Playing cops and robbers with cybersecurity

By Charles Cooper
17 November 2003 11:40 AM
Tags: interpol, security, service, charles, fbi, secret, cooper, cyberattack
COMMENTARY--If Microsoft's cash bounties convince any hackers to rat out fellow cybervandals, then more power to whoever dreamed up this public relations stunt.

Flanked by some serious-looking guys from the FBI, the U.S. Secret Service and--get this!--Interpol, Microsoft recently announced a couple of US$250,000 rewards to anyone whose information leads to the arrest of the authors behind the MSBlast worm and Sobig virus. This is just the beginning of a US$5 million fund Microsoft will use to buy off informers.

The announcement was good for a photo opportunity and achieved the appearance of movement. Microsoft needs every bit of good news it can muster. After a couple of years being on the receiving end of escalating cyberattacks, management is clearly frustrated by what it now refers to as "criminals," not misguided geeks.

But Microsoft remains far from claiming victory over the anonymous authors whose viruses and worms target the company's software. Instead, it is ratcheting up the rhetoric. The new message is simple: Break the law, and law enforcement will go after the bad guys.

There's just one problem. It won't work--not even if they teamed up J. Edgar Hoover, Eliot Ness and The Shadow. Placing a bounty on someone's head may sound like an effective deterrent, but let's get real. For starters, it's just too reactive. In this standoff, the hackers will always hold the initiative. Besides, does anyone really believe a snitch fund will entice digital sociopaths to turn in their buddies?

So what's the alternative to playing cops and robbers?

Start with the deal worked out earlier this year, when Silicon Valley convinced Washington, D.C., to let it decide how to secure information systems. The so-called National Strategy to Secure Cyberspace calls for the government to work with private industry to devise an emergency response system and reduce the nation's vulnerability to cyberattacks.

The strategy document leaves the initiative for making all this happen to the technology industry. I would have preferred something with more teeth. But at least this was a beginning. Besides, Silicon Valley says it can clean up the mess without any government regulation. Now it has a chance to make good on the claim.

Unfortunately, nine months have elapsed since the Bush administration signed off on the agreement to leave things up to the private sector, and most companies still don't have a clue how to go about implementing the plan.

The Global Council of CSOs (chief security officers), which just made its official debut, is expected to play a big role in helping private companies figure things out. But while they're just getting started, the clock is ticking. All it takes is one major outage--courtesy of organised terrorism or an amateur freelancer--and the pressure to fix the system by hook or by crook will become so overwhelming that heavy regulation and legislation will soon follow.

A lot is going to depend on the performance of the new cyberczar, Amit Yoran, who moved into his job at the Department of Homeland Security a couple of weeks ago. If Yoran is able to provide the necessary leadership, the highly regarded former Symantec executive would send a convincing message to the IT industry that the security problem is finally in good hands.

Talkback 1 comments

    Mr. Cooper,

    You are oh so correct when you state that maintaining the status quo is simply going to leave the attackers with the upper hand. What is worse, is that security best practices tend to also leave the attacker with the upper hand. There has to be a way to change the nature of the game, to put the good guys in charge.

    I believe this can be done, but only if we start with a completely honest view of reality -- not as we wish it could be, but as it really is.

    The reality is that programmers are not capable of writing error free code. We may wish that our programmers be superhuman, but the simple truth is that all people make mistakes.

    We may wish that we could audit our way to vulnerability free software. However, the reality still is that people make mistakes -- more so when performing complex tasks.

    Software will ALWAYS contain vulnerabilities. To think otherwise is to blatantly ignore reality and live in la la land.

    Recognition of this reality leads to the following conclusion: as long as vulnerabilities can be successfully exploited, the attackers will have the upper hand. Period.

    This conclusion is not depressing. It is invigorating, because it spells a way out of the security quagmire. The real challenge is not "write error free code", it is "make it so vulnerabilities can not be successfully exploited."

    This is not an impossible problem. There are a number of different parties (some commercial, some not) working in this area. My company, Cylant, solves this problem on the Linux platform today.

    This is not the only case of ignoring reality in favor of la la land, but it is by far the most egregious with the worst impact.

    We CAN have secure systems. This is not a case of wanting the wrong thing. However, we will only get them if we are willing to tackle reality as it is.

    scottwimer
