The Internet's development and the transition towards electronic commerce has been widely hailed as the most exciting technological development of the last century. Far less exciting, however, is the need to protect and fortify networks against malicious attacks.
Although Internet security is emerging as one of the highest growth sectors to profit from the cyber-boom, it remains a thorn in the side of every organisation committing vast amounts of money to its Internet strategy.
Recently we saw the experience of Internet giants like Yahoo, eBay and Amazon.com, when their online operations were disabled by organised hackers using meaningless data to clog the paths of real customers trying to reach the sites.
However, one positive outcome has been its effect on exercising the minds of policymakers in the US to devise an effective law-enforcement strategy against cyber-crime.
Testifying before a Senate panel on Internet security, the attorney general, Ms Janet Reno, said that recent attacks on popular worldwide websites had illustrated the necessity of a co-ordinated law-enforcement strategy. "How we deal with cyber-crime is one of the most critical areas we face," Ms Reno said.
She proposed a five-year plan that would include tougher penalties for hackers and standardised investigative technologies. Such a step could lower the almost prohibitive cost of security and detection gear in an environment where network security equipment is often obsolete almost as soon as it is installed.
The investigation is being conducted in the US as well as in Germany and Canada. Scores of agents from FBI offices in Atlanta, Boston, Los Angeles, San Francisco and Seattle are now working on the attacks, known within law enforcement circles as "distributed denial of service" cases.
According to Mr Bob Ayers, senior security consultant with Admiral Management Services: "Any organisation that goes into Internet based e-commerce will come up against this problem. It's no longer a matter of if, but when."
Mr Ayers recently joined Admiral after a successful 29-year career with the US Department of Defence, where he specialised in intelligence and information systems and was responsible for automating the CIA's intelligence workplace.
He has recently worked in Ireland with several financial and large organisations which have lost valuable company or client information to hackers who have then used it for resale.
"What we are seeing is the inability of the police to keep up with computer crime, and the continuing failure of organisations who rely on risk-avoidance for their security," Mr Ayers says.
By risk-avoidance he means companies which simply acquire a firewall system, plug it into their network and then believe this will be enough to protect the company against security breaches.
Mr Ayers stresses that companies need to adopt policies of risk management where it is assumed a network can be penetrated, and a number of obstacles are built into the system which will slow any attacker down. Special intrusion detection monitoring software is also necessary to record activity on a network, and trace any holes in the perimeter fence.
While working for the US Department of Defence, Mr Ayers said he and his colleagues at one point targeted 18,000 companies, and managed to get into the systems of 88 per cent of them. Of these companies, 96 per cent of the system administrators did not even realise they had been attacked.
It is likely the high profile attacks of recent weeks were conducted by hackers seeking to prove they could do what they did.
"A lot of the cost of a network security breach is built into the cost of reconstructing a secure system, and the invisible cost of damaged corporate profile," Mr Ayers says.
Then there is the problem of jurisdiction and identifying where a cyber-crime has been committed.
"All nation-states are organised around the concept of national sovereignty and blame tends to be apportioned on the basis of geographic and political boundaries. However, cybercrime requires a reassessment of these basic responses from state mechanisms, and a very much improved collaboration between nation states," Mr Ayers says.
He cites as an example the recent case of 16-year-old Richard Pryce, who, from the UK, penetrated the US Air Force's research and development systems in New York, and gained access to valuable government information. While it cost the US air force millions of dollars to rectify the situation, Mr Pryce was fined £1,200 in a British court.
Late last year, it was reported that a number of British banks had been held to ransom by hackers. Investigators said at least two London financial institutions had paid ransoms of more than £1 million sterling (€1.63 million).
So concerned was the British government's electronic surveillance centre in Cheltenham that it set about helping key companies safeguard themselves against attack.
In the Republic, the Computer Crime Investigation Unit within the Garda Fraud division on Harcourt Street, has seen a big increase in computer related crime in the last year. Since January the unit has had around six such crimes reported to it, and according to unit head, Det Insp Eugene Gallagher, more and more of its activity centres on computer-specific crime as opposed to computer-related crime.
"We've seen a lot of allegations of hacking, and malicious viruses being sent to companies by aggrieved ex-employees. Then there are cases of commercially valuable information being accessed and used by hackers for their own gain," Det Insp Gallagher says.
The computer-crime investigation unit has expanded in the last year to two sergeants and five detectives, and Det Insp Gallagher expects to see further growth this year.
"The unit is becoming an increasingly important weapon in the fight against crime," he says.
