IN MY OPINION
Andrew Plato
Recently, I opened my mailbox to an unsettling surprise: a cellular telephone bill for more than $500. Of course, it was not my phone bill, nor had I made any of the calls it listed. Like millions of other Americans, I was a victim of identity theft.
The irony of my experience is that I am a computer-security professional. I make my living helping organizations secure their information systems from break-ins and theft.
The theft of my identity, like millions of others, was not because my home computer was infected. It was not because I lost a charge receipt. My identity was stolen from a large, multinational corporation's computer database, similar to the recent theft of 40 million credit card numbers from a company in Tucson, Ariz.
When I called the police to report this crime, the officer was blunt about my predicament. He said police get hundreds of identity-theft claims every week, and almost all of them go unpunished. And because credit firms don't hold consumers liable, these crimes are considered victimless.
But there are victims: all of us. Identity theft has become the perfect crime for crooks and drug pushers. With stolen identities, criminals are getting a free ride while the rest of us get stuck with the bill in the form of higher interest rates and expenses.
All crime has two components: motivation and opportunity. People must be motivated to commit a crime and have the opportunity to do so. We cannot do much about motivation, but we can surely do something about opportunity.
It has become far too easy for hackers and thieves to access a network and take what they want. Armed with a home PC and free software tools, anybody with a little technical savvy can break into a network, plant malicious software and walk away with valuable data.
In my line of work, I've seen the data centers for hundreds of companies. I've seen large financial companies that have networks infested with worms and viruses. I've also seen the development of critical governmental systems outsourced to companies that are so incompetent that the systems they built were broken into minutes after being put online.
The fact is, our public and private organizations are ignoring their security problems and by doing so are needlessly creating the opportunity for identity thieves. Security is too often placed at the end of projects as a luxury that never gets implemented.
But information security and privacy is no longer a luxury. It's time for action. Unfortunately, the only way to get action these days is to hit companies and governments where it really hurts: their wallets and the voting booth.
We need to steer purchasing power away from organizations that cannot secure information and toward those that can promise security and privacy. And when data are stolen, there must be accountability. There must be penalties. Class-action lawyers are starting to sue companies for damages in such cases. My firm has already assisted in one such lawsuit. The fear of lawsuits is a powerful motivator for companies.
But we also need to make information security a priority agenda item for our elected officials. Government technology spending is highly flawed, often awarding contracts to incompetent low-bidders, many of which are incapable of handling complex security issues.
Identity theft will continue to go on unchecked until there is a serious effort on the part of public agencies and private companies to make security an integral part of their information systems.
Let's face it: Identity theft is no longer merely an inconvenience. And it is not acceptable for corporations and governments to continue building and using insecure information systems.
Andrew Plato is president of Anitian Enterprise Security, a computer security consulting firm in Beaverton.
Copyright 2005 OregonLive.com.
NOTE: For more telecom/internet/networking/computer news from the daily media, check out our feature 'Telecom Digest Extra' each day at
For more information go to: