For more than a decade, the task of securing a personal computer, corporate network or internet transmission from hackers has been one the vast majority of people, from chief executives and government leaders to consumers, have tried to foist on others.
That is understandable: the job is complicated, unproductive, and never finished.
But a series of shocking events in the past year and a half -- from the Chinese electronic break-in at Google, to the Stuxnet worm’s stealthy attack on the Iranian nuclear program, to mass breaches of consumer information at Sony and elsewhere -- have forced a broad recognition that despite the hardships, all those using the net must accept cybersecurity as part of their mission.
Chief executives, mindful of the brand damage that a Sony incident could bring and the potential for devastating industrial espionage, are now more likely than ever before to grapple with security issues themselves, according to surveys of their lieutenants.
Cyber intrusions are fast becoming the norm at the world’s most sophisticated companies, including some that have security as their main mission.
A problem this year at RSA, the security company owned by EMC, a data storage outfit, prompted the U.S. National Security Agency to warn that RSA’s 40 million physical tokens with fast-changing numeric passwords should no longer be sufficient to grant access to critical infrastructure.
The breaches are also reaching wider and lower, and not just through one-time assaults on the likes of Sony, which revealed details on 100 million users of its online gaming networks.
Consumers’ computers are increasingly at risk directly from virus infections that are undetected by standard security software and that do more harm than their predecessors.
The fastest-growing type of infection installs software that records keystrokes, including financial logins and passwords, and whisks that data off to overseas gangs that specialise in defrauding banks or in taking over e-mail and social networking accounts to spread more malicious software, known as malware.
“With the end-point security that the average consumer gets, as well as small and medium businesses, they don’t have a prayer”, says Art Coviello, RSA’s president.
Compounding and uniting the threats are two fast-growing phenomena.
The first is social networking, in which individuals give all sorts of clues that can be used against them in phishing scams.
Those services have also trained users to click on shortened web links that could lead to malicious pages.
Targeted e-mails to employees, made more credible by public information about the recipients, are the delivery method of choice for intrusions such as those at Google and RSA.
The second is the rise of mobile devices, which are generally controlled by employees but often have workplace access and are just beginning to be targeted in earnest.
The core problem is the combination of the most open and interoperable network ever designed and the rapid development of more powerful software and devices that take advantage of it.
It is in large part a blessing, of course, and one that is responsible for $10,000-billion in annual transactions.
But various criminal groups, some linked to traditional organised crime, national governments, or both, are taking advantage as well.
They are excellent capitalists, making money from one scam and reinvesting in new research and development to stay ahead of the security profession.
“For every technological or commercial quantum leap, criminals and criminal syndicates have kept pace,” commented Eric Holder, the U.S. attorney-general, this month.
He added: “Cybercrime threatens the security of our systems as well as the integrity of our markets.”
The advances in software and the increasing use of the internet have made defence more difficult, not easier.
“Our defences are in many cases interlinked, and if one of them has a flaw that is all that is necessary for an attacker to get in,” says Eugene Spafford, a security expert from Purdue University, Indiana, who most recently testified to Congress on the Sony breach.
He adds: “We have problems of scale and complexity to deal with, we have problems of time, of finance, of awareness. We have a lot of things going against us.”
The lack of rules that has in large part spurred the growth of internet businesses has left no safety net in security.
Businesses are confronted with a dizzying array of solutions from speciality vendors who offer everything from standard firewalls to cutting-edge “behavioural analysis” that tracks when machines are connecting to new sites or at odd times.
Few offer anything comprehensive, and none guarantees that hackers will not find a way in.
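The “behavioural analysis” mentioned above boils down to two checks: has this machine talked to this destination before, and is it active at an hour when it normally is not? The following Python script is an added illustration, not code from the article or from any vendor it names. It learns a per-host baseline from a constructed set of proxy-style log lines (the host name ws-17 and all destinations are invented), then flags later records that reach a never-seen destination or fall outside the host's usual hour window.

```python
"""Toy behavioural baseline: flag hosts reaching new destinations or active at odd hours."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed proxy-style log lines (hypothetical host "ws-17", invented destinations).
# Format per line: ISO timestamp, host, destination.
SAMPLE_LOG = """\
2011-05-02T09:12:03 ws-17 mail.example.com
2011-05-02T09:40:11 ws-17 intranet.example.com
2011-05-03T10:05:44 ws-17 mail.example.com
2011-05-03T14:22:19 ws-17 intranet.example.com
2011-05-04T11:01:37 ws-17 mail.example.com
2011-05-05T03:17:55 ws-17 cdn.untrusted-example.net
2011-05-05T09:30:02 ws-17 mail.example.com
2011-05-05T10:02:41 ws-17 files.example.org
2011-05-05T22:45:10 ws-17 mail.example.com
"""

Record = Tuple[datetime, str, str]
Baseline = Dict[str, Tuple[Set[str], int, int]]


def parse_log(text: str) -> List[Record]:
    """Parse 'timestamp host destination' lines; skip blank or malformed ones."""
    records: List[Record] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, host, dest = parts
        try:
            records.append((datetime.fromisoformat(ts), host, dest))
        except ValueError:
            continue  # unparsable timestamp: ignore rather than crash the detector
    return records


def build_baseline(records: List[Record], cutoff: datetime) -> Baseline:
    """Per host, learn the destinations and the hour window seen before the cutoff."""
    dests: Dict[str, Set[str]] = defaultdict(set)
    hours: Dict[str, Set[int]] = defaultdict(set)
    for ts, host, dest in records:
        if ts < cutoff:
            dests[host].add(dest)
            hours[host].add(ts.hour)
    baseline: Baseline = {}
    for host in dests:
        lo, hi = min(hours[host]), max(hours[host])
        # Allow one hour of slack either side of the observed working window.
        baseline[host] = (dests[host], max(0, lo - 1), min(23, hi + 1))
    return baseline


def detect(records: List[Record], baseline: Baseline, cutoff: datetime):
    """Return (timestamp, host, dest, reasons) for post-cutoff records that deviate."""
    findings = []
    for ts, host, dest in records:
        if ts < cutoff:
            continue  # baseline period, not evaluated
        reasons = []
        if host not in baseline:
            reasons.append("unknown-host")
        else:
            known, lo, hi = baseline[host]
            if dest not in known:
                reasons.append("new-destination")
            if not lo <= ts.hour <= hi:
                reasons.append("odd-hour")
        if reasons:
            findings.append((ts.isoformat(), host, dest, reasons))
    return findings


def run(text: str = SAMPLE_LOG, cutoff: datetime = datetime(2011, 5, 5)):
    """Learn from records before `cutoff`, then evaluate the rest."""
    records = parse_log(text)
    return detect(records, build_baseline(records, cutoff), cutoff)


if __name__ == "__main__":
    for ts, host, dest, reasons in run():
        print(f"{ts} {host} -> {dest}: {', '.join(reasons)}")
```

On the sample data the 03:17 connection to a new domain trips both rules, the 10:02 connection to files.example.org only the new-destination rule, and the 22:45 mail connection only the odd-hour rule. A real deployment would learn the baseline over weeks rather than three days and would treat a single new destination as a lead to triage, not proof of compromise; the point is that neither check depends on recognising the malware itself.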
Even worse than the fact that companies do not know what to buy is that they often do not want to try.
“You sometimes have perverse incentives that encourage underinvestment in security,” Mr Spafford says. “Sometimes people are evaluated on how much they save in spending, so they try to play the odds: ‘We didn’t get broken into this year, so we’ll postpone the upgrade until next year.’”
New regulations could well bring fresh problems, especially if bureaucrats require companies to install programs that combat the last wave of crime instead of the next one.
But the increased awareness of hacking has finally prompted government officials who eschewed regulation to admit that the free market is not doing the job and to take a more active approach.
In the U.S., the White House put forward a detailed set of proposed laws in May that would help protect critical infrastructure from Stuxnet-like attacks, using analysis based on the biggest risks.
The laws would also require more notifications of breaches and aid private industry more. Days later, the White House pledged to work more closely with other countries to improve their defences and take action against countries harbouring criminals.
The legislative package has a long way to go to get through a divided Congress, but lawmakers in both Republican and Democratic parties agree that more has to be done, and soon.
“Everyone who has a computer or a mobile device that connects to the internet is only going to come under more attacks,” says Harry Raduege, a former head of U.S. military information security who is speaking at the EastWest Institute’s cybersecurity policy summit in London this week.
“What is lagging behind in all of this is the policy, the strategy and approach that government and private industry need to take.”