2009: Recrimination, Reconstruction, Reformation

That moment - the exposure of negligence to the public - is when security will start to get better. The senselessness of the incident and the profound losses it leads to will generate outrage.

The first response is litigation. Lawyers will prosecute vendors, ISPs and others based on downstream liability; that is, they will follow the chain of negligence and hold people accountable all along it. Hackers, whether their intent was malicious or not, will be arrested and prosecuted. If the event's nexus is overseas, foreign governments will cooperate to bring the miscreants to justice.

After litigation comes regulation. Historically, regulation always follows catastrophe. In 1912, Marconi operators aboard the Titanic were slow to receive the iceberg warnings because relays were jammed by the crush of unregulated amateur wireless users hogging the spectrum. The Radio Act of 1912 followed and, eventually, the Federal Communications Commission was formed. The crash of 1929 begat sweeping financial regulations and gave birth to the Securities and Exchange Commission.

"In the past, IT would have argued that you can't regulate because information technology is so different," says John. He doesn't buy it. "They said the same about oil. Sure enough, regulation brought order to that developing industry, and it will do the same here."

We've seen this quite a bit recently with HIPAA, Gramm-Leach-Bliley, Sarbanes-Oxley and, most similarly, the Patriot Act, which was a sweeping reaction to an attack that freaked us out.

"What follows regulation?" asks Jeff Schmidt. "Standards."

Internet security could use a lot of those, such as standard vulnerability reporting processes, standard software patches, a single naming convention for alert levels when viruses are discovered, standard secure configurations of software.

"Take any mature discipline and there are standards," Jeff Schmidt says. "If I work in biological handling, I know what a Level 2 clean room is. It doesn't matter who I work for. Standards will demystify security."

The final phase of the corrective response to the digital Pearl Harbour will be a reformation, a cultural shift toward better, more proactive security. If the first two stages represent our pound of cure, this is the ounce of prevention.

Of course, to have a reformation, you need a Martin Luther, a leader who's not only willing to push for radical change, but who also has a plan. Perhaps a rebel within Microsoft who sacrifices his career to change the culture and practices he's experienced firsthand. (Luther, it should be noted, was just such an insider who was disgusted by the pope's practice of generating revenue by selling indulgences - that is, pardons from purgatory.) Or maybe it's an outsider with a lot of passion for the issue and money to support his cause.

In the case of a security reformation, this leader would borrow from the ideas of experts who already have reformist ideas, like SEI's Humphrey. Known as the Edward Deming of software, he has implemented and proposed radical changes to the way software is made. Humphrey is unsparing in his criticism of contemporary software security. We're letting creative artists build bridges, he says, then trying to stabilise them with unlicensed labourers while they're collapsing.

Included in Humphrey's blueprint for a security reformation are new software development processes that change the governance and structure of software engineering to favour security. Called Team Software Process (TSP) and Personal Software Process (PSP), they entail a fundamental shift in software development practice from the regular army model - top-down command - to a special operations model wherein a small group is given objectives and let loose to fulfil them. "I want the technical community to become professionals," Humphrey says, "to say: 'This is how we do our job.'"

TSP and PSP have already been found to reduce coding errors by factors of up to 10 or more. Microsoft tried it and reduced bugs within a 24,000-line program from more than 350 to about 25.

Humphrey also has conceived of even more radical changes, including a software engineering curriculum modelled on medical school, complete with professional internships.

A full-blown security reformation would mark a triumph over the "tragedy of the commons", the dilemma that bedevils Internet security today. A principle in ecology, the tragedy of the commons states that individual short-term benefit trumps collective long-term benefit. That is, I will let my sheep graze on the commons to increase my personal wealth even if it contributes to the degradation of the commons as a whole.

In security, individual companies make, buy and deploy software to gain a competitive edge, even as the networking of that software degrades security for everyone. There's no incentive for any single company to improve security for everyone, especially if doing so threatens the company's competitive position and wealth.