Q&A with Mary Kirwan

Question: Statistically, how much has the internet grown?

Answer: At an enormous rate. In Canada, 2000, about forty percent of Canadians were on-line. By 2007, we're close to sixty-eight percent of Canadians. It has grown enormously over the last seven years, in particular.

Question: And what is the future of its growth?

Answer: The prediction is that it could double or triple. In truth, nobody really knows how much we'll grow. But if we bring everybody on-line, obviously the potential is as great as the population, and beyond.

Mary Kirwan is CEO of Headfry Inc. - a global security and risk management consultancy practice. She is particularly focused on the global data security related regulatory and legal environment- and what it all means for consumers. She writes a popular monthly column for the Globe & Mail. Read her column online.

Question: How wired is Canada?

Answer: Canada is one of the most wired countries in the world. Canadians are one of the biggest users of electronic banking, for instance. Canadians are the biggest users of debit cards in the world. They like to bank on-line. So they won't go to the branch anymore. They'll go to an ATM machine, they'll use their credit card and they'll buy goods on-line. They'll go onto eBay and auction sites. And so it has changed the way people look after all of their personal affairs. They'll do a lot of that on-line.

Question: What is the future of this connectivity?

Answer: I think a lot depends on our ability to maintain the levels of crime at a reasonable level. There are quite a few commentators around the world who are afraid that the Internet, that the Worldwide Web, that www stands for the Wild Wild West, rather than you know, the Worldwide Web. And what we're in danger of creating if the worst baddest neighbourhood that you have ever put a toe in. And that there is a danger that people will start to avoid the Internet, because they feel it's such a bad neighbourhood, that it's so dangerous that you put yourself in such peril when you go on-line, that either it will become closed in part. There's now discussions around the world in Russia, and even in Europe that the country should develop their own Internets, sub-sets of the Internet that we can build from the ground up, with for instance, security in mind. The ability to monitor.

"The idea is that a bunch of motivated people could take the power. Take out the telecommunications network, so we couldn't make a phone call. Maybe they would open dams and flood cities. And, release sewage. And leaves the economy at a standstill, essentially. Because without our ability to bank on-line, to make a phone call. To switch on the lights. We're literally in the dark."

Question: What is the worry when you start connecting that stuff?

Answer: The worry is that connectivity is not very well understood. How are they all connected? What are the interdependencies? What happens if a utility goes down? How does that affect another sector? So the concern is that could it go down like a house of cards? How they're wired to each other. There's a lot of studies trying to understand the dependencies.

Question: Are we becoming too connected? Is it smart for a country to put something like a utility company on-line?

Answer: For the longest time companies like utilities, their critical systems were very specialized. They were on separate networks. They definitely weren't connected to the Internet. And specialized people looked after them. But now we're talking about situations where most Networks are run on regular business computers. And they are subject to the same vulnerabilities, the same viruses potentially as the rest of us with our home PCs. And as long as you have an Internet connection, you have the potential there as well for somebody to attack that connection. So it's too late - the genie is out of the bottle. We're not going to stuff the stuff back in. But we're going to have to do a, a lot better job in terms of securing it.

Question: Is there a threat to critical infrastructure in Canada?

Answer: In truth, the Hollywood writers are further ahead than the policy-makers. Even if you look at the latest Bruce Willis movie you have a critical infrastructure attack portrayed in that. When I saw it, the hair stood on top of my head, because I thought there were some elements of that that were quite realistic. They took out the traffic lights, so you had chaos in the downtown. The ultimate goal was to steal a bunch of money. It wasn't really actually to take out critical infrastructure.

But the idea is that a bunch of motivated people could take the power. Take out the telecommunications network, so we couldn't make a phone call. Maybe they would open dams and flood cities. And, release sewage. And leaves the economy at a standstill, essentially. Because without our ability to bank on-line, to make a phone call. To switch on the lights. We're literally in the dark.

I don't believe Canada can separate itself from the risks other countries face. I believe there is a threat. But it's probably overblown. Anywhere you've got something connected to the Internet, there's probably somebody out there who'd like to have a crack at it. But the concern is that it's somebody serious. That it's terrorists. That's the real concern.

"The key thing is that it doesn't feel like they're committing a crime. That's one of the challenges that we have, is you don't have to burgle a place. You don't have to break the door down. You don't have to mug anybody. You may never leave the basement. And you've got a stack of Pita Pockets beside you're away to the races. "

Question: Why is there a sudden demand for this increased security?

Answer: Part of the reason the Internet is so susceptible is the anonymity factor. The connectivity. The dependencies. The fact that one attack resonate around the world in a matter of seconds. So it's the global nature of it. That it can create an enormously complex problem in a matter, in a matter of minutes. But I think one of the reasons we're hearing more about it is because the media have picked up on it. And, and it's affecting people's pocketbooks. I think that's one of the main things. As long as it's a nuisance, it's not such a big deal. But when it affects, affects your pocketbook, then, then you start to sit up and you take notice.

Question: Why doesn't security exist? Why are we patching things?

Answer: Security exists, but the trouble with it is, is that it's a bolt-on after-the-fact. Most of the time the horse is already out of the box. The, we're trying to fix things a bit late in the game. It's only now that we're really trying to design a little bit from the bottom up. So you know, originally people wrote computer code on the fly. Very little quality control. The Internet wasn't built to be secure. It was built to be scalable, resilient. It was not built to include the population of the planet. It was a bunch of nerds sitting around in an academic military setting to commune with people they trusted.

