Data Ransom No Cause For Panic

To wit, part of leadership requires choosing an achievable goal. I propose that we in IT can serve an important role in the use of electronic data only to the degree that we work realistically within our discipline. It means informing other people who can then work within their disciplines.

We need to recognize that some level of failure in systems will be the optimal level to balance the amount of funding that we get against the return that we’re expected to provide. No rational person expects to get return on an investment portfolio with zero risk; and any portfolio with risk is going to have a few losers. We as a society make these tradeoffs in many ways: whether explicitly or implicitly. Two universal constants of computing remain operative today: computer systems fail, and people make mistakes. We need to build our infrastructures understanding these realities.

Now that “cybercrime” is being perpetrated by organized crime undoubtedly attackers will get more sophisticated. In light of this, Phil Williams of the CERT Coordination Center wrote in August 2001 that the real problem is not breaking into computers, but crime generally. If we mean to succeed, I believe that we will need to do three things:

  • Familiarize ourselves with the literature of risk management. This isn’t a “security” issue, it’s a business issue. It’s a matter of understanding risk and reward;

  • Find and use effective comparisons of risk and reward from other areas that are familiar to our audiences outside of IT; and

  • Refuse to accept ready answers and pithy quotes in place of analysis.

We have the tools to describe what is happening, to understand its impact, and its frequency. We need to make use of these and work with other leaders to find the right balances among risk, utility, and expense in our infrastructure. Choosing rationally, rather than responding out of fear, is the path forward.

Matt Curtin is a Columbus-based technologist, writer, and entrepreneur. Matt founded Interhack in 1997 as a research group that looked at the side-effects of using the Internet as a large-scale computing and communication platform. In 2000, he reorganized Interhack into a professional service practice focused on forensic computing and information assurance.