Security still underfunded
Kelly Martin, 2005-08-03

Story continued from Page 1


With so much money pouring into the security industry, I think the major players need to focus much more on hiring brainpower, and pay people who are in the know some exorbitant sums of money to think of new ways of doing things. The reason? If an unemployed security researcher already has the ability to gain the keys to your kingdom anyway, it's little more than his or her ethics and morals that keep him or her from going through the door illegally, and slipping inside.

Michael Lynn quit his job and risked two personal lawsuits, one from his former employer and one from Cisco, because he believed what he discovered was that important. And it is. He seemed to believe there was no choice in the matter; what he discovered had to be made public. What is the value of this discovery to Cisco, a highly respected company with oodles of cash, a near monopoly in the Internet's core infrastructure, and a market cap of $125 Billion?

It's all about ethics

Most discussions of ethics tend to result in glassy eyes and yawns from those involved, so I'll keep this brief. The fact is there's little else preventing many researchers from going to the dark side, and slicing off tiny bits of the fortunes of the Fortune 100, bit-by-bit.

Michael Lynn could have taken the easy road and kept quiet, or even used what he found to own the edge routers of some of the largest companies in the world. It's an excellent way to slip inside. He has stated several times that he disassembled Cisco's software, apparently under ISS' direction, which undoubtedly violates Cisco's license agreement. That's probably wrong. But the Cisco source code has been stolen two times now, and those criminals who have it now very much have an upper hand. That is much worse. Lynn did nothing more than any other security researcher or academic with strong ethics would do: he published his findings and presented them to the world.

Hire someone complex

Complexity is all around us, more than ever before -- and yet some very smart people can still slip in and out of the world's most secure servers and workstations with ease. Other smart people know about this, and plead with their managers to do something about it. People most in the know too often have the least amount of power to do anything. In fact, the tables should be turned.

Story continued on Page 3 



Kelly Martin has been working with networks and security since 1986, and he's editor for SecurityFocus, Symantec's online magazine.
Copyright 2008, SecurityFocus