities in the eastern U.S. and Canada, the triple traumas inflicted by the Blaster worm, the blackout, and the SoBig.F virus surely didn’t feel like coincidence; instead, it appeared more like a combined assault by the Forces of Darkness. But even if no immediate causal link between the failures in IT security and power generation is ever established, there are important lessons to be learned that shouldn’t make IT managers or their vendors any too comfortable.

Shared Pain, Separate Remedies
In both cases, a neglected infrastructure failed, and in both cases constantly rising user demand set the stage for that failure. The remedies, however, will be vastly different. In the case of the electrical grid, government may come riding to the rescue by revisiting the regulation of power transmission and generation, thereby encouraging reinvestment in an infrastructure that has been largely ignored over the past decade. Elsewhere, public energy conservation is always a possibility as well, but it remains to be seen whether enough gas will be left in the political and public tank (you should excuse the metaphor) to exercise this option once the California gubernatorial recall is complete.

In the IT sphere, things are rather different. Although government has some say over the operation of major Internet server centers, the ’Net is effectively unregulated and unregulate-able. The security mechanisms that should have kept thousands of infected PCs from shutting down are as much psychological as they are technological, and any grassroots movements to conserve or control Internet resources will likely fail because they’ll run counter to the Internet’s fundamental and historical “freedom.” Given this absence of outside help, it would therefore appear that the responsibility for preventing future breakdowns lies squarely in the hands of those who own the networks – and by extension, those who provide them with systems and services.

Customer Responses
The good news – such as it is – is that the viruses and worms launched this summer lacked “payloads” that could destroy or contaminate data and programs residing in networked databases or on the hard drives of individual PCs. Thus, the harm they caused – though quite real and often expensive – really has been limited to the likes of massive inconvenience, blown production deadlines, and interruption of service. Sadly, this relatively benign situation cannot be counted upon to continue, and customers are looking to take several important steps to mitigate any future disaster:

  • Focus on ongoing network behavior, rather than point solutions. An IT environment is only as secure as every point of Internet and network access, and this includes standard email, instant messaging, and all manner of business applications. Firewalls are necessary, but their functionality is limited and their intelligence even more so. The purchase of firewalls and even intrusion detection systems (IDS) can actually increase the danger by pandering to user psychology and encouraging a false sense of security. Ongoing monitoring of activity everywhere on the extended network, with automated alerting to potential threats, must be the first line of defense.
      
  • Implement and automate enterprise security policies and best practices at the end user level. All users must be educated about the risks inherent in network attacks and network misuse. But because they are wrapped up in their “real work,” most users will ignore any directives that take more than a few mouse clicks to follow. So preventive best practices must be implemented via user-access controls of which the users themselves may be totally unaware. In addition, standard responses such as installing software patches need to be organized in advance so that they can be initiated within hours, not days, of a virus threat – and they of course must be installed at all!
       
  • Make EIO the foundation of network security. The way business applications are built, upgraded, and distributed, and the way they work with other applications, determines the level of their vulnerability. Security provides another urgent reason for organizations to pursue Enterprise Interoperability (EIO), using combinations of workflow, business process management, Web services, and portals technology to eliminate redundant points of entry and make the IT infrastructure more transparent, manageable, and impregnable.

Vendor Opportunities
Attacks and misuse, whether from without or within the network, threaten intellectual capital, regulatory compliance and profitability. A gap in IT vendor credibility with respect to security, therefore, has a direct impact on customer purchasing decisions. Even before last month’s virus attacks, customers were spooked by news that both operating systems (Microsoft Windows) and network routers (Cisco) were vulnerable because of design flaws or pirated code. To properly serve customers, and to win back their trust, vendors need to do the following:

  • Develop expertise in network monitoring, or partner with suitable experts. Vendors can create value for customers by helping them anticipate security threats rather than merely respond to them – usually too late. Network security monitoring is a fascinating example of EIO at work; a few vendors, such as Q1 Labs, are already marketing systems that allow network owners to view network behavior in multiple ways, according to specific business rules.
  • Give customers the tools to make systems more interoperable and thus more secure. Many legacy systems were developed to stand alone, and only later were network- and Internet-enabled. As a result, they can be as vulnerable to attack as they can be inefficient to use via a browser. Under the flag of enterprise application integration, vendors can provide better ways to model and build applications. IBM is promoting use of model-driven development through its Rational division. And business process management vendors such as Softheon are espousing Model-Driven Architecture (MDA) as a standard, equal to XML in importance.
  • Clean house concerning Internet vulnerability. Every software solution that interoperates with others in a large enterprise affects, and is affected by, the interactions that take place via Internet or intranet. Thus, network security has become everyone’s job and should be part of every product’s functionality in some way. This needn’t require a grandiose company mission statement: Microsoft’s much-ballyhooed, now 18-month-old Trustworthy Computing Initiative may ring a bit hollow today, yet thousands of XP users had reason last month to be grateful for the automatic upgrade feature that allowed their PCs to protect themselves quickly.

In short, security threats will be with us forever. Using the Internet, hackers will always work faster to exploit holes in software systems than IT staff or vendors can work to patch them. Understanding that unfortunate reality, we can aim for a security strategy, rather than a security solution.


Kinetic Information is always eager to hear your opinion, too, so please let us know what you think – send us an email, give us a call, or start a conversation in our Client Forum: visit our Web site at www.kineticinfo.com and choose News & Views – KI Client Forum. Thanks!

