Holding management accountable: a new policy for protection against computer crime

Attacks by cyber criminals can be potentially just as damaging to the national infrastructure as attacks by cyber terrorists. Effective security countermeasures to combat computer crime parallel those used to protect against potential threats due to cyber terrorism and information warfare. Federal data about crime indicate that the growth in prosecution of computer crime is lower than the growth of computer incidents. A survey of the attitudes and activities of college students also revealed that current policy does not provide a strong deterrent to computer crime. Current policy, as expressed in the Computer Fraud and Abuse Act, does not hold organizational management accountable when their computers are broken into by hackers. However, security organizations repeatedly state that many if not most, computer intrusions occur largely because the host operating system has not had the latest fixes applied. Sometimes notices of system vulnerabilities have been widely published for months, but because available fixes were not applied, hackers using sophisticated attack tools, were able to locate exposed hosts on the Internet and attack those vulnerabilities. Hackers share vulnerability information via informal groups linked through the Internet, while government and private industry are reluctant to share vulnerability information. This characteristic gives attackers an advantage that helps them exploit host weaknesses. A recommendation is made to hold managers in the government and private sector more accountable for keeping their computer assets updated with the latest operating system fixes, to improve computer security and protect the national infrastructure.