
Fast Takes

The human/computer virus conundrum

Jeff Bardin, VP, CSO for ITSolutions October 05, 2009

The triage tent in the hospital parking lot is full of nurses and technicians wearing protective masks as they test patients for H1N1. The crisis has already hit and we are not in season yet. They have performed over 6,000 virus screening tests, admitting 100 patients and losing two. Such are the fertile breeding grounds for the H1N1 virus. I couldn't quite imagine bringing my servers to such a location for analysis and potential admittance.

Figure 1.  New Malicious Code Threats
Source: Symantec

Unlike cyber malware, viruses such as H1N1 are usually quite predictable as to when they will hit and how they will spread. Each year the fall season brings a new strain or two that spreads in high-traffic areas such as schools, the workplace and mass transportation. Pharmaceutical companies awarded the contract to develop the vaccine try their best to predict exactly what the strain will be in the fall, since they do not have samples available to analyze. The virus mutates throughout the year as it interacts with organic tissue, learning the host and responding to host antibodies as a method of survival. These viruses do not care if they kill the host. Their intent is survival and survival only -- at all costs.

Computer viruses are manufactured with specific intent. That intent has changed over the years, from simple annoyances that were easy to see, discover and respond to, to low-and-slow malware built for stealth so that it can steal items of value for later monetization. Outside the realm of state-sponsored cyber-warfare, the criminal element has taken over the virtual virus world, since it is much easier, cheaper and less risky to steal items of value in this manner than to do the same in the physical world.

Figure 2. Flu tracking
Source: Google

Figure 3. Flu tracking last 9 years
Source: Google

What is interesting is the parallel growth of human and computer virus outbreaks over the past 8-9 years (Figures 2 and 3 compared to Figure 1). We understand the reasons for the computer growth but human virus outbreaks are far beyond my pay grade.

There are many similarities between human and computer viruses, and much can be learned from each (Figure 4). Human-borne viruses have an innate intelligence based upon survival that drives their ability to mutate. The current ability of computer viruses to mutate rests solely upon a developer authoring modifications that can bypass and hide from existing computer defenses, driven by the need to capture more information and generate more revenue.

Figure 4. Human and Computer Virus Comparison

The major worry for future computer-borne viruses is the eventual capability to incorporate artificial intelligence, so that the virus mutates without human intervention, becoming more lethal and stealthier as a method of survival. Imagine a learning cyber virus that makes its way across the Internet from corporation to corporation and device to device, gathering information and learning ways to survive through simple trial and error or cause and effect, all while extracting items of value for monetization. This artificial H1N1 will self-repair; will clean its own tracks; will hide when it has to and appear when it needs to. It will be able to steal information while at the same time destroying the host if needed.

Until that day arrives, we can evaluate and improve our understanding of how human viruses work as a method to build better software and operating systems that strengthen the computer's immune system as a core component of the commercial development process. Anti-virus and computer vaccines of some type will always be required, but maybe someday they will only be needed on an annual basis. This requires much greater maturity in our software development lifecycle and a focus on survivability, something that is not necessarily in the top ten of every developer's job description or every software company's core values.

One thing I believe to be true in this whole equation is that the criminal element adapts and innovates much faster than commercial software companies. This speed will force maturity, but it will be reactive in nature and eventually may mirror the human vaccine process, where a best educated guess is the method used to manufacture a vaccine that is not administered to all computers, but only to those that want it and are most at risk.


History will tell the tale... or will it?

Dan Kaplan September 24, 2009

SC Magazine turns 20 in November, but, if Marcus Sachs is correct in his forecasts, this milestone anniversary is no portent of long-lasting good times.

When he says that, the director of the SANS Internet Storm Center isn't making predictions on the viability of 21st-century journalism. (There are enough bloggers to pontificate on that subject anyway.) Instead, Sachs is reflecting on the future of information security, which he believes will look drastically different in another 20 years.

In fact, he says, it won't be much of an industry at all.

“It's going to become part of the other manufacturing processes,” he says. “This may be the last decade or two where [IT security] is going to be a separate skill. This stuff can be built in. There are not too many magazines for boilermakers anymore.”

Sachs made it clear that he was not trying to perpetuate a “doom-and-gloom” scenario for the IT security space. He just wants security professionals (and magazine publishers) to be aware that the industry likely will shift from standalone to baked-in.

“Look over your shoulder and see what's happened with other technology waves over the years,” he says. “We will continue as a human society. But infosec is not going to last forever. I don't care what anyone says.”

Bruce Schneier, chief security technology officer at BT, says that as more businesses embrace cloud computing as their preferred IT delivery model, security will be almost entirely outsourced.

That means on-demand platform providers such as Google or Facebook, or managed security companies, such as IBM, will be responsible for purchasing and implementing security. A person inside end-user organizations will be charged with overseeing this process, but he or she won't need to look after anything in house.

“Nobody actually wants security ever,” he says. “You want the thing that you want. You're forced to deal with security because the stuff you buy (stinks). But that [will] become hidden.”

Schneier says information security won't be much different than, say, buying a car, where all of the safety elements, such as brakes, already are built into the final product.

“You don't have to buy air conditioning but say, ‘I have to get these wires shielded because they're dangerous,'” he says. “That doesn't happen.”

However, John Pescatore, a vice president and research fellow at Gartner, isn't ready to wheel in the coffin. He says there may never come a time when security isn't something that has to be bolted on at the end.

Challenging Schneier's comparison to automobile safety, Pescatore says: “That's thinking that the IT world will be as stable as the mechanical engineering world. You can't do that in IT security. Nobody can make the driver think the traffic light is green when it is red.”

Of course, in the cyber world, somebody can make users believe they are somewhere on the web where they actually are not.

Pescatore says internet security will live on as a successful trade because the cyberattack surface is far-reaching. Infrastructure administrators make mistakes, and they do not have the capability to keep up with sophisticated threats the way security-specific providers do.

“The vision of being able to treat it like a utility depends on software engineering to not be an oxymoron,” he says. “You cannot treat the internet like infrastructure, like you can [for example] water. Security will still be separate from the infrastructure.”

He does believe the delivery model for security will change. In some cases, wired and wireless carriers (Pescatore expects a huge rise in wireless use as the perimeter dissolves and speeds become lightning fast) will offer security-as-a-service (SaaS) to organizations. In other cases, businesses themselves will still manage their own security, but it will be delivered by SaaS providers.

“I think 20 years from now, plenty of enterprises – in fact, most – will still have their own local data centers,” Pescatore says.

Sachs says he wholeheartedly disagrees with Pescatore. In the meantime, though, while the existing model is still active, he also notes that he expects security vendors to be forced to license their products – much like other manufacturing firms must do – to ensure that their claims are valid.

This has to happen, especially considering the world now fully relies on software and hardware – yet there is no accountability for a broken security product and no formal means to investigate a product failure, Sachs says.

“There isn't any other industry – from dog groomers to plumbers to real estate professionals – that doesn't require the professions to be licensed,” he says. “[IT security] doesn't really have to measure up to any type of performance standard.”

As for the threats, Schneier is convinced that internet service providers (ISPs) must take the initiative on solving the internet security dilemma.

“Who else can make sure my mother's anti-virus is up to date besides an ISP?” he asks. “The basic security rule is that the entity that is in the position to mitigate the risk needs to be responsible for the risk.”

Sachs, meanwhile, believes that a lot of today's most pernicious attack methods used by criminals, including phishing and identity theft, will largely be solved in the future. The criminals will move on to their next moneymaking method. What exactly that will be depends on what technology emerges over the next 20 years, he says.

Pescatore says retailers, in particular, will continue to get crushed. Encryption may become unbreakable – but key management still will offer the same headaches as it does now.

“If there wasn't going to be hacking, it would have died first in retail,” he says. “But people are clever or employees are dishonest. Retail is 2000 years old and the theft hasn't gone away.”

One thing we know: SC Magazine is 20 years old, and the need for information security hasn't gone away yet either.


Questions for Dan Srebnick, associate commissioner of IT security, NYC Department of Information Technology and Telecommunications

Dan Kaplan September 24, 2009

What is most different about the industry or your job duties now compared to when you first started?

“It used to be about protecting against clever programmers, who may have not intended harm, as with the Morris worm or the VM Christmas worm. Now we're defending our nation against criminal and terrorist enemies.”
Give us your boldest prediction for the next 20 years.

“If IPv6 ever takes off, we'll have to reinvent the business of security. We're all players in a new game, and the rules may change.”

When you think of the last 20 years in the information security space, what groundbreaking events come to mind that have shaped where we are today?

“We used to worry about protecting networks and not letting anyone in. Now we need to do security to let people in and provide access to data to those who need it. It's all about the data.”


Questions for Rob Housman, executive director, Cyber Secure Institute

September 29, 2009

You probably haven't been reading SC Magazine for 20 years, but in the years that you have, what about the publication do you most enjoy? 

"I like the depth of coverage in an area that typically gets short shrift. I like that fact that there is a publication that focuses solely on what I believe are the greatest challenges we face for the foreseeable future."

When you think of the last 20 years in the information security space, what groundbreaking events come to mind that have shaped where we are today? 

"Oddly, the movie War Games first comes to mind. I see this as the first time that the public at large had any sense of both the importance of these cybersystems and their enormous inherent vulnerabilities. Another major event that I think we will look back upon has been the recent incidents of cyberwarfare, specifically the Russian attacks on Estonia and Georgia. I see this as the start of a whole new era of military conflict — akin to how the gun changed the world."

What is most different about the industry or your job duties now compared to when you first started? 

"I've always been 'policy focused.' The only difference now is that I find myself increasingly pulled in to more technical issues in order to work policy challenges. So I'm having to learn technical aspects."

Give us your boldest prediction for the next 20 years. Threats? Compliance? Technologies? 

"In 20 years integrated technologies — from biometrics to secure operating systems — will make the hacks of today nonissues. Within this same timeframe the United States will suffer at least one if not more major cyberattacks, attacks that will cost our nation billions of dollars and fundamentally put at risk at least one or more elements of our society/economy. It will make 9-11 look minor."


Web hacking attacks -- that's where the money is

Darryl Gordon, Breach Security October 09, 2009

How have you seen web hacking evolve since you started working in IT security?

When it comes to web hackers and bad guys on the Internet, I think the famous quote from Willie Sutton, a bank robber from the 1920s, applies. When asked why he robbed banks, Sutton said: “Because that's where the money is.”

Since the Internet came along, the most important asset for today's bad guys is personal/financial data like a person's credit card number or social security number. This data is the new capital for today's Willie Suttons because when they have this data they can do all sorts of things from outright theft and fraud to stealing a person's identity. And the pursuit of this data for malicious intent has been their primary goal over the years.

Early on you would see the bad guys going directly after web sites that handled financial data like banks and brokerage firms to try and steal this data. Sometimes they were successful and sometimes they weren't. But as the security improved on sites like that, the bad guys tried different methods like e-mail spam, or targeted retail sites and company web sites all with the goal of getting their hands on this crucial data.

However, at the end of the day, the attack methods and targets may change for the bad guys, but the ultimate goal of getting their hands on this data will not change.

How are today's bad guys attacking web sites to steal important data?

From what we have seen and studied, SQL injection remains the number one attack vector, accounting for nearly one-fifth of all data breaches according to our 2009 Web Hacking Incident Database (WHID) report for the first half of 2009. These attacks alter the contents of the back-end database and inject malicious JavaScript which enables the bad guys to get their hands on important data like credit card numbers and things like that.

And while this may sound like inside baseball, imagine that you are in charge of the physical security for a bank. You spare no expense to buy and install the latest cutting-edge technology, including secure and fire-resistant vaults, bulletproof glass to protect the tellers, closed-circuit video cameras and silent alarms to notify police. It will be next to impossible for someone to walk into your bank and be able to steal any money. What you didn't account for, however, is that it is possible for someone to use the ATM outside the bank to extract thousands of dollars from customers' accounts by simply specifying a certain PIN code.

This real-world analogy is very similar to how criminals are wreaking havoc on the web by targeting ecommerce websites that interact with back-end databases. The criminals are using this specific attack technique, SQL injection, to steal customer data, hold customer data hostage by encrypting it or destroy data entirely by deleting it.
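As an added illustration of the SQL injection point above (example code written for this page, not Breach Security's or the WHID's), the following Python sketch uses a constructed in-memory SQLite catalogue to show why a query built by string concatenation lets a search term rewrite the query, while the same term bound as a parameter is only ever compared as data; it also escapes stored content at output time, so JavaScript that reached the database through an injection is rendered as text rather than executed in a visitor's browser.

```python
import html
import sqlite3


def build_db():
    """Constructed in-memory catalogue standing in for an ecommerce back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, "
        "description TEXT, internal INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products (name, description, internal) VALUES (?, ?, ?)",
        [("widget", "A plain widget", 0),
         ("gadget", "A useful gadget", 0),
         ("unreleased", "Not for public listing", 1)],
    )
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    # The search term is pasted into the SQL text, so quotes and keywords in it
    # become part of the query grammar instead of the value being searched for.
    sql = ("SELECT name FROM products WHERE internal = 0 AND name LIKE '%"
           + term + "%'")
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    # Parameter binding: the driver passes the term separately from the SQL,
    # so it can only ever be compared as a LIKE pattern, never parsed as SQL.
    sql = "SELECT name FROM products WHERE internal = 0 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def set_description(conn, product_id, text):
    # Writes also go through bound parameters.
    conn.execute("UPDATE products SET description = ? WHERE id = ?",
                 (text, product_id))
    conn.commit()


def render_description(conn, product_id):
    # Escape at output time: whatever is in the database (including script
    # tags planted through an injection elsewhere) is shown as text, not run.
    row = conn.execute("SELECT description FROM products WHERE id = ?",
                       (product_id,)).fetchone()
    return "<p>" + html.escape(row[0], quote=True) + "</p>"


if __name__ == "__main__":
    db = build_db()
    crafted = "' OR 1=1 OR name LIKE '"  # constructed input: a quote plus SQL
    print(search_vulnerable(db, crafted))  # the hidden "unreleased" row leaks
    print(search_safe(db, crafted))        # no product has that literal name
```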

What new methods of attack should people be aware of in the coming years?

Our research this year showed tremendous growth in hacking incidents involving social networking sites, such as Twitter and Facebook. In previous years, these types of attacks barely registered, but we have seen that in the first half of 2009, social networking sites are the fastest growing target base for the bad guys and rank just below SQL attacks. We believe this trend will only continue the rest of the year and beyond. It isn't a stretch, but I see social networking sites being the number one target of hackers for a long time.

The reason for this is pretty simple: The bad guys are going where the users are and where they can get their hands on financial data. When there are millions of people using Twitter or Facebook every day, the bad guys are sure to follow. In addition, unlike banks, financial brokerages and online commerce sites, many of these new social networking sites do not have the extensive IT security safeguards in place. I think until these sites bolster their IT security, these types of attacks will continue to flourish.

And because criminals are smart and always looking for new places and methods of attack, it is important to make sure you have your web application security in order. It doesn't take much for someone to exploit a web application vulnerability to plant malware and subsequently infect clients who visit the web site. By adding malicious code, attackers convert hacked web sites to a primary method of distributing viruses, trojans and rootkits.

When you think about it, people who use these sites are there for social reasons – sending photos, posting messages, whatever – and they don't give much concern to their financial data being stolen. But all it takes is for someone to click on an infected link or download a tainted video and the bad guys are in.