Question: Are there any example of past security breaches effecting infrastructure?

Answer: This is one of the great debates that exists amongst the security people. Everybody's desperately trying to find examples to make their case one way or the other. But in the last week or so, a CIA analyst had a meeting in the U.S. And indicated that they had evidence that outside the U.S. there have been numerous attacks, successful attacks on utilities where extortion was the end game. .They didn't quite know who, they were weren't revealing the countries concerned, who the targets were. But I think we have to take that kind of thing quite seriously. There was an instance in Australia where a guy was fired from his job, I think it was a sewage plant, and remotely was able to open some barriers and supposedly flooded the Hyatt parking lot with sewage or something of that nature. That's everybody's favourite.

A very small number of people can do a vast amount of damage remotely. And the key thing is that it doesn't feel like they're committing a crime. That's one of the challenges that we have, is you don't have to burgle a place. You don't have to break the door down. You don't have to mug anybody. You may never leave the basement. And you've got a stack of Pita Pockets beside you're away to the races. So they don't feel they're doing anything wrong, particularly the kids that are involved in this.

There is evidence that Al Qaida and terrorist groups are doing reconnaissance of utilities. They like schematics. They will pull them off the Web. They have them on their computers. They're very well aware that an attack on a utility or on critical infrastructure could be useful.

"A hacker recently told me that identity theft is a great new career. It has great benefits. Why would you make minimum wage, when you can stay in the best hotels and buy big screen TVs with somebody else's money?"

Question: What is their motivation?

Answer: Most of the time when these guys get grabbed, if and when they get grabbed, it was just for sport. Or their pals. Or they were sitting in their school room in Germany, and somebody annoyed them, so they decided to play a game and write viruses or whatever. So usually they have no clue of what they're doing. And that's why they can be very dangerous. They don't anticipate consequences of what they're doing. They release these things into the wild.

But I think the new people who are attracted to it now it's like I said, you can make minimum wage, or you can make hundreds of thousands of dollars. Never leaving the safety of your living room. So that's enormously attractive, particularly, but not exclusively in countries where you make very, very little. A hacker recently told me that identity theft is a great new career. It has great benefits. Why would you make minimum wage, when you can stay in the best hotels and buy big screen TVs with somebody else's money?

Question: What's the difference between a hacker and an internet specialist?

Answer: Sometimes only a criminal conviction may be the only thing in the difference. An Internet security specialist should be a good person who's employed by an organization to defend their Networks. The original hacker word was a positive one. It meant somebody who liked messing around with code and kind of pushing the envelope, and really was a good phrase. It's only become negative in recent years.

Question: How have hackers fit into the Internet security industry? Is it becoming a more respected profession? This idea of The Matrix, this male teen-age fantasy that the hacker was god, are we going to see one day hackers as rock stars?

Answer: There certainly is a certain maybe romantic mythology around it all. But there's nothing romantic about doing hard labour in a U.S. federal prison so I think the fact that they're starting to do real time has taken some of the glamour out of it. It has real risks now. Also, in some places around the world, parts of the U.S. for instance, parents can be liable for the actions of their kids.

"The concern is that the 'Storm Worm' has created all these compromised computers that in themselves create a kind of an almost a massive super-computer. And that very bad people have control of this. They may be able to do very bad things on a very, very big scale. That's the kind of bottom line concern."

Question: Why is it so difficult to catch these people?

Answer: There's no one central place that you can identify and take down. In the past, you could identify a big computer where this stuff was residing. And if you took that down, they'd have to move it to another server in another country. And you're playing cat and mouse with them. But with a distributed attack, you've got multiple nodes. It's like the way a lot of these terrorist cells like to operate now. In a distributed and anonymous Network. It's like guerilla warfare. It's very difficult to take them down.

The other thing that's fascinating about is how devious they are. And in a way, the security researchers are half admiring how clever it is in that they have built-in defenses. So if somebody attempts to fight back against 'Storm', it goes into a kind of a counter attack methodology, and they can morph into other variants. They're constantly re-writing it. So it's not static. It's distributed. It's dynamic. They are coordinating their code-writing efforts in a way that we would be thrilled to have in the legitimate world, quite frankly. They're developing coding methodologies that are quite remarkable to deliver, this very bad stuff. So the concern is that the 'Storm Worm' has created all these compromised computers that in themselves create a kind of an almost a massive super-computer. And that very bad people have control of this. They may be able to do very bad things on a very, very big scale. That's the kind of bottom line concern.

Question: Seems to me in a medium like the Internet where the crime can be so remote, the national organizations are really powerless.

Answer: We don't have global laws. Internet crime is just another form of crime - it's just a new method for carrying out traditional crimes really. We've had financial fraud as long as we've had market and an economy - back to ancient Rome. It's anonymous. It's remote. And most countries laws are national. In Canada you have different laws in practically every different province and in some cases they conflict. We didn't draft our laws to have a truly international component to them. And criminal laws, in particular, tend to be very nationally-based. What may be a crime in one country may not be a crime in another, for instance. That's a problem.