The Observer: Nuts-Behind-The-Wheel Must Accept Blame--And Change Behavior

Comes, recently, word that Microsoft has once again felt compelled to toss a cool quarter-million dollars into the bounty pool, this time to track down the perpetrator or perpetrators of the particularly vicious MyDoom.B virus. As Microsoft continues to dole out funds from its $5 million pool--the most recent ante being its third thus far--the temptation is to lay blame for the effects of the virus at Microsoft's feet, and there's a lot of justification for that thinking. The reality, though, is that the blame ultimately lies with us as individuals and as members of enterprises and institutions.

Yes, Microsoft continues to whittle away at its reputation for being a purveyor of vulnerable, buggy wares. The reputation was well-deserved at one point, and, despite Microsoft's continuing efforts, it's going to take a long while and a long, long period of product remediation before that taint is cleansed in the minds of its customers. MyDoom.B--despite Microsoft's swift but formulaic response--is doing nothing other than prolonging Microsoft's image rehabilitation.

Can Microsoft be doing more? Of course! Is it to blame for the vituperation that continues to come its way? Yes. For its real or perceived arrogance and certainly for its past track record, its customers are slow to acknowledge that some things are simply beyond the control of even the colossus that managed to grab markets by their throats and shove products down the same of its enterprise customers.

That, though, is the stuff of the past and fodder for analysis by minds better than mine. More important is what we are doing in the here and now to see to it that we apply institutional protections and requisite self-responsibility toward preventing such attacks in the future and, when they inevitably occur, minimizing their effects on commercial and personal pursuits.

The answer, lamentably, is pitifully little on the legislative, corporate governance, or personal responsibility fronts.

Sure, there are laws on federal and state books against such attacks, but a look at the prosecutorial record shows that successful prosecutions are rare and that sentences are wrist-slaps relative to the damage caused. Conventional wisdom holds that jurisdictional issues abound; the scale of victimization is off the charts and, frankly, there's little that can be done to prevent the launch of an attack, thus we're reduced to cleaning up messes and backtracking to attempt to identify the perpetrator.

Each of those arguments is valid, yet none is sufficient to account for the dismal track record when it comes to successful prosecutions and sentencings that will cause members of the hacker culture to at least think twice. Is there anybody out there offering odds that their state legislatures or the federal government will do anything swiftly and effectively to remedy the problem? I rest my case. In the future, perhaps an incensed electorate will make itself heard. For the here and now, it's up to us to play the hand we've been dealt.

Which leads us to corporate governance and successful implementations of security policies that look good on paper but fail to hold water in the real world. Enterprises of any size are likely to have some security policy in place. The best of these policies are implemented as living, breathing parts of a corporate culture. Too often, though, our readers have told me that security is as much a part of the operating culture of their enterprises as cleaning up after one's self at the coffee machine. Some do the right thing and others don't, with very little in the way of reinforcement of appropriate behavior and nothing in the way of corrective (eventually leading to punitive) actions.

This can't go on, despite the fact that no enterprise larger than a one-person company can truly say that it can define the edge of its enterprise network. This simply isn't a green-screen, self-contained world, and it hasn't been for a couple decades now, but so many enterprises remain convinced (either from inertia, lack of comprehension, or innate ostrichlike tendencies) to do much more than pay lip service to security. It's long past time for public companies to assign responsibility for security oversight the same weight among members of committees within their boards of directors as, say, compensation. Companies have a far better chance of recovering from board-approved out-of-whack pay packages than they do of ever recouping profits stolen from them as a result of board-ignored inept security policies.

Other than financial institutions where security provisions are mandated and those insightful enterprises and institutions where security has astutely come to be seen as a critical part of the infrastructure, the popular response, based on experiences shared with me by your peers, is that the protection policy du jour is to rely on off-the-shelf commercial solutions and prayers that they'll be up to the challenge. The majority of the time, they are, but there's a fatal flaw even to those.

That flaw is us. The nut-behind-the-wheel syndrome recurringly is what bites us on the bottom. We're either too blasé about the risks to care or too ignorant of the possible damage to pay attention, but attacks designed to cause the most widespread and visible damage don't and can't spread globally unless we do the spreading.

We can blame Microsoft for throwing in more back doors than Mrs. Blandings gone mad, we can blame the feds and our local legislators for being slow to adapt, and we can blame corporate overseers for being lax in self-enforcement, but blame, or at least a portion thereof, lands in our laps.

Time to play smarter.

To discuss this column with other readers, please visit Lou Bertin's forum on the Listening Post.

To find out more about Lou Bertin, please visit his page on the Listening Post.