2010: The Future of Security

Scenario One: After The Storm, Reform

In 2010, information security will be much better than it is today. But between then and now, everything will get inconceivably worse.

There’s no need to imagine a worst-case scenario for Internet security in the year 2010. The worst-case scenario is unfolding right now.

Based on conservative projections, we’ll discover about 100,000 new software vulnerabilities in 2010 alone, or one new bug every five minutes of every hour of every day. The number of security incidents worldwide will swell to about 400,000 a year, or 8,000 per workweek.

Windows will approach 100 million lines of code, and the average PC, while it may cost $99, will contain nearly 200 million lines of code. And within that code, 2 million bugs.

By 2010, we’ll have added another half-a-billion users to the Internet. A few of them will be bad guys, and they’ll be able to pick and choose which of those 2 million bugs they feel like exploiting.

In other words, today’s sloppiness will become tomorrow’s chaos.

The good news is that we probably won’t get to that point. Most experts are optimistic about the future security of the Internet and software. Between now and 2010, they say, vulnerabilities will flatten or decline, and so will security breaches. They believe software applications will get simpler and smaller, or at least they won’t bloat the way they do now. And they think experience will provide a better handle on keeping the growing number of bad guys out of our collective business. Some even suggest that by 2010, a software Martin Luther will appear to nail 95 Theses (perhaps in the form of a class-action lawsuit) to a door in Redmond, kicking off a full-blown security reformation.

The bad news is that this confidence, this notion of an industrywide smartening up, is based on the assumption that there will be a security incident of such mind-boggling scope and profoundly disturbing consequence (the so-called digital Pearl Harbor) that conducting business as usual will become inconceivable.

The Digital Pearl Harbor: What It’s Not

The phrase digital Pearl Harbor was first seen in print in 1991. D. James Bidzos, then president of RSA, said the government’s digital signature standard provided "no assurance that foreign governments cannot break the system, running the risk of a digital Pearl Harbor."

By 1998, the term’s use was reasonably common, a dark, lowering cloud on the horizon of the Internet revolution. Newsweek, in an article from that year, suggested it would come in the form of a "sophisticated attack on our digital workings [which] could create widespread misery: everything from power failures to train wrecks."

Since then, the phrase has become bromidic to the point that former cybersecurity czar Richard Clarke declared that "digital Pearl Harbors are happening every day."

Whether conceived of as rare or quotidian, the digital Pearl Harbor’s definition has remained constant: It’s a computer outage, a big one, a physically and financially damaging one. More recently, it has become a shorthand way to say, "Terrorists will take down the Internet."

In either case, this definition is wrong. Not only is it wrong, it’s not even useful.

"I hesitate to even use the term," says Jeff Schmidt, an elected member of the FBI’s InfraGard national executive board. "It’s come to mean any attack that’s massively inconvenient. But I don’t think they merit the term digital Pearl Harbor."

"We need to distinguish between the mischievous and the malicious," says Darwin John, who served recently (albeit briefly) as CIO of the FBI and is considered one of the godfathers of the CIO profession. "We’ve tolerated the attacks until now because they’re mischievous. The malicious attack will be the one that moves the public consciousness, and it’s so much harder to know what that attack will be."

It’s much easier to know what a digital Pearl Harbor won’t be. Taking down the Internet or ATM networks, compromising the Social Security database, even hacking into the electric grid: Schmidt and others argue that while each event may be part of a digital Pearl Harbor, none qualifies in and of itself. None would galvanize society, spurring it to action.

And it needn’t be a terrorist attack. Open networks coupled with vulnerable software make it more likely that a transformational event will arise from a more banal source, like a motivated group of computer experts, a common thief or, most fickle of all, an accident.

The coming digital Pearl Harbor doesn’t even have to be a single event. Thinking about the nature of disasters, Software Engineering Institute fellow Watts Humphrey consulted nuclear power people. "I talked to one guy who did nothing but review incidents," Humphrey says. "And typically, these kinds of disasters result from a combination of many smaller events that each seem highly unlikely. But they all happen at once to create unforeseeable consequences."

That’s the "Perfect Storm" theory, and what makes an event perfect (in a negative sense) is the apparent lack of relationship between systems in a complex environment. The blackout last August was a Perfect Storm. Random, seemingly unrelated factors (an aging power grid, certain corporate decisions, a heat wave, a history of deregulation and some human errors) all came together to darken a significant chunk of the northern hemisphere.

"That’s how modern systems fail," says Humphrey. "And our networks are so big and fast that things which seem damn near impossible happen every few days."

Not even loss of life necessarily means an event is a digital Pearl Harbor. Three years ago, four Marines were killed after a hydraulics failure on a V22 Osprey plane. They took all the proper measures, but because of software bugs, their plane still crashed. Few even heard of the event, never mind demanded more secure software as a result.

Those scenarios, no matter how dire, didn’t rise to the level of a Pearl Harbor because they failed to inflict significant, collective psychological damage. Before Internet security changes in fundamental ways, we will have to feel as shocked and vulnerable as all Americans did reading the newspaper and listening to the radio on the morning of Dec. 7, 1941 (or watching television on Sept. 11, 2001).

In a sense, this should be obvious. If digital Pearl Harbors were happening every day, they wouldn’t be Pearl Harbors. They’d have a name that conveyed their seriousness, but also their ubiquity and survivability. They’d have a name like "virus outbreaks."

