UK gov't security expert: Balance cybersecurity risks

Governments and businesses face a variety of cybersecurity threats, but they also need to allow for increasing demands from computer users across the globe, the former information security advisor for the U.K. Ministry of Defense said Wednesday.

David Longhurst, who retired this week, called for businesses and governments to take a risk-based approach to cybersecurity by balancing the advantages of new applications and capabilities with the security risks. Too often, Longhurst found himself between the U.K. military, which wanted new networked capabilities, and in-house cybersecurity experts, who wanted no new networking functionality, he said during Microsoft's Security Summit East in Washington, D.C.

"IT security folks don't want to connect anything," he said. "They believe safe sex is no sex."

Longhurst didn't downplay cybersecurity risks as he spoke to a crowd of developers and network security administrators. Protecting the global information infrastructure is one of the top -- if not the top -- challenges for governments, developers and infrastructure providers, he said. It's difficult to fully assess the magnitude of the threat, he said, with IT security experts often saying, "We just have to tell you, it's bad."

But as security threats continue to be a large problem, IT users are demanding increased functionality that supports their business, is easy to use, is reliable and safe, and "makes the coffee in the morning," he said.

Maybe users don't want their computers to make coffee, but IT security professionals can face demands from users who want to access sensitive data from Internet cafes in Beijing, he said.

"They say, 'I'd like to connect to anybody, anywhere, access anything for practically any purpose, at any time,'" Longhurst said. "You could do all this ... if we didn't have a Wild West out there."

Longhurst called on everyone in the IT chain, including developers, integrators and users, to give cybersecurity a higher priority. But he also advised companies and government agencies to weigh the risks of new technology with the benefits to themselves or their customers. "This is a risk-based business," he said. "There are no absolutes in this."

To fully access risk, businesses and government agencies need to hear from IT security experts, from those wanting the new functionality and from engineers who estimate how long any identified problems will take to fix. In some cases, the U.K. government has rolled out new technology even with security concerns, but set a deadline for fixing any problems, he said.

Earlier, George Stathakopoulos, Microsoft's general manager for product security, said the company continues to push security in its upcoming Windows Vista OS. Vista will include several security features, including support for smart-card access to computers, and the Windows Defender scanning tool, he said.

Stathakopoulos called on governments and courts to increase penalties against attackers who are caught. "Right now, you write a Sasser [worm] and get a two-year suspended sentence," he said, referring to a 2005 conviction in Germany. "You may even get a security job."