2010: The Future of Security
After litigation comes regulation. Historically, regulation always follows catastrophe. In 1912, Marconi Co. operators aboard the Titanic were slow to receive the iceberg warnings because relays were jammed by the crush of unregulated amateur wireless users hogging the spectrum. The Radio Act of 1912 followed and, eventually, the Federal Communications Commission was formed. The crash of 1929 begat sweeping financial regulations and gave birth to the Securities and Exchange Commission.
"In the past, IT would have argued that you can’t regulate because information technology is so different," says John. He doesn’t buy it. "They said the same about oil. Sure enough, regulation brought order to that developing industry, and it will do the same here."
We’ve seen this quite a bit recently with HIPAA, Gramm-Leach-Bliley, Sarbanes-Oxley and, most similarly, the Patriot Act, which was a sweeping reaction to an attack that freaked us out.
"What follows regulation?" asks Jeff Schmidt. "Standards."
Internet security could use a lot of those, such as standard vulnerability reporting processes, standard software patches, a single naming convention for alert levels when viruses are discovered, standard secure configurations of software.
"Take any mature discipline and there are standards," Jeff Schmidt says. "If I work in biological handling, I know what a Level 2 clean room is. It doesn’t matter who I work for. Standards will demystify security."
The final phase of the corrective response to the digital Pearl Harbor will be a reformation, a cultural shift toward better, more proactive security. If the first two stages represent our pound of cure, this is the ounce of prevention.
Of course, to have a reformation, you need a Martin Luther, a leader who’s not only willing to push for radical change, but who also has a plan. Perhaps a rebel within Microsoft who sacrifices his career to change the culture and practices he’s experienced firsthand. (Luther, it should be noted, was just such an insider, one who was disgusted by the pope’s practice of generating revenue by selling indulgences, that is, pardons from purgatory.) Or maybe it’s an outsider with a lot of passion for the issue and money to support his cause.
In the case of a security reformation, this leader would borrow from the ideas of experts who already have reformist ideas, like SEI’s Humphrey. Known as the W. Edwards Deming of software, he has implemented and proposed radical changes to the way software is made. Humphrey is unsparing in his criticism of contemporary software security. We’re letting creative artists build bridges, he says, then trying to stabilize them with unlicensed laborers while they’re collapsing.