Private sector isn't waiting for Feds to deal with Internet security

Congressional efforts to introduce cybersecurity legislation have failed this summer, at least for the time being, but the private sector has hardly been idle in creating defenses against hackers and viral threats.

Some details of this security activity must necessarily be kept secret, because cyber-war defenders cannot afford to tip their hand to hackers. Online security is analogous to a military intelligence operation at every level, from vendors providing anti-viral solutions for home users, to massive corporate security structures.

This makes it difficult to put together a broad picture of private security efforts, but Larry Clinton, president of the Internet Security Alliance, estimated before a House Energy and Commerce subcommittee in February that private sector security spending totaled an astonishing $80 billion in 2011.

This expense covers a constantly evolving defensive architecture, which must cope with eternally mutating viral threats and innovative hacking techniques. Most personal users can get a faint impression of how quickly this game of cat-and-mouse plays out by noting how frequently their personal anti-virus software is updated.

Multiply that sense of urgency by a billion, and you have an idea of the challenge faced by top-level Internet security experts.

Nothing to sneeze at

Those little personal-computer antivirus programs are nothing to sneeze at. A huge amount of work goes into designing and updating them. Top security software companies, such as Symantec and McAfee, publish enormous databases of viral threats, which they update daily. McAfee offers visitors to its website a global virus map, and a viral threat level indicator similar to the one used by the Department of Homeland Security for terrorist threats. Symantec has a global risk timeline, which graphically tracks the detection and defeat of viral threats from day to day.

Market research firm Canalys projects that 2012 will see a nearly 9 percent increase in sales of security software, bringing the global value of that market to $22.9 billion. Heated competition from many different vendors for a share of that immense market has kept the cost of security software for home users remarkably low. In fact, programs from some vendors can be downloaded for free, while even the more powerful and highly regarded packages for home users cost about the same as a video game.

And yet, some observers believe that even this enormous private-sector investment in security is not sufficient. A study prepared by Bloomberg News, in cooperation with a research firm called the Ponemon Institute, concluded that a core group of industries and government agencies would need to boost security spending by nearly 800 percent to achieve 95 percent protection against electronic attack.

Financial companies were said to require a 1,300 percent increase in spending to achieve such a level of safety. The Ponemon Institute estimated that the current average level of safety from online attack is only about 69 percent.

Interestingly, respondents to this study had to be promised anonymity to participate, because it is so risky to discuss the details of cybersecurity programs.

Storm-tossed electronic ocean

This, of course, led to calls for government to compel the necessary increases in security spending, through some combinations of incentives and mandates. Part of the problem is that computer systems have become tightly connected through the Internet. A high-security system exposes itself to danger by allowing connections from a lower-security system. This leads high-security system operators to desire minimum standards of integrity for every system they interact with.

That was much easier to arrange when "online" connections involved modems dialing into carefully protected phone numbers. Now that online interconnectivity is a real-time, always-on sea of high-speed communications, security threats are greatly magnified. Nearly every computer device has a theoretical connection to every other device.

Yesterday's critical systems were fortresses with occasional leaks in their data plumbing; now they're tiny boats forever adrift in a storm-tossed electronic ocean. And we have yet to witness the Internet equivalent of a hurricane sweeping across that sea of data: an orchestrated cyber-attack launched by a hostile foreign power.

One of the greatest concerns facing private-sector security operations is the question of legal liability. Legislators want private teams to coordinate with each other, and the government, to detect and defeat large-scale online threats. Private corporations worry this could get them sued by angry users for violating their privacy.

The value of the data at risk from electronic sabotage is difficult to determine, and no corporate manager relishes the thought of conducting that evaluation before a jury, with millions of dollars in damages on the line. It's difficult to determine what a reasonable investment in defense measures should be, when the value of the digital property at risk cannot be readily calculated.

Another serious problem facing private security teams is the danger of making their defenses so tough that legitimate users find it difficult to access their systems, compromising the value of the products and services they offer. There's an old saying in the computer world that 100 percent security can be achieved only by unplugging your computer. No profitable electronic enterprise wants to risk "unplugging" itself from the Internet by implementing security procedures its customers find excessively inconvenient.

Even the strongest proponents of cybersecurity legislation acknowledge that the private sector will take a leadership role in protecting America's online infrastructure. The challenge is to achieve the right level of information sharing and data security without imposing ruinous costs on private enterprises, or compromising the flexibility of the fast-moving online security industry by submerging it beneath a bureaucratic quagmire.

Business managers are keenly interested in defending their operations from serious threats, but less enthusiastic about spending massive sums to buy protection from hypothetical menaces. On the Internet, hypothesis can become practical reality with astonishing speed.