Last Wednesday, the world's largest stock exchange went down for half a day, the world's fifth-largest airline grounded its planes for a few hours, and The Wall Street Journal's home page went missing, all within a few hours of each other.
No wonder speculation was rife that a large-scale cyber attack was under way. But by the end of the day the Department of Homeland Security had declared unequivocally that this triple threat was merely a coincidence -- random outages that happened to fall on the same day. I believe it.
Part of the reason I accept this explanation is because the damage was so minimal. A coordinated, widespread cyber attack that went far beyond last week's mini-debacle could be executed at will by any hackers seeking to make a great big point. It would not take uber-skilled hackers to accomplish. A few kids could do it using readily available hacking tools to target the abundant vulnerabilities nearly every company decides to live with as a part of the cost of doing business.
Our state of insecurity
When you read a news headline about a company that was hacked on a particular day, don't think that company was the only one. In fact, nearly every company is either currently hacked and owned or could easily be hacked and owned with minimal effort. The headline should always read, "X company was hacked today, along with every other company."
Yes, I mean every company -- except for (literally) one or two that have implemented proper defenses. Even companies that have been thoroughly and publicly owned and have spent millions of dollars on security in response are still easily hackable.
Few companies are doing what they need to do fast enough. Worse, few companies are concentrating on the right elements. Prompt and consistent patching of all software and educating employees against social engineering would remove the majority of security risk in almost all organizations.
When I share this view with the executives at the companies I consult for, I'm often told, for example, it's not that simple.
True, patching can be complex. But many companies don't even own software that can patch the most exploited software programs -- which today appear to be unpatched Java and Adobe software. Alternatively, they have the right patch management software, but fail to patch the most abused programs, which can be found on nearly every computer.
Moreover, I can tell you from experience that nearly every company has weak passwords that haven't been changed since the system was installed. Nearly every company has employees that can easily be socially engineered out of their logon credentials. Nearly every company allows all employees to install anything they want.
As long as this lax state of affairs persists, almost any group can cause a digital Armageddon. It may not have happened last week, but it can still easily come to pass.
The big security fix
How do we remedy this ridiculous state of affairs? For starters, we need to restructure the Internet so that anonymity is replaced with high-assurance, pervasive identities. As long as cyber criminals can get away with their transgressions, we will never decrease Internet crime. We need to enforce new requirements on the existing Internet.
We don't need new protocols or technologies to make this happen. We already have all the tools and technology we need for pervasive identity to become a reality. But we need agreement on the bare minimum requirements for all Internet transactions -- and to enforce those requirements.
Some folks reject the idea of pervasive identity becoming the rule on the Internet. I get that. Personally, I think the solution is to fork the Internet into sections that require or don't require pervasive identity. If you don't want to use pervasive identity, that's fine. But don't interact with me or all the other people who want to work and play on a more secure Internet. You have your place and we'll have ours.
Ours will be a lot less stressful. We'll spend far less time getting rid of malware and ignoring the constant onslaught of spam and other malicious or bothersome problems that currently plague the Internet today.
Lastly, whether or not pervasive identity takes hold, all companies should look at the ways they've been successfully attacked and fix these issues first. This sounds self-evident, but most companies don't do it. Instead, they spend money to fix bugs that sound like severe risks but aren't. Improving security doesn't take more money, only a shift in resources to the appropriate items.
I'm going to do my part. Here and in every other place where I have a voice I'll continue to raise the alarm. We can make the Internet a significantly safer place to compute. We simply have to do it.