As computer viruses multiply, so do software remedies. Managers suddenly awake to the danger; is our system safe?
| Boston
``They're coming up all over,'' says Harold Highland. ``The same way toadstools grow on rotted wood after a storm.'' With names like Antidote, Data Physician, Flu Shot 3, Novirus, Vaccine, Vaccinate, Viralarm, and VirusSafe, you can't help getting the message. These software products (and many others) are being touted as new remedies for an old problem: computer insecurity.
``I've got 20 in hand that I've tested,'' says Dr. Highland, editor in chief of Computers & Security magazine. ``I just got another seven from Germany and England, and another three or four'' from the United States. That makes 31 antivirus software products he has seen in the past 11 months.
Highland is pioneering a sort of Consumer Reports for computer security software. The service is sorely needed, he says, given the sudden proliferation of software that claims to keep a specific type of program called a ``virus'' from invading computer systems.
A computer virus is a program designed to be introduced illicitly into a computer system, and to survive on its own inside the machine without outside help from the person who made it. The idea is for the program to sneak in undetected, blend subtly with data in the system, all the time multiplying and spreading into computers linked to it.
Like its biological equivalent, the computer virus is meant to cause problems: to destroy or make computer data unusable, to take over control of a computer, to overtax its memory space by multiplying rapidly, or all of the above.
To control this threat (which surfaced during the last two years, but which has only been widely reported in the past year), antivirus software products have been quickly developed - though not quite fast enough to keep up with the appearance of new viruses.
Among the many infamous viruses popping up unexpectedly to destroy data or clog university, personal, and occasionally business computer networks are the Hebrew University Virus, the Pakistani Virus, the Macintosh Virus, the Lehigh Virus, and the IBM Christmas Tree Virus.
Last December, an attractive picture of a Christmas tree with an attached well-wishing message was transmitted worldwide through IBM's V-Net electronic mail network. But the pretty picture had an ugly twist, and turned out to be an out-of-control virus, a sort of electronic chain letter that multiplied itself and sent copies of itself to users. IBM's massive system was overloaded within hours.
As concern has risen, sales of computer security software at Codercard Inc. of Santa Ana, Calif., reportedly rose 25 to 30 percent in recent months for some security companies. Personal computers appear most vulnerable, and are likely the biggest potential market for security programs.
The antidotes, however, are often cumbersome and expensive, and some don't work with the computers they are supposedly designed for.
None are necessarily effective in detecting or stopping new virus varieties constantly being cooked up by computer criminals and hackers.
This means a company or individual may spend from $30 to $2,000 per computer for protection, but still get protection only against the particular virus the antidote was designed to fight or detect.
Despite such limits, says John McAfee, director of the Computer Virus Industry Association based in Santa Clara, Calif., 18 companies are already members of his young association. Some of them have multiple anti-viral products, although for many companies a single anti-virus program is their only offering. Mr. McAfee counts at least 40 anti-virus products on the market - all but three of them making their debut this year.
McAfee's association reports 311 confirmed virus incidents on its logs so far this year. About 30 percent of the incidents were reported by industry, the rest from universities and individuals.
McAfee says a range of establishments have been hit, from big defense contractors, to medical office computers, to even the Mormon Church in Chicago, whose computer holds the church's membership list.
So far, no comprehensive national statistics on computer crime exist. In part this is because many incidents go unreported. Companies, especially those that rely heavily on computers and software, are afraid customers will lose confidence.
Apparently adding to all the attention was 23-year-old Robert Morris, the Cornell graduate student whose alleged illicit computer experiment gone awry helped boost the market for anti-virus products. America's top corporate managers, many of them only dimly aware of computer security needs, awoke with a start last month after newspapers reported that Mr. Morris had allegedly unleashed a virus-like computer program on a military/research computer network a few weeks ago.
Whether it was the headlines, or simply the catchy word ``virus,'' something struck a chord with management. The ``virus'' was later relabeled a ``worm'' - the difference being that it did not destroy files but only overtaxed the network. Still, phones began ringing with the boss on the line. Was the company computer safe?
``It finally got through to the senior management,'' says John O'Mara, executive director of the Computer Security Institute in Northborough, Mass. ``People are being asked for the first time, `What is our status? Can we protect ourselves?'''
This was one of Mr. O'Mara's discoveries when his organization, which represents more than 3,000 corporate and university computer security specialists, met recently in Florida. Having become used to management's denying funding requests for added security measures, many professionals reported their bosses uncharacteristically ``are asking the right questions,'' O'Mara says.
The market for all types of computer security hardware and services will grow from about $500 million in 1988 to more than $1 billion, estimates Lawrence Dietz, an analyst at Coin Financial Systems in Norcross, Ga. The market is still not very big, relative to the investment in computers, and no dramatic growth is expected.
``One of things management does poorly is dealing with problems, like a virus, which have very low rates of occurrence but high consequences,'' says William Murray, a computer security specialist with Ernst & Whinney, the accounting firm.
For that reason, management is expected over the long haul to continue treating computer security the way it does accident insurance - with only as much funding as is necessary. Despite a short-term surge in spending, Highland and some computer security experts believe awareness of the computer virus problem is ephemeral.
``After your teeth chatter for 30 days, you go back to the old ways of thinking,'' Highland says. ``You're aware of the problem but it didn't hit you.'' Others agree.
``I think it will be over within months or shorter because some new `crimoid' is going to take its place,'' says Donald Parker, a computer security expert at SRI International.
A crimoid, by Mr. Parker's definition, is a computer crime fad. He cites other such fads, including software piracy (peaked in 1985); hacking via automated phone calling by computer (peaked in 1984); phone toll fraud (peaked in '77-78).
Hacker techniques that include exotic names like superzapping, data diddling, salami slicing, logic bombs, and Trojan horses are all variations on a theme that spell trouble for computers, individuals, and companies that use them. Parker, however, says the virus will join their ranks as it peaks, then fade slowly away. Computer criminals will go on to new fads, and the anti-virus product market will dry up, he predicts.
Others, however, are not quite so sanguine.
``The hackers are not going to put this away because it's a seductive technology,'' McAfee warns. ``They talk about things like giving birth, creating life, and playing God. This is literally what these hackers feel like when they write a program. They're not going to give it up.''
John Williams, who runs a mail order software business from his home in New Mexico, also finds it reasonable to sell copies of the Pakistani Virus, also known as the Brain Virus, for $50 a copy. He has sold about 100 copies so far, he says.
``Of course we don't know what happens to the virus after we send it out,'' Mr. Williams says. ``But it's important for people to understand how it's formed.''
While Williams says he makes an effort to sell the virus only to ``legitimate'' users, others say that selling computer viruses is patently irresponsible.
``I don't think anybody should sell viruses. Period,'' says McAfee. ``I find that grotesque.''
Says Highland: ``They should be treated like machine guns - you don't sell them and you don't give them away.''