ALKHOBAR, 18 June — It doesn’t look like the situation for Internet users is going to get much better anytime soon. The Ministry of Commerce has only recently completed the final draft of proposed e-commerce legislation. It will be at least another year before it is passed and put into practice. A national IT plan is also more than a year away. Many readers have asked me for something that they can do to rapidly improve their Internet experience. My No. 1 choice would be to get a satellite Internet connection. However, since that is both expensive and illegal here in Saudi Arabia, we must consider something else.
Choice two is really a no-brainer. Write to your Internet service provider (ISP) and the Internet services unit (ISU) at King Abdul Aziz City for Science and Technology (KACST) and demand that effective immediately all e-mail relayed through local ISPs must be scanned for malicious code. It has troubled me for a long time that free e-mail services such as Hotmail and Maktoob check all incoming e-mail for viruses, worms, etc. Yet, the ISP that collects good money from me for Internet access, does nothing to prevent my computer from being attacked by every bug on the planet. In the past, when I have mentioned this subject to the management of various local ISPs, they told me that no one was interested in their mail being scanned for malicious code. Strangely, every individual I’ve spoken to would love to have their mail scanned for destructive attachments. The bottom line is that the ISPs claim that antivirus protection is a value-added service and they aren’t going to provide it unless forced.
Take five minutes and send the following message to the ISU at KACST:
“Anti-virus protection is a necessary part of e-mail management, not a luxury. Please help individuals and small businesses by reducing the misery currently being caused by the proliferation of malicious code and bring the e-mail services of the Saudi Internet up to par with global free e-mail services. Mandate automatic antivirus scanning by local ISPs.”
The e-mail for the ISU at KACST is: [email protected]. Complaints about the service quality of local ISPs can also be lodged at the ISU by telephone (01) 481-3922 or Fax (01) 481-3254.
Gulf Hill and Knowlton has released the results of its 2002 IT Director’s Survey. The primary conclusion of the survey, which was conducted among 60 IT directors throughout the region, is that “there is a major gap between what IT vendors in the Middle East preach and what they practice. IT companies in the Middle East fail to use the web effectively.”
According to the survey, the web was identified as the primary initial source of information by 75 percent of respondents but leading international vendors offer, at best, a second rate version of the facilities available to customers elsewhere in the world. Basic information such as regional availability of products, pricing, specifications and contact details are, according to those surveyed, among key requirements missing from most regional sites.
“The pages of the region’s newspapers and trade media are full of vendors talking about the impact of the digital revolution and the importance of e-business,” said James Mullan, head, Technology Group, Gulf Hill & Knowlton. “At the same time, however, very few of them are acting on their own words. The irony is not lost on their customers in the Middle East.
“It’s obvious from these responses that the quality of communication has a direct effect on whether companies will do business with particular companies. Vendors should be aware that poor communication makes a difference to their bottom line.”
Frankly, anyone who regularly peruses the Middle East sites of international IT vendors could have come to the same conclusion as that found by the GHK survey — without the expense. But perhaps it’s nice to have some validation.
Where we really need some validation too, is on the claims being put out by various IT vendors about their services. Comparing IT hardware is relatively easy. Just look at such factors as features, warranties and pricing. Valuing an IT service is much tougher, especially in an emerging market.
In one particular IT service area, network security, there is now a proliferation of questionable information buzzing around. It’s a pity, but until recently in Saudi Arabia, network security wasn’t taken very seriously. Now, local companies are trying to determine their network security needs and it isn’t a straight forward process even under the best of circumstances. This corporate ignorance combined with a lack of local talent is creating an environment where dozens of companies are setting themselves up as “experts in network protection.” The only thing certain about the current situation is that in a very short while there are going to be a whole bunch of unhappy local companies who have paid a lot for ineffective network security.
Many local business and computer magazines are carrying articles about network security because it’s a hot topic. What I’ve noticed though is that those articles are backed up by ads. Does anyone really think that a publication is going to write the truth about a network security vendor, when that same vendor has taken an expensive ad in support of the article? Plus, if it’s tough to find local network security experts, how many journalists are there in the Middle East that know enough to write an article about network security without being fed information by the IT vendors?
Most journalists depend on press releases as the basis for their stories on network security. I was sent some amusing releases by a company called ComGuard. The first release tried scare tactics. It shouted, “ComGuard Executive Speaks Out on Immediate Threats; Suggests Balance Between Technology (and) Enforced Manual Policies.”
