Beating the Snoops

    Preparing a conference presentation a few minutes before going onstage is cutting it close for some, but Gordon Mitchell, an information-security expert, wanted to make a point to an audience of skeptics about just how vulnerable they might be. Shortly before speaking to a group of corporate-intelligence specialists, Mitchell, 59, flipped open his laptop, plugged in an antenna and within moments slipped through the back door left open by the unprotected signal of the Seattle conference hotel's wireless network. "I was looking at their firewall from the inside," Mitchell says. "All the things they were using to protect themselves were useless," because he could have deactivated them at will. In the middle of Mitchell's talk — during which he projected in front of the audience his computer screen showing the network's firewall setup commands — one participant leaped from his chair and ran out of the room. "I asked him where he was going," Mitchell recalls, "and he said, 'I'm going to call my network guy.'"

    Information, as any hacker will tell you, wants to be free. From Web-enabled PDAs to wireless networks, new technology is making data freer than ever. But if the data are more accessible to you, they're more accessible to anyone who knows where to look for them. To keep valuable information out of the wrong hands, more businesses are turning to the ancient art of encryption, making security software one of the few growth sectors in business technology. Over the past three years, sales of encryption products have jumped 86%, to $248 million — a figure that will rise to $379 million by 2006, according to the research firm IDC.

    New information-hashing techniques are easier to use and harder to crack. But for all the high math that goes into the jumbling of important messages, hackers and security types alike realize that while encryption is hard, people are easy. All too often, the best-scrambled plans of cryptographers are laid waste by an overworked IT guy who forgot to flip the encryption switch or a lazy user who picked a too obvious password.

    Today, IDC analyst Charles Kolodgy says, encryption is the "plankton" of the Internet: ubiquitous, almost invisible and indispensable. An encryption program that Netscape released for free in 1994 secured $53 billion in online commerce in the first three quarters of this year. As the Internet weaves its way into more devices, so does encryption technology. Sony's PlayStation 2 consoles include encryption software that allows gamers to communicate securely with their online playmates. TiVo television-recording systems receive encrypted software updates without the owner's even realizing it.

    Data-security companies are working on protecting every level of the data chain, from authenticating users to demonstrating when a communication has been tampered with in transit (a task that a sealed envelope performs with an elegant simplicity difficult to achieve in cyberspace). Though email encryption seems the most obvious use, its market, according to IDC, will probably be flat, because there are adequate options, like the program PGP (short for "pretty good privacy"), available free at web.mit.edu/network/pgp.html. Instead, the main drivers of growth stand to come in the areas of database and wireless security.

    The need for heightened database security has been exposed repeatedly, thanks to high-profile thefts of sensitive information. These include the raiding of CD Universe's customer credit-card database in 2000 and the pilfering that year of patients' records from the University of Washington Medical Center. Visa and MasterCard have released guidelines to member banks and online merchants on measures each credit-card company expects them to take to protect card numbers. Congress, meanwhile, has passed laws demanding that financial institutions and health-care companies protect customer information.

    The result has been growth in the market for database-encryption strategies. Established encryption companies like RSA Security and new entrants like Eruces and Protegrity are marketing new products that enable businesses and government institutions to encrypt each data addition separately to prevent hackers from swiping entire databases in a single attack. Some experts say health-care companies and self-insured employers are waiting to see how aggressively the government enforces the penalties for noncompliance with data-security laws. "People we've talked to are waiting until the last minute, because they just don't have the budgets," says Josh Pennell, president of IOActive, a security-engineering firm. "It could be cheaper for them to incur the fine" than to pay $100,000 to $1 million for an adequate information-security system. As things stand today, breaking into health-care databases, Pennell says, "would be a trivial thing."

    An unprotected database can seem like Fort Knox compared with wireless communications. "On a wired or fiber system, there's a physical path that someone has to penetrate. With wireless, the geographic area and the technology to access it are much, much broader," says Noel Matchett, president of Information Security, based in Silver Spring, Md., and a former National Security Agency cryptographer.
