One of the most effective security countermeasures is a barrier. The walls of our homes protect us from dangers outside. Fortifications protect military bases. And the oceans continue to protect Japan from international dangers.
Unfortunately, on the Internet this is not true. One of the basic tenets of the Internet is that any computer can interact with any other computer. Distance doesn't matter. Notional borders don't matter. The Internet can route data traffic across the planet just as easily as it can route data down the block. On the Internet, the entire planet is your next-door neighbor.
This has important implications for network security because it greatly increases the risks on the Internet. A company can't just look to the motivations, capabilities, and ethics of its real-world neighbors when assessing its risk. A company must look globally, because on the Internet the risks are global.
In the real world, the list of potential criminals that might try to break into--for example--your warehouse in Yokohama only includes those who live near Yokohama, or for whom traveling to Yokohama is worth the trouble. You don't have to worry about burglars from Hokkaido, or European burglars, or African burglars, or American burglars. On the Internet, you do. Your risk is much greater because the number of potential attackers is much greater.
Again, the lack of proximity on the Internet makes it more dangerous. Everyone lives next door to everyone else. A Japanese company lives next door to a Chinese hacker, an organized crime gang operating out of Eastern Europe, and a terrorist cell from the Middle East. Even worse, on the Internet every Japanese company lives next door to every one of these potential evildoers.
Some Japanese companies might try to console themselves by thinking that because they only do business in Japan, they're not an international target. Unfortunately, this is not true either. Many of the attacks on the Internet are attacks of opportunity. The attackers, whether they be ethically-challenged teenage hackers intent on causing damage, criminals intent on stealing credit card numbers or engaging in other financial fraud, extortionists out to break into a corporate network and then demand money from the victim, or worse, often don't care what victim they attack. One corporate network is just as good as another. One database of credit card numbers is just as good as another. This means that companies that skimp on Internet security will increasingly find themselves victims, as attackers target them.
There's a joke in the United States about two people being chased by a bear. "This is hopeless," one says. "You can't outrun a bear."
"I don't have to outrun the bear," replies the other. "I just have to outrun you."
Japan can't afford to be the slowest of the free, democratic, capitalist, and rich countries. It can no longer count on its oceans to defend it. The sooner that Japanese companies realize that they are part of the Internet world, living next door to all potential attackers and racing against the rest of the world to secure their networks against them, the better Japanese companies will be able to compete in the Information Age.
Copyright (c) 2004 by Bruce Schneier.
Bruce Schneier is CTO of Counterpane Internet Security, Inc. and the author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World.