Statements in the release read: “The Arabian Gulf States are under threat of being attacked and violated by cyberterrorists located anywhere in the world, and the threat increases with each passing day because technology is not sensitive enough to prevent terrorism from striking deep into the heart of a government’s most sensitive data,” said Herbert Kamensky, managing director, ComGuard.
Kamensky added, “Everyday, intrusions take place despite the presence of firewalls; theft of trade secrets takes place despite the presence of encryption; and Internet abuse flourishes despite corporate edicts against it. The Gulf States must deploy the world’s latest IT security technology, while also employing world-class manual procedures that significantly mitigate the possibility of both internal and external threats.”
Pretty scary stuff, right? The spin on this story was so bad that I felt dizzy just reading it. I had to clutch my firewall to get my perspective back in balance. The reality here is that hackers and their assorted like, now called “cyberterrorists,” have been out there ever since the Internet existed. For years the Gulf States have been “under attack.” This is nothing new.
However, Kamensky’s assertion that technology must be linked to manual oversight was right on target. Even though the release was a bit over the top, I felt heartened that this vendor was working to offer a respectable service. That’s until I saw the next release ComGuard put out in the market this week.
The release was full of typical PR trash. There were phrases like global leader, finest, best in the world, and globally proven. Interestingly, there was absolutely no evidence of international certifications or international awards to substantiate the use of such superlatives in regards to the ComGuard service.
In its second release, ComGuard, which had previously advocated the use of technology coupled with manual procedures, suddenly started promoting a network reliability assessment that would for the most part be done through the use of automatic scanner technology based at a remote site. For the record, scanner technology is nothing new. Also for the record, the largest Saudi enterprises will not even consider having such devices used on their networks from a remote location.
Network reliability assessed through scanners generally provides a false impression of security. That’s because scanners can only identify known vulnerabilities in a known environment. Any time a network takes a walk on the wild side, perhaps through the use of a customized solution or nonstandard configuration, the scanners are out of their league. That’s when network assessment on site by a suitably skilled human becomes essential. Network security is more than just plugging in firewalls and slapping on patches. Effective network security requires that a network functions in a manner that unites best practices with business needs, and as of yet, only a real live person can make such a determination.
Anyone who thinks I’m just spouting off here, drop me a note and I’ll arrange a meeting with someone I met recently. In the business, this guy is called a white-hat cracker. He’s currently making his living by flying into the Kingdom and taking down hardened networks. Those are networks, which are deemed to have adequate security. If the cracker can’t take the network down, he doesn’t get paid. Lately this guy has been chuckling all the way to the bank. Saudi Arabia is a paradise for network security stupidity.
Please, please, get it in your heads. Network security is a process, not a product. And it’s a constantly emerging process. Where is network security headed? On June 4 at a gala awards ceremony in Washington D.C., special recognition was given to some of most innovative applications of information technology.
The ComputerWorld Honors Program (cwheroes.org), founded in 1988, spans the globe and recognizes those who show vision and leadership as they strive to use information technology in innovative ways across 10 categories: Business and Related Services; Education and Academia; Environment, Energy and Agriculture; Finance, Insurance and Real Estate; Government and Non-Profit Organizations; Manufacturing; Media, Arts and Entertainment; Medicine; Science; and Transportation.
“Recipients of the ComputerWorld Honors 21st-Century Achievement Awards represent those organizations whose use of information technology has been especially noteworthy for the originality of its conception, the breadth of its vision, and the significance of its benefit to society,” said Daniel Morrow, executive director of the ComputerWorld Honors Program.
Silent Runner, Inc., received the 21st-Century Achievement Award from the ComputerWorld Honors Program for visionary use of information technology in the category of Business & Related Services. Silent Runner Software, which was in development for five years using funds from Raytheon Corporation, allows constant monitoring of complex network events alerting companies to potential misuse or theft of data “from the inside,” and complementing technologies such as firewalls that protect from the outside. A case study on Silent Runner and comments on network security from Jeff Waxman, president and CEO, Silent Runner, Inc. are available at cwheroes.org.
Also don’t miss the essays written by finalists in the area of Education and Academia, who contemplate how information technology has benefited their category of endeavor, and where they hope this benefit will lead in the future.
The winner of the 21st-Century Achievement Award from the ComputerWorld Honors Program for visionary use of information technology in Education and Academia was the African Virtual University. AVU was set up to respond to the desperate need for higher education in sub-Saharan Africa. AVU has partnered with learning institutions in North America and Europe using technology-based distance learning techniques to provide learning resources to 15 African countries. Perhaps they could teach us in the Kingdom something new. Click to the case study at www2.cwheroes.org /[email protected]?id=170.
***
(Comments to [email protected].)
