section II: Security and Protection

Massive data theft has become an everyday reality in the world of information technology. In 2006, for instance, it was revealed that personally identifying data, including names and social security numbers, on up to 26 million Americans were compromised in the U.S. Department of Veterans Affairs.

In the United States, information technology security rose to first place in budget priority after the bombing of the World Trade Center and has remained a top priority to the present day. McAfee Avert Labs, leaders in security software, released a list of top security threats for 2007. Noting over 217,000 various known threats, the report outlined several disturbing trends affecting security:

• Malware is increasingly being created by professionalized organizations, including organized crime, characterized by sophisticated programming by development teams who test and automate the production of malware. Sophisticated malware characteristics include polymorphism, recurrent parasitic infectors, rootkits, and software using cycling encryption to release new versions on an automated basis.

• The black market for malware is lucrative and growing.

• Trends in technology are making malware easier to transmit and more dangerous (e.g., Bluetooth or Wi-Fi wireless networking, "smart" mobile phones).

• File sharing, particularly in video and music, creates a vulnerable population of users willing to open transmitted files, and malware is more easily concealed in media than in text files. Imposter Web sites simulating popular destinations (e.g., eBay) are increasingly employed to steal passwords.

• Identity theft is also increasing through corporate and government data breaches.

More than 4 years after terrorist-controlled airplanes smashed into the World Trade Center and the Pentagon, and after the U.S. Federal Aviation Administration had promised to secure its systems within 3 years, the U.S. Government Accountability Office issued a report finding that air traffic control systems operated by the Federal Aviation Administration contained significant cybersecurity weaknesses and were still vulnerable to attack. Weaknesses cited included outdated security plans, inadequate security awareness training, inadequate system testing and evaluation programs, limited security incident detection capabilities, and shortcomings in providing service continuity for disruptions in operations. These weaknesses are not unique to this particular agency but are commonplace worldwide, making all the more important the need for research on the many dimensions of cybersecurity.

G. David Garson, September 2007