% fortune -ae paul murphy

Reactions to threats

The threats I talked about yesterday call for an intelligent reaction - and ignoring these kinds of issues isn't a smart choice.

So what can you do?

It obviously depends a lot on what country you're in - but I see three kinds of actions CIOs and the IT managers who report to them can undertake:

1. repatriate any systems work you've out-sourced to providers whose work isn't carried out by people you can identify and trust. Basically, if you're American, hire Americans - and if you're German, hire Germans.

   It will cost more to do software that way; but, obviously depending on what you have in place, you may be able to achieve net savings by switching to technologies that substitute cheap hardware for expensive manpower. Remember: a current generation 4GL/RDBMS based application will use around four times the hardware per function point per minute compared to COBOL/CICS/DB2 - but Solaris on SPARC has better than a 6:1 cost/performance advantage over zOS on the mainframe and the overall change will let you reduce manpower needs on affected applications by 80% or more relative to traditional data center operations.

   Remember: your million line COBOL masterpeice is hard to maintain in large part because it's so large - but a functionally comparable 4GL package will have a a bunch of system maintained code and only a handfull of program files, each usually in the few hundred lines category. You need smarter people for this, but fewer of them and you can, therefore, afford to spend a lot more to get each one.

   Your situation will be different: but commit to the substitution of cheap hardware cycles for expensive manpower as a key medium term strategy, and you'll find ways to improve your operation while eliminating the threats associated with foreign dependence for development or maintenance.

2. take another long careful look at centralised Unix processing with decentralised IT decision making. Give your users Sun Rays or other business desktops along with direct access to, and control over, the people running their servers and you'll gain lower costs, freedom from daily upgrade and attack panics, happier users, and a much smaller staff - and all the vulnerabilities that go with enormously complex desktop computers processing confidential information or functioning as critical links in more complex systems will just go away.

   If you're like everybody else in the business you've probably got at least ten years of experience with the PC - and your experience isn't any worse than anyone else's: the reason no one succeeds in securing them is that it can't be done: the failure are designed in, and you have no way - absolutely no way - of knowing what's in those things to be used against you when some nut case decides it's time to bring down your company - or trigger a worldwide economic crisis.

   There's a simple bottom line to client-server: if you want desktop security, the PC has to go.

3. take political action - educate everyone you can get to listen: from your colleagues to your political representatives. Make them aware of what's at stake; make them aware how trivial the current "PC Security" nonsense really is compared to what a more sophisticated attacker could do - and get them thinking about political action to safeguard information processing in the democracies.

Oh, and if you think I'm nuts? remember that the freedoms you have are yours to lose, that ultimately everything in the democracies depends on the economy, and that the economy depends entirely on the continued integrity of the key information processing resources you've signed on to protect.