Still, no matter how nebulous the name, we’re hurtling toward what many experts keep referring to, darkly, as the "point."

"The more complex you get, the more vulnerable you are," says Peter Tippett, CTO of TruSecure, a security services company, and noted security expert. Tippett argues that if we simply extend the present situation into the future, the level of complexity and vulnerability we would create will make a digital Pearl Harbor inevitable, and before 2010.

"For seven years, we’ve had these negative events," says Howard Schmidt, vice president and CISO of eBay and former vice chairman of the President’s Critical Infrastructure Protection Board, and, before that, CSO of Microsoft. "And every time there’s an event, it’s called a wake-up call. It’s like those alarms that crescendo to wake you up. We’re getting to that point, where it’s so loud, you wake up."

December 7, 2008: A Moment That Will Live in Cyber-Infamy

The alarm goes off in 2008. Several security experts’ composite picture of a digital Pearl Harbor looks like this (although given that the event is by definition unpredictable, it will, in fact, probably not look like this):

It is global and instantaneous. It is so fast (seconds long) that no one knows about it until it’s over. It does not attack PCs; it attacks the Internet infrastructure (such as domain name servers and routers) and industrial systems connected to the Internet, like utility control systems. It exploits an unknown or little-known vulnerability.

Five factors distinguish the digital Pearl Harbor from the virus attacks we’ve suffered to date.

First, it disrupts backup systems. Fragile networks heretofore have been mitigated largely with backup. Disrupt that and badness follows.

Second, it leads to cascading failures. All of those massively inconvenient attacks people previously referred to as Pearl Harbors pile up. Due to the loss of backup, corporate earnings data is irretrievably lost. This panics Wall Street and destabilizes the financial sector. People run to their banks, but the banks cannot disburse funds; their networks are down. As are the credit card networks and the ATMs.

If you don’t have cash, you go hungry.

Then the lights wink out. Everywhere.

And it begins to get cold.

Panic is a key part of a digital Pearl Harbor. "If you can disrupt the flow of money and resources, that’s where I’d look for incidents to become bigger than what we’ve experienced so far," says Michael Hershman, an international security expert who has worked in military intelligence, and who was a senior staff investigator on the Senate Watergate Committee. Hershman now runs Civitas Group, a security consultancy, with Sandy Berger, the former national security adviser to President Clinton, and Richard Clarke. "Where you see panic and money, that’s where I’d look for a digital Pearl Harbor."

Third, though the attack is instantaneous, its aftereffects linger for weeks. People are hungry. Freezing. The old and the young begin to die. The strong turn against each other.

Fourth, after it’s over, the attack’s origin is pinpointed and the vulnerability it exploited is determined. That’s another element that’s been missing from most recent security events, especially virus outbreaks, and most notably in the August 2003 blackout. Blame has not been assigned; no heads have rolled. No one has even called for heads to roll. No heads can be found to roll.

Last, and perhaps most important, once the source of the event is determined, it’s revealed that the loss of property and life was completely and absolutely and tragically avoidable.

2009: Recrimination, Reconstruction, Reformation

That moment, the exposure of negligence to the public, is when security will start to get better. The senselessness of the incident and the profound losses it leads to will generate outrage.

The first response is litigation. Lawyers will prosecute vendors, ISPs and others based on downstream liability; that is, they will follow the chain of negligence and hold people accountable all along it. Hackers, whether their intent was malicious or not, will be arrested and prosecuted. If the event’s nexus is overseas, foreign governments will cooperate to bring the miscreants to justice.

After litigation comes regulation. Historically, regulation always follows catastrophe. In 1912, Marconi Co. operators aboard the Titanic were slow to receive the iceberg warnings because relays were jammed by the crush of unregulated amateur wireless users hogging the spectrum. The Radio Act of 1912 followed and, eventually, the Federal Communications Commission was formed. The crash of 1929 begat sweeping financial regulations and gave birth to the Securities and Exchange Commission.

"In the past, IT would have argued that you can’t regulate because information technology is so different," says John. He doesn’t buy it. "They said the same about oil. Sure enough, regulation brought order to that developing industry, and it will do the same here."

We’ve seen this quite a bit recently with HIPAA, Gramm-Leach-Bliley, Sarbanes-Oxley and, most similarly, the Patriot Act, which was a sweeping reaction to an attack that freaked us out.

"What follows regulation?" asks Jeff Schmidt. "Standards."

Internet security could use a lot of those, such as standard vulnerability reporting processes, standard software patches, a single naming convention for alert levels when viruses are discovered, standard secure configurations of software.

"Take any mature discipline and there are standards," Jeff Schmidt says. "If I work in biological handling, I know what a Level 2 clean room is. It doesn’t matter who I work for. Standards will demystify security."

The final phase of the corrective response to the digital Pearl Harbor will be a reformation, a cultural shift toward better, more proactive security. If the first two stages represent our pound of cure, this is the ounce of prevention.

Of course, to have a reformation, you need a Martin Luther, a leader who’s not only willing to push for radical change, but who also has a plan. Perhaps a rebel within Microsoft who sacrifices his career to change the culture and practices he’s experienced firsthand. (Luther, it should be noted, was just such an insider who was disgusted by the pope’s practice of generating revenue by selling indulgences, that is, pardons from purgatory.) Or maybe it’s an outsider with a lot of passion for the issue and money to support his cause.
