I'm reading a book by Michael Lewis called Boomerang. It was written about a year and a half ago in the aftermath of the stock market crash and the U.S. subprime mortgage mess. The book goes through the impact of the financial crash from the perspective of four different countries (Iceland, Ireland, Greece and Germany) and a couple of small local U.S. governments (San Jose and Vallejo). It's a fascinating read and, like his other books, takes a complex subject and turns it into something understandable.
If you haven't read his other book on this topic, The Big Short, it's worth a weekend to understand what happened in sub-prime. But this blog isn't meant to be an advertisement for you to buy Michael Lewis books; it's about a thought that occurred to me while reading that relates to security.
In each of the examples Michael Lewis gives, there is this underlying thread of no one really being held accountable or getting in any sort of trouble. In fact, at the end of the book, he talks about the lack of an obvious specific avenue for people to get riled up about and focus their attention on. There is some aspect of this in the Tea Party and Occupy Wall Street, but you have to ask, “What are they trying to accomplish?”
Both seem to be pretty frustrated and vocal (less lately), but it's hard to tell exactly what they want or who they want to get in trouble. I think this is similar in security.
We all know that attackers continue essentially unabated to attack our companies and our government. There are infrequent news alerts about a botnet being shut down or the plans for one being stopped, but those news items are usually met with disinterest at best. And rarely does anyone get in trouble.
Just like in the financial mess, no one really got in trouble for the massive losses sustained around the world. A very small percentage of people may get a fine or short jail time. If a fine was paid, it was more likely paid by the companies, but no one really got in trouble. They just paid the fine, admitted no wrongdoing, and moved on. As Jon Stewart said in one of his segments, “They broke the law, made a bunch of money, got caught and paid a small portion of the profit back.”
In security, we know people are doing bad things. They are likely breaking the law. Why don't more people get in trouble? If there is no potential downside for an action, people will continue until the risk is too high. And risk varies. It's why some people still try to smuggle drugs. The downside is low for them, all things considered.
As it relates to security, have we just accepted that it's ok for attackers to steal stuff? If we don’t care and there really isn't much downside, why would it ever stop? Maybe we're in the middle of a natural lifecycle where there is nothing to influence a change in direction. At some point, the risk will be too high (they will get in trouble) and people will move to other things. But we're not there yet and people are committing cybercrime with relative impunity.