SHERSTOBITOFF: From a European perspective, we see that the financial community is adopting smart cards. They are adopting a physical end point because the population of users isn’t that high. When we’re talking about Bank of America, how many users do they have? And is the risk to them great enough -- because they have insurance against fraud. They can pretty much write off losses with antifraud insurance. So is the risk great enough to be worth implementing and taking care of the costs of putting in an end-point security technology?
But we’re also seeing that there’s transaction and anomaly detection, which can spot risky behaviors during an impersonation or victimization. It takes multiple factors into account. Where is the user connecting from? Is it his usage pattern to be connecting at 2:00 in the morning? Is he supposed to be paying for a flat screen TV across the country? All those things are aggregated and computed in an overall behavioral profile. Then institutions can apply policies to certain groups of users who have higher risks, and mitigate the associated losses.
I would say in about 18 months, the U.S. will probably be pulled into providing end-point security that involves some inexpensive token that authenticates. But right now, it’s 18 months too early to be thinking about that.
DIFFIE: I note that as you go to tokens, you move controls from the users to somebody else. One of the great virtues of the password scheme is that you can go with somebody over the net, establish a relationship and an identity, assign a password to it, and it’s just between the two of you. You have an equal role in it as opposed to their getting a degree of control over you by issuing you some identifying physical object, needing to know where you are to send it to you, etc.
SADLER: I think there’s a much greater effort in France, Germany and the U.K. to educate small businesses than in the U.S. So despite arguing against education, I think the U.S. probably has to get some basics in place for small businesses here. Also, there’s a much better dialog between academia, government agencies and industry in Europe, particularly in the U.K. and in Germany, than in the U.S. Given that we’re having to marshal resources against bad guys, I don’t think the U.S. shows anything like enough common dialog among those parties. Europe is doing much more to address those kinds of issues.
SHERSTOBITOFF: In the U.S., we haven’t seen a seamless cooperation between law enforcement and industry. We’re seeing task forces emerge in Europe that are dedicated to thwarting cyber-crime. They’re taking an initiative far in advance. But from our talks with the FBI, it is still not there yet in this country. We’re moving toward it, but it’s not 100 percent, whereas they’re all working with each other to federate identification.
LIPNER: Because there are usages and national purposes specific to Europe and the U.S. government, I think that additional standards will be needed. I think they’ll have to be international. Some specific policies nationalize who you rely on, but the underlying technologies and architectures really have to be to international standards.
GILLILAND: Obviously, there’s a ton of different privacy regulations that go on throughout Europe. The way that impacts Symantec is, global companies buy our software and have to configure it differently for the different countries based on their privacy regulations. So being able to manage that is part of it. Companies are trying to figure out how to adhere to some process or some policy framework that allows them to follow as many of the rules as they can.
I think that’s the challenge that we haven’t spent a lot of time talking about here. How do people and companies that have been trying to comply with the privacy regulations prove that they have been doing it?
HEIM: I would say there are plenty of standards out there to comply with. But the fundamental problem is that we’re dealing with compliance and not risk management, and compliance is a relatively static process in the grand scheme of things. Whereas, I think one thing we can all agree on is that the threats are extraordinarily dynamic and evolving all the time. Static protection models relying purely on compliance fail. Compliance needs to be coupled with a more dynamic, risk-driven approach to security.