If the information security industry had a Mt. Rushmore, Donn B. Parker would certainly be one of the faces etched in stone. Donn's legacy of service and decades of research have had wide-ranging influences on public policy, law enforcement, best practices and many other aspects of information security.
Q. Mr. Parker, thank you very much for taking the time to answer a few questions. As you reflect back on your early years of investigating computer crime, did you have an inkling that this field would grow so large and your work would become so important?
A. I felt I was a voice crying in the wilderness. Back in the 1970s the threats were focused on mainframe systems, and I was not yet able to anticipate the Internet as an environment for crime. However, as I documented in my National Science Foundation and Department of Justice reports, I did anticipate worldwide expansion of computer crime including the physical destruction of large systems.
Q. What has surprised you the most about the way information security has evolved over the years?
A. No surprises because it has not evolved over the years. It is still the same incomplete, incorrect, inconsistent, under-funded folk art it has always been. The fundamentals of information security still rely on the tired old model of achieving confidentiality, integrity, and availability to reduce risk of destruction, disclosure, use, and modification of information by prevention, detection, recovery, and awareness. This is the fault of the security technologists who are so busy fighting fires deep in the technology that they don't have the time and patience to fix the fundamentals and recognize that we are fighting a war against real human enemies, not just their technical attacks. This is all wrong.
We need to build a sound and realistic base for progress beyond immediate needs: something like a confidentiality and possession, integrity and authenticity, and availability and utility model with the addition of avoidance, deterrence, and motivation to our functions and a change in our objective from risk reduction to achieving due diligence.
Q. ISACs (Information Sharing and Analysis Centers) are all the rage now as a method of collaboration in order to catch cybercriminals and protect information assets. Although some people may think this is a new concept, you formed the International Information Integrity Institute (I-4) at SRI in 1985 - arguably the very first ISAC. What were some of the biggest challenges in getting the I-4 off the ground?
A. In 1985, the 13 charter member companies and governments of I-4 agreed that I had the right combination of confidential services, and this was confirmed by having a waiting list of enterprises wanting to join for many of its past 17 years of operation. The major problem was establishing a workable business model to keep the annual fees at an acceptable level and to be able to provide all of the services the members desired. As a not-for-profit, SRI was the right sponsor for the model to work, but we existed on a shoestring for many years.
Q. As you look back on your involvement with the I-4, do any of the thrice-annual meetings stand out as particularly memorable?
A. The second one where we had an open discussion forum instead of interaction with formal speakers was a disaster. Our members wanted to hear what the leaders in our field had to say in a confidential environment. We never made that mistake again.
Q. You have probably interviewed more computer criminals than anyone on the planet, and have often said that it is difficult to neatly profile them. Did you detect any significant trends from the early criminals to the later ones - in terms of age, motivation, modus operandi, or anything else?
A. Remote computing freed criminals from the historic requirement of proximity to their crimes. Anonymity and freedom from personal victim confrontation increased the emotional ease of crime, i.e., the victim was only an inanimate computer, not a real person or enterprise. Timid people could become criminals. The proliferation of identical systems and means of use and the automation of business made possible and improved the economics of automating crimes and constructing powerful criminal tools and scripts with great leverage.
Q. Do you feel comfortable with the federal government's general level of involvement in fighting computer crime?
A. I believe that the criminal justice system is doing a reasonably credible job within the constraints of the poor patchwork of badly written and legislated statutes. For example, the statutes incorrectly use the concept of trespass to address illegal use of computers and communications systems. They should be applying theft of services. This confusion arose because we technologists incorrectly adopted the jargon of access and intrusion instead of the correct terms of use and usage of computers and services.
Q. Do you feel comfortable shopping online?
A. I feel no more uncomfortable and wary of shopping online than I do by mail or in stores. The Internet is like any big city. There are places you don't trust and there are places you don't go.
Q. What do you think are the key things we need to do as a society for the next generation, to both help them avoid computer crime and produce quality security professionals?
A. Everybody hates security and its constraints on computer usage and job performance. We need to recognize this up front. Instead of attempting to motivate support for security by teaching awareness, which doesn't work, we need to motivate positive, not grudging, acceptance of support for security by properly rewarding exemplary security and penalizing poor security. Security must become part of job and business performance in meaningful ways rather than being in conflict with performance. Intangible and immeasurable risk reduction is the wrong objective to achieve this. Our unknown enemies manage and control risk. The defenders of our imperfect security systems cannot manage and control risk. Our objective should be changed to due diligence.
Donn Parker is a retired emeritus senior consultant and creator of the International Information Integrity Institute (I-4) at RedSiren Technologies, a spin-off from SRI International. He has spent 35 of his 50 years in the computer field engaged in research, consulting, writing, and lecturing worldwide on computer crime and information security. He has received all of the possible awards in his field. His sixth and most recent book, published by John Wiley & Sons in 1999, is "Fighting Computer Crime, a New Framework for Protecting Information." He has appeared on 60 Minutes, 20/20, and many TV news programs worldwide. He has been profiled in People, Fortune, Time, Newsweek, and other magazines, and he is quoted in many news articles on computer crime. Donn wrote the computer security and computer crime articles for the Computer Science, Encarta, Grolier, and Britannica Encyclopedias. Donn is a CISSP and Fellow of the ACM.
CSOinformer is edited by Jim Reavis, founder of SecurityPortal and longtime industry analyst. This monthly newsletter is targeted at people who must take a strategic, multi-year view of the information security industry, and we promise insights you will not find anywhere else.
CSOinformer is a service of Reavis Consulting Group, and is published on the second Tuesday of each month.