As Internet Booms, So Do Hacker-Proofing Measures
NEW YORK — James Bond surely wouldn't know what to make of Ira Winkler. Mr. Winkler is also a supersleuth, but of a late 20th-century breed. His specialty: chasing down computer hackers, not mysterious agents in trench coats driving expensive cars.
Winkler, who is head of computer-security strategies at the National Computer Security Association (NCSA) in Carlisle, Pa., advises companies on how to protect themselves against illegal penetration of their computer networks by hackers - not only cyberspace hotshots trying to break into computer lines from outside a company, but employees trying to penetrate off-limits systems from within their companies.
Winkler's aim is to help companies build impenetrable "firewalls" around their computer systems, a task especially important now that more companies are hooking into the Internet. A link with the global computer network, he says, can open up a company to new types of unauthorized entry by outsiders.
Winkler is at the forefront of a relatively young and growing industry in the United States. The computer-security industry is on the verge of expanding into a major presence in the high-tech sector, industry experts say. According to the Computer Security Institute, an information firm based in San Francisco, investments in Internet-security systems are expected to grow from $1.1 billion now to $16 billion in 2000. Firewalls, or anti-penetration systems, are expected to grow by over 170 percent annually through 1999, according to CSI.
The technical side of the industry "is now moving very fast," says Richard Powers, editor of the Computer Security Alert, a monthly newsletter published by CSI. Creating "firewalls" is only one part of the emerging industry, he says; other corporate strategies include encryption (coding) methods, and use of "smart cards" that authorize users of a computer system.
Currently, 50 or so companies provide firewall programs, whether complete security systems or more specialized software programs. Several large firms are included - IBM for example. But most of the companies providing total security systems are medium-size or small firms such as Trusted Information Systems (TIS) in Rockville, Md., Checkpoint Software, an Israeli-owned firm located in Redwood City, Calif., Secure Computing in Roseville, Minn., and Pilot Network Services Inc., in Alameda, Calif.
Of the roughly 50 companies, only a handful "offer full firewall systems," says Fred Avolio, vice president of marketing for TIS.
A few of the firms are publicly held, or are planning to make a public share offering. Secure Computing and Checkpoint Software are both listed on the Nasdaq market. But most security firms are privately held companies backed by venture capital. One example: Pilot Network Services, with 50 employees. Established in 1993, the firm has grown more than 400 percent in sales, company officials say.
Pilot offers external-security programs - creating firewalls against hackers from outside the company. But the company will soon start to offer internal programs as well, says Marketta Silvera, president and CEO. Pilot's clients include Hitachi America, GE Capital, 20th Century Fox, Clorox, and Mattel Toys.
Secure Computing also offers firewall programs, and "plans to begin encryption programs this summer," a spokeswoman says.
Winkler stresses that as yet there is no foolproof firewall protection against hackers. The reason, he says, is precisely because so many of the incursions are internal. Sometimes it's disgruntled employees trying to gain access to proprietary information. In other cases a bigger menace is involved: industrial espionage, where outside firms link up with employees from within to ferret out valuable information.
"In excess of 80 percent of the [overall computer-security] problem is from within" companies, Winkler says.
According to a CSI survey, 1 in 5 Internet sites suffers some type of security breach. Almost 40 percent of the Net sites do not even have a security firewall system. Moreover, even after firewalls are established, hackers still seek to penetrate security systems.
Winkler says there could be anywhere from 25,000 to 50,000 hackers seeking to break into corporate systems. In most cases, he says, "they exploit very simple lapses" in security, yet can come away with massive amounts of information.
This very torrent of illegality, he says, provides the underpinning for what promises to be an expanding computer-security industry in the US and worldwide.