[SCENARIO ONE]

After the Storm, Reform

In 2010, information security will be much better than it is today. But between then and now, everything will get inconceivably worse

There's no need to imagine a worst-case scenario for Internet security in the year 2010. The worst-case scenario is unfolding right now.

Based on conservative projections, we'll discover about 100,000 new software vulnerabilities in 2010 alone, or one new bug every five minutes of every hour of every day. The number of security incidents worldwide will swell to about 400,000 a year, or 8000 per workweek.

Windows will approach 100 million lines of code, and the average PC, while it may cost $99, will contain nearly 200 million lines of code. And within that code, 2 million bugs.

By 2010, we'll have added another half-a-billion users to the Internet. A few of them will be bad guys, and they'll be able to pick and choose which of those 2 million bugs they feel like exploiting.

In other words, today's sloppiness will become tomorrow's chaos.

The good news is that we probably won't get to that point. Most experts are optimistic about the future security of the Internet and software. Between now and 2010, they say, vulnerabilities will flatten or decline, and so will security breaches. They believe software applications will get simpler and smaller, or at least they won't bloat the way they do now. And they think experience will provide a better handle on keeping the growing number of bad guys out of our collective business. Some even suggest that by 2010, a software Martin Luther will appear to nail 95 Theses - perhaps in the form of a class-action lawsuit - to a door in Redmond, kicking off a full-blown security reformation.

The bad news is that this confidence, this notion of an industrywide smartening up, is based on the assumption that there will be a security incident of such mind-boggling scope and profoundly disturbing consequence - the so-call digital Pearl Harbour - that conducting business as usual will become inconceivable.

The Digital Pearl Harbour: What It's Not

The phrase digital Pearl Harbour was first seen in print in 1991. D James Bidzos, then president of RSA, said the government's digital signature standard provided "no assurance that foreign governments cannot break the system, running the risk of a digital Pearl Harbour".

By 1998, the term's use was reasonably common, a dark, lowering cloud on the horizon of the Internet revolution. Newsweek, in an article from that year, suggested it would come in the form of a "sophisticated attack on our digital workings [which] could create widespread misery: everything from power failures to train wrecks".

Since then, the phrase has become bromidic to the point that former cybersecurity czar Richard Clarke declared that "digital Pearl Harbours are happening every day".

Whether conceived of as rare or quotidian, the digital Pearl Harbour's definition has remained constant: It's a computer outage, a big one, a physically and financially damaging one. More recently, it has become a shorthand way to say: "Terrorists will take down the Internet."

In either case, this definition is wrong. Not only is it wrong, it's not even useful.

"I hesitate to even use the term," says Jeff Schmidt, an elected member of the FBI's InfraGard national executive board. "It's come to mean any attack that's massively inconvenient. But I don't think they merit the term digital Pearl Harbour."

"We need to distinguish between the mischievous and the malicious," says Darwin John, who served recently (albeit briefly) as CIO of the FBI and is considered one of the godfathers of the CIO profession. "We've tolerated the attacks until now because they're mischievous. The malicious attack will be the one that moves the public consciousness, and it's so much harder to know what that attack will be."