Are we losing the security war?

Five years ago, hopes were high that cyber crime could be cracked. Now security experts admit traditional approaches can't keep pace with the growth in malware. What can be done to turn the tide, asks Simon Moores.

A short cyber crime story on Al Jazeera TV on Sunday made me realise that this year's Infosec show in London had passed me by, almost unnoticed. I had missed my annual pilgrimage to the great security bazaar at London's Olympia because I had been speaking at the IDC conference in Milan.

Security from A to Z
Click on the links below to find out more...

A is for Antivirus
B is for Botnets
C is for CMA
D is for DDoS
E is for Extradition
F is for Federated identity
G is for Google
H is for Hackers
I is for IM
J is for Jaschan (Sven)
K is for Kids
L is for Love Bug
M is for Microsoft
N is for Neologisms
O is for Orange
P is for Passwords
Q is for Questions
R is for Rootkits
S is for Spyware
T is for Two-factor authentication
U is for USB sticks/devices
V is for Virus variants
W is for Wi-fi
X is for OS X
Y is for You
Z is for Zero-day

I can't honestly remember how long Infosec has been running. But an observer from another planet might be forgiven for asking why, after all this time, the security industry and world governments between them have failed to deliver any sure-fire solutions for dealing with a global problem - beyond throwing ever larger amounts of money at it.

In time for Infosec 2003, I wrote a Microsoft-sponsored report entitled A Matter of Trust, which, as I'm sure you'll have guessed, focused on the company's Trustworthy Computing initiative.

Five years further into the search for this elusive goal, I'm reminded of one of my comments from that report: "This problem brings us to where we are today, at the beginning of 2003, looking back at a disastrous record of security incidents and exploits and wondering how long it will be before any new approach to the challenge of Trusted Computing can inspire real confidence from those at most risk from the technology."

Back in the distant past of 2003 the threats were different - viruses, spam, hackers, SQL Slammer and so on. The broadband society, botnets and the Russian Business Network were, as yet, largely unimagined dangers.

But billions of dollars were still being spent by individuals and companies to maintain the comforting illusion of security or at least mitigate its more immediate and damaging risks.

Today, I look at my slide deck from Milan and see that we have entire internet relay chat networks controlled by the criminal underground economy, that cyber crime could be almost as big as the value of the global illegal drug trade - no one really knows - and that as many as one billion personal computers - 12 per cent of the world's total internet connected machines - could be hiding malware of one type or another.

Meanwhile, the burgeoning information security business soldiers on and threatens to overtake the Chinese army as the largest employer on earth.

Security experts are having to admit that traditional antivirus scanning approaches are no longer able to keep pace with the growth in malware products, increasingly purpose-designed by sophisticated criminal gangs, with product packers to defeat antivirus signature detection.

Recently, I was passed a copy of an FBI report to the US Congress from 2004, the last declassified year. The report notes that "56 million cyber events took place in the first six months of 2004 up from 500,000 events in 2002" and that one-fifth of suspicious incidents were committed by "foreign state actors in the same year."

Four years is a very long time in internet terms. We know from our own experience how rapidly the many different threats and attack platforms have evolved.

So you'll understand why I discovered in Italy that they are rather unhappy about a series of recent exploits they believe are targeting their large companies for either purposes of espionage, extortion or simply the theft of trade secrets.

It's only reasonable to assume in another five years Infosec 2013 will still be at Olympia but I struggle to imagine how much worse the security problems can become.

Winston Churchill once said: "Although personally I am quite content with existing explosives, I feel we must not stand in the path of improvement." But unlike the Second World War, this is a struggle that we're losing. There is no end in sight and the IT security industry is arguably experiencing an expensive form of denial.

In 2003, I wrote: "The past 12 months have witnessed a worrying escalation in the number of vulnerabilities that can lead to internet-based attacks on organisations and compromise their information infrastructure."

So what's really changed for the better since then? Perhaps I need to wait a little longer, for 2013 and the promised and long-awaited arrival of really trustworthy computing to find out?