Amidst all the noise and drama, and considering all the break-ins, disclosures, laws and protective schemes and products, people often ask me: “Are we getting any safer?”
I have been working on software and enterprise security professionally for almost 30 years, so I’ve seen a lot of the history go by: hundreds of serious compromises and thousands of serious vulnerabilities, over a hundred new major tools for the good guys, dozens of major new companies, hundreds of billions of dollars invested. What does it all net out to?
As a baseline for comparison, let’s take the year 2000. We had just gone through one of the largest engineering projects in history — remember Y2K? — and software quality was, for the first time, at least a topic of discussion in board rooms.
- Defensive tools (static and dynamic code checkers; firewalls, intrusion detection and prevention tools; log file integration and search capabilities; Web Application Firewalls; alternative non-password authentication techniques; software development life-cycles based on security, with sound practices and policies) — these are vastly improved. A business with today’s tools in yesterday’s threat environment would have been fairly well off.
- Offensive tools and techniques (vulnerability scanners and probers; SQL injection and other database and web-based attacks; spear-phishing and social engineering, fueled by social media; complex, multi-stage attacks of the Stuxnet class; distributed denial-of-service attacks launched from compromised data center servers and botnets; state-level investment in attack tools and teams) — these have also grown vastly, and have, I think, continually outstripped the defensive tools in range, power, and effectiveness.
- Awareness of the cyber problem is much broader, and I think media coverage may be somewhat more responsible — still fraught with misunderstanding and technical mistakes, but less sensationalistic and more cognizant of the real risks.
BUT FORGET ALL THAT
So there you have three trends. More important than these, though, is a fourth:
- The number and criticality of the functions in our society that depend on good information security have increased, year over year, to such an extent that the overall risk has grown immeasurably.
To sum up: the technical balance of offense versus defense is worse; governmental and commercial awareness of the cyber risk is much better, and the resources committed are climbing every year (which is a good thing, and partly counterbalances the worsening technical state). But the continual move to Internet-reliant technologies and services means that, on balance, we are more vulnerable to cyber attack today than we were at the turn of the century.
We — and you can take “we” to mean any set of good guys you like, for all are in the same boat — are thus demonstrably worse off, more vulnerable, and less safe from cyber mayhem than we were in the year 2000. Sorry for the downer.