The vast majority of commercial "firewall" protection software - the programs that protect networks from malicious intrusions - is faulty and unsafe, according to the British government agency that certifies computer security products.
The agency, IT-SEC, has certified only two out of more than 100 products on the market as safe. It has not tested all the other firewalls - submission for testing by manufacturers is voluntary - but its experience has shown that, on average, each untested product will have two to three faults before submission and testing. A fault is defined as "an exploitable vulnerability".
IT-SEC deputy head Tim Moore says: "Sometimes a fault in a firewall might not be obvious, but we take it that there are people out there who know very well how to break into systems, and when someone does find out, word gets round very quickly on the Internet. If there is a problem with IT security, you may not notice until it is far too late."
Most worrying of all is the fact that, as IT-SEC certification is voluntary, bad products can be withdrawn from the process halfway if manufacturers do not want to pay the cost of fixing the faults.
This picture of leaky security in the public market comes just as the British government's own intranet (internal network based on Internet technologies) is about to go live. The Government Secure Intranet is planned to link all government bodies electronically for the first time.
The pilot phase of the project began technical testing last week and will go live next month. Ministers are keen to roll out the intranet project to around 40 departments and agencies within six months. It is aimed at generating communication efficiencies, as well as allowing better co-ordination of policy material and exchange of information in such areas as welfare fraud.
The government says its own vital secure networks have never been broken into, unlike the commercial products tested by ITSEC, although the CCTA confirmed recently that attempts continue to be made to breach its defences.