
Fear of the Black Hats

Increasingly, companies are hiring hackers to test their network firewalls. This may not be such a good idea.

December 15, 2000

Call it a sign of the times. In September 2000 the Secure Digital Music Initiative, or SDMI (www.sdmi.org), an industry association based in San Diego, California, posted this notice on its Web site: "Here's an invitation to show off your skills, make some money, and help shape the future of the online digital music economy. The [SDMI] is a multi-industry initiative, working to develop a secure framework for the digital distribution of music. SDMI-protected content will be embedded with an inaudible, robust watermark or use other technology that is designed to prevent the unauthorized copying, sharing, and use of digital music.

"We are now in the process of testing the technologies that will allow these protections. ... So here's the invitation: Attack the proposed technologies. Crack them. ... If you can remove the watermark or defeat the other technology on our proposed copyright protection system, you may earn up to $10,000."

As of press time, no one had collected the 10 grand — although in October 2000, a group of researchers from Xerox PARC, Princeton University, and Rice University claimed to have cracked the code. But SDMI's invitation was no publicity stunt. The fact is, paying outsiders to expose holes in encryption technology and network firewalls is fast becoming commonplace in the corporate universe. And on the face of it, such an approach makes sense. After all, who knows more about network vulnerabilities than hackers?

Certainly, traditional approaches to safeguarding computer systems — passwords, encryption algorithms, and the like — don't seem to be working. In early September 2000, Englewood, Colorado-based Western Union Financial Services Inc. reported that crackers (cyber-intruders) had made off with the credit card and debit card numbers of nearly 16,000 online customers — not exactly a ringing endorsement for the safety of online shopping.

According to the San Francisco-based Computer Security Institute's (www.gocsi.com) annual Computer Crime and Security Survey, released in March 2000, more than 90 percent of the study's 643 respondents reported security breaches over the past 12 months. Of this group, 42 percent were able to quantify their losses. Total damage? A tidy $266 million, or almost $1 million per company.

And that's only the tip of the iceberg. Analysts say the actual damage caused by hackers is impossible to calculate because many break-ins are never discovered. And many companies, keen to avoid bad publicity, don't report hack attacks. In 1994 a 29-year-old Russian broke into Citibank's network and made off with $10 million. The incident didn't become public until a year later — although Citibank claimed it knew about the break-in all along and was just playing cat-and-mouse with the hacker who masterminded the caper.

Still, a number of industry-watchers have started to question whether hiring hackers to test network security is such a clever idea. Obviously, rewarding script kiddies, hackers, and other digital pranksters with lucrative consulting contracts doesn't qualify as exemplary corporate citizenship. "Nice people don't do it," insists William Hugh Murray, an executive consultant to professional services firm Deloitte & Touche (www.us.deloitte.com), in Connecticut. "You should be engaging certified information system security professionals who have at least three years' experience, pass a rigorous exam, and are committed to ethical standards."

Beyond moral concerns, giving outsiders a free hand to probe a network can be a risk management nightmare. Hackers may know about Trojan horses and back doors, but they generally know precious little about competitive advantage periods, ROI, or E-commerce strategy. Notes Fred Rica, a partner in the technology risk services unit at PricewaterhouseCoopers (www.pwcglobal.com/us/): "Most ex-hackers don't understand the complex business issues surrounding the integration of security solutions within global enterprises and E-business environments."

What's more, it's nearly impossible to suss out the true intention of hackers-turned-advisers. That sort of uncertainty can leave a network wide open to theft, fraud, or worse — extortion. "It doesn't make sense to hire an ex-hacker," says Dave Safford, manager of the Global Security Analysis Lab at IBM Research (www.research.ibm.com/net_security/gsalpub.html), in Hawthorne, New York. "It's like hiring a convicted arsonist as fire marshal."

Color Schemes
To keep from getting burned, many corporations instead hire outside security firms to test their firewall security. Called ethical hacking, the process is intended to help system administrators pinpoint weaknesses in networks. In addition, ethical hacking enables IT managers to gauge response time to an attack — crucial in the fight against cybercrime. According to Bruce Schneier, co-founder of Counterpane Internet Security (www.counterpane.com), a managed security monitoring company in San Jose, California, network operators typically have about 10 minutes to respond to an attack before serious damage can be done.
