They call economics the dismal science.
Well, economics got nothing on cybersecurity.
Today's Wall Street Journal reports that Shawn Henry, the departing executive assistant director of the FBI and the Bureau's top cyber cop, says that in the war between the people trying to keep the bad guys out of public and private data networks and the criminals trying to get in, "We're not winning."
The evidence supporting Henry's assertion is overwhelming. A survey by Panda Security found that half the computers it scanned last January were infected with some kind of malware that could allow someone who's probably not very nice to control your computer. And Panda only scanned those computers that run its software. A recent Financial Executives International article noted the increased frequency and intensity of cyberattacks and saw a growing cycle of "malicious activity." When a company is attacked, it's not pretty.
But all this only tells us what we already know and what Henry put so succinctly: We're losing the war. "You never get ahead," Henry went on, gloomily. "You never become secure, never have a reasonable expectation of privacy or security."
The security vendors I speak to, who have great faith in the efficacy of their products, are still no cheerier than Henry. "Cybercriminals will always be out in front of whatever companies can do," says IronKey CEO Arthur Wong. IronKey supplies secure, encrypted USB flash drives for the military, government, large enterprises, and consumers, and its technology assumes, as Wong says, that the end user -- for example, you, trying to access your bank account on your laptop -- is already "compromised."
And the problem -- securing digital data -- is engineered to get worse. There's always been a tension between allowing easy access to information -- which is the basic promise of the Web -- and securing that information. Given current technology, that tension may be irresolvable.
"In the early 2000s," says Eric Olden, Founder and CEO of Symplified, a cloud-based identity authentication management provider, "applications ran on networks owned and operated by companies. They were behind a firewall. Fast forward to today. Cloud apps don't sit behind a firewall so network defenses don't work."
Then you have the problem of mobile phones. "If you lost your phone years ago," Olden says, "big deal. Now, if you lose your phone a bad guy has huge amounts of data to exploit."
My phone, for example, knows where I am, all the time. I allowed it to track my whereabouts because I wanted to be able to use it to find my way if I got lost. I traded privacy for convenience. I know that it might have been smarter not to make that trade but, like most of us, nothing bad has happened to me . . . yet. And even though I know it's probably just a matter of time, I act as if it isn't.
Of course, I'm not a CFO. If you are, mitigating risk is part of your portfolio. Henry suggests keeping your most valuable data off your network entirely. I doubt that will work for most companies. Having data you can't access is as useless as having a phone that can't help you if you're lost. It's a risk-reward calculation. I made mine. You'll make yours. Just don't expect to be happy about it.