Last time, I wrote about "The Sophisticated Adversary," malfeasants so socially and technically superior to you that their attacks have rendered your defences impotent. It was a dark and cloudy bit of columning. So much so, in fact, that I felt compelled to promise a silver lining. I pledged that the next column would discuss ways to "fundamentally shift the game away from the bad guys."
In retrospect, this was a foolish promise. It assumed anyone is interested in combating the information security problem for the common good, at a holistic, architectural level; I don't think that they are. It's not hard to find people who say they are interested; most of them are selling products.
Nevertheless, I spoke with the leaders of several such vendors over the past couple of months. Smart ones, like Shlomo Kramer, who invented the firewall and has now moved on to application security; Bill Harris who took a bad experience with phishing at PayPal and turned it into an anti-phishing startup; Robert Bales, who once founded the National Computer Security Association (which became TruSecure) and is now throwing his energy into an anti-spyware venture; and Scott Charney, CSO of Microsoft.
A couple of points emerged from these conversations. One, the solution hailed by the vendors and by the current administration, namely market forces, has largely failed. And two, a holistic approach to fixing the problem isn't a likely near-term scenario. Heck, even look at the fact that all of these men got into the business of selling fixes to just small slices of the problem — :spyware or phishing and so forth — and not trying to sell the overarching solution.
As Scott Charney said, "The problem is, if you even think about the information security problem holistically, it can be overwhelming. We're talking about a multi-disciplinary issue."
Where does that leave us? It seems that, as things stand, there are only two ways to fundamentally shift the balance of power away from sophisticated adversaries: Regulate and sue.
Regulate: I'm not alone in this. The DHS cybersecurity task force recently deigned to suggest that in some cases, regulation would be necessary to protect critical infrastructure — a shocking statement coming from any group that includes vendors like Microsoft. Charney himself said, "I'm not as anti-regulatory as some." Of course, he's not bear-hugging regs either. Charney says that there are rules for writing good regulations and he (as someone who used to write them) seems open the possibility of using such well-designed government strictures to improve information security. "Assume you can't create perfect security," he says. "We can at least raise the bar."
Sue: Chris Wysopal of @Stake showed me his company's entry into a new generation of application scanners. If they work as advertised (a big if), they could fundamentally improve coding. They can dig into binary and look at flaws in context. Catch bugs during development, but also prioritize fixes and generate executive-level reports. Wysopal was giddy about the market opportunity for his product. All I could think about were lawyers. If a reasonably easy-to-use and widely available tool like this exists, why shouldn't vendors be forced to develop to certain quality levels, or face the consequences of not doing their due diligence?
Now, proving negligence is more complicated than a simple application scan, for sure, but this is an important step. I'll bet that there are lawyers out there now setting up software negligence practices who will no doubt use such tools.
Still, regulation and litigation won't spontaneously emerge. The catalyst, according to these experts and others, will be pain. More bad stuff happening. It reminds me of what one Coast Guardsman said to me when asked how his outfit would get more funding in order to improve the state of port security. It wouldn't happen proactively, he said. It would only happen after people were made to feel insecure. Only after they were affected in a visceral way would they actually take action to fix the problem holistically.
He said: "Ships gotta sink. Stuff's gotta blow up."