Issue No. 01 - January/February (2011 vol. 9)
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2011.17
John Viega , Perimeter E-Security
Average computer users probably feel more secure than they might have a decade ago, but in fact, they're likely far less secure. Although security technology has come a long way, threats have moved a lot faster.
Today, the "bad" guys make hundreds of millions of dollars a year without most people noticing. They can target even the most knowledgeable and careful industry experts with tricks such as polluting ad networks with attack code that exploits browser vulnerabilities. Because the ads are served by third-party networks, the reputation of the site you visit offers no protection: even if you limit your browsing to highly reputable sites like CNN or Facebook, you can still become infected. Malware is expert at hiding itself, and people aren't aware that they're infected, even as the malware silently uses their machines in money-making schemes such as click fraud, spam delivery, and more.
The problem isn't just underground criminal activity. Governments regularly exploit vulnerabilities in software, usually for intelligence purposes. Although governments have a strong incentive to secure their own software, they'll hold some security bugs close to their chest so that systems run by others can be penetrated. Whether or not governments help, the lesson of the past decade is that even as technology keeps improving, we will never get all the security problems out of our software, and industry doesn't have the incentives to make investments big enough to accomplish that.
Ten years ago, the popular press frequently reported on computer security, with the media giving lots of attention to Code Red and Nimda worms. Today, the problem is far worse, and attackers are much more sophisticated, but the general public seems to think the problem is a non-issue in the same way the Y2K bug seemed to be. The media still reports problems, but the apocalyptic undertone of a decade ago is mostly gone.
Most people do worry about identity theft, but they seem to worry less about it than they did a few years ago. Despite millions of data records being lost, there have been far fewer horror stories than the average person anticipated. The past decade's press accounts led people to believe that everyone would know several people who had their credit ruined or who owed money for purchases they never made. I don't think this has actually occurred, and financial institutions have generally been helpful when it does. So again, we've become complacent because the reality seems much rosier than the uncertainty that fed our fear when the threat was new.
Complacency is higher today for several other reasons, too. Antivirus software is broadly deployed, and spam filters keep the annoyance level down. The bad guys have also learned to keep a low profile, partly because they're professionals with economic objectives rather than amateurs seeking notoriety. What we do know is that the bad guys are pros, and sometimes even government sponsored. So the threat has gotten bigger and scarier, while the general public has been lulled to sleep.
But some people do realize there are still risks. IT security budgets are up tremendously, even if a lot of the money is ill-spent complying with standards that don't do enough to protect against attackers. Although regulatory standards such as the Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley, and the Federal Information Security Management Act (FISMA) provide a minimal level of protection, security technology vendors are more focused on tools to manage compliance than innovation to soar above that minimal bar.
All in all, the security world is much more interesting than it was 10 years ago. First, the stakes are higher, because the Internet has become a critical part of many people's lives and of many businesses' plans. Second, security technologies have started to show a lot of promise, and we're just beginning to see how they might be able to give the good guys a long-needed edge by allowing them to make far more informed decisions about potential threats far faster (through use of collective intelligence and the cloud), in a far more trusted environment than the desktop operating system (through virtualization).
But will technology make our lives better or worse? The security and privacy community is right in the middle of that question. It's up to us to try to get a good result. If we do our jobs well, in 20 years, the security scares of the beginning of the millennium will look as silly to most people as Y2K does now. Just like when the clock rolled over on 31 December 1999, a disaster-free outcome will only be possible as the result of lots of hard work from thousands of smart professionals.
As the new editor in chief of IEEE Security & Privacy, I would like to make sure we stay in the center of the fight. From its first issue in 2003, the magazine has been not only compelling but also important. The first EIC, George Cybenko, brought the biggest names in the industry to S&P. And my predecessor Carl Landwehr continued to make the title even better, expanding both the readership and the content.
I'd like to continue in George and Carl's footsteps by bringing more experts to the table to focus on the most important topics. The more relevant our content, the more important a role the magazine will play in sharing best practices and technological ideas.
S&P has a big advantage over other security publications. The articles in this magazine must be independently and anonymously peer reviewed to help ensure that they're as accurate as possible and that they're both timely and relevant. Through peer review, we can keep out propaganda and fluff, and ensure that new technologies are presented objectively and thoroughly. Although academics are used to peer review, in my experience, people in industry are leery of it. Although I started out in academia, I've spent the past decade in industry, including almost five years in executive positions at McAfee. One thing I will work hard to do as EIC is to use my experience in industry to bring even more of the leading-edge practitioners to the magazine, both as authors and editors.
To that end, we plan to bring in two new sets of department editors. Dino Dai Zovi and Alex Sotirov will tap the best and brightest people in the "gray hat" community for the Attack Trends department. Many thanks go to Marc Sachs and David Ahmad for ably leading that department for the past several years. And in the future, helming the Building Security In department will be Adobe's Brad Arkin and HP's Brian Chess, taking the reins from Gunnar Peterson and John Steven. I also welcome Robin Bloomfield, who serves as our new associate editor in chief representing the IEEE Reliability Society, and a new board member, Jeremy Epstein.
It's very hard to build bridges between industry and academia and keep them open. Many people in industry might not know how to get their work published and assume that their chances of publication are low if they don't have an insider helping to groom their article for publication. But because I've spent a lot of time in both worlds, I'm going to focus most of my time and energy on fostering more collaboration between academia and industry, so that the magazine can provide as much value to as many people as possible.
I'm honored to have the opportunity to helm S&P. I look forward to a bright future—for both the industry and the magazine.