The Insecurity of Computer Security
By JOHN SCHWARTZ December 1, 2002Copyright The New York Times Company THE thieves who stole the credit histories of more than 30,000 people, law enforcement officials said last week, succeeded because Philip Cummings, a low-level employee of Teledata Communications Inc., had easy access to the material and was willing to steal it. Mr. Cummings, one of three people under arrest for what officials describe as the largest known case of identity fraud, was paid as much as $60 per person for credit histories.
Just weeks prior to those arrests, three former fraternity brothers were arrested on charges of trying to rig the computerized betting system in the Breeders' Cup horse race, hoping to win nearly $3 million. Again, an insider, Chris Harn, allegedly used his position as a programmer at Autotote, a racing service company, to cheat the system.
Not long ago, society feared the anarchic compulsion of hackers to penetrate any system designed to keep them out. But the greater threat to an increasingly computerized world, security experts said, comes less from high-tech bandits than from trusted insiders and the trust with which computer systems are generally regarded by society.
The truth is, any system can be hacked, and it is always easier to do from inside. Moreover, the greater the payoff, the more likely a hack.
This should give everyone pause, as government and industry look to ever- larger databases and networks. The newly revealed "
Total Information Awareness" program, for example, will amass a huge database of financial, medical and personal information — a treasure house for data miners to abuse.Systems like these, whatever their intent, will inevitably create "a greater risk to identity theft," said Ari Schwartz of the Center for Democracy and Technology, a Washington policy group.
Risk experts feel even greater qualms about another system now moving toward the virtual realm: elections. This, democracy's biggest prize, will inevitably become a target for interested insiders as votes change from verifiable paper and mechanical ballots to bits, said Peter G. Neumann, a principal scientist at the computer science lab of SRI International, a research institution.
"It's clear that humans aren't infallible," he said. "It's clear that machines aren't infallible either — no matter how carefully they're designed."