WASHINGTON (Reuters) - U.S. computer systems are increasingly vulnerable to cyber attacks, partly because companies are not implementing security measures already available, according to a new report released on Tuesday.
``From an operational standpoint, cybersecurity today is far worse that what known best practices can provide,'' said the Computer Science and Telecommunications Board, part of the National Research Council (news - web sites).
``Even without any new security technologies, much better security would be possible today if technology producers, operators of critical systems, and users took appropriate steps,'' it said in a report released four months after the events of Sept. 11.
Experts estimate U.S. corporations spent about $12.3 billion to clean up damage from computer viruses in 2001. Some predict viruses and worms could cause even more damage in 2002.
The report said a successful cyber attack on the U.S. air traffic control system in coordination with airline hijackings like those seen on Sept. 11 could result in a ``much more catastrophic disaster scenario.''
To avert such risks, the panel urged organizations to conduct more random tests of system security measures, implement better authentication systems and provide more training and monitoring to make information systems more secure. All these measures were possible without further research, it said.
Investments in new technologies and better operating procedures could improve security even further, it noted.
Herbert Lin, senior scientist at the board, said information technologies were developing at a very rapid rate, but security measures had not kept pace.
In fact, he said, recommendations for improving security made by the panel a decade ago were still relevant and timely.
``The fact that the recommendations we made 10 years ago are still relevant points out that there is a real big problem, structurally and organizationally, in paying attention to security,'' Lin said.
``We've been very frustrated in our ability to get people to pay attention, and we're not the only ones,'' he added.
But he warned against merely putting more federal funds into research, noting that it was essential to implement technologies and best practices already available.
``The problem isn't research at this point. We could be so much safer if everyone just did what is possible now,'' Lin said.
For instance, the report notes that passwords are the most common method used today to authenticate computer users, despite the fact that they are known to be insecure.
A hardware token, or smart card, used together with a personal identification number or biometrics, would provide much better security for the computer system, the report said.
The report urged vendors of computer systems to provide well-engineered systems for user authentication based on such hardware tokens, taking care to make sure they were more secure and convenient for users.
In addition, it said vendors should develop simple and clear blueprints for secure operation and ship systems with security features turned on so that a conscious effort was needed to disable them.
One big problem was the lack of incentives for companies to respond adequately to the security challenge, the report said.
It said one possible remedy would be to make software companies, system vendors and system operators liable for system breaches and to mandate reporting of security breaches that could threaten critical social functions.