Business Report

Improvements in the State of Security

Despite all the major data breaches in the news, some aspects of Internet security might be getting better.

Clearly, Internet security isn’t as good as it should be, given that every week seems to bring news of a data breach at a large organization. But is the situation actually getting worse, or is it staying the same? Or could it even be getting better?

Internet DEFCON: Cisco’s ARMS Race index, which the company has published each of the past two years, attempts to give an overall rating to Internet security. A rating between 1 and 4 implies that corporate networks are “virtually not infected” and consumers are barely bothered by computer intrusions; above 9, nearly every network is infected. The 2009 rating above 7 implied that corporate networks were persistently infected and consumer services were subject to “alarming levels of service abuse.”

That’s the question researchers at Cisco Systems tried to answer when they began quantifying the state of computer security in 2009. By looking at several factors, including the size and number of worldwide “botnets” that conscript innocent people’s computers into drones that send malware and spam, the researchers have assigned a rating to the overall state of online safety. Cisco’s ARMS Index (that’s an acronym for “adversary market resource share”) runs from 1 past 9, with 1 being the Edenic bliss of the ARPANet and anything over 9 representing digital dystopia. When the index debuted in December 2009, Cisco rated the world’s security a 7.2, reflecting the researchers’ findings that corporate networks were experiencing “persistent infections.” But by December 2010, it was 6.8, meaning that the same networks were being less frequently hit. And by some measures, the index could improve again this year, according to Patrick Peterson, a security analyst for Cisco who is one of the researchers behind the report. He recently spoke to TR’s deputy editor, Brian Bergstein.

TR: It doesn’t seem like the Internet is becoming a safer place, and yet you saw enough positive trends to lower the number last year. Why?

Peterson: This was actually quite interesting, because we had two wildly divergent trends. One of them was that last year was the best year ever for slaying botnets. There were a number of botnets disrupted and taken offline. We actually saw the aggregate size decrease tremendously. At the same time, infected systems were able to do much greater things to much greater targets. There were a large number of well-publicized infections such as Stuxnet. Another one was the Aurora attack, which was a coördinated attack on Gmail users and was aimed at putting malware in to steal a lot of intellectual property. We’ve seen that trend continue [this year] with the Epsilon breach, the Sony breach, the IMF breach.

In light of incidents like those, how is the index looking for this year?

I would say we are continuing to trend down in terms of what the ARMS index measures, but at a slower pace. At the end of the year my crystal ball is about a 6.6.

That seems counterintuitive, that things are getting better.

After five, six years there’s now a recipe for botnet takedown and disruption. When a botnet’s command and control is decapitated, it can’t send stolen data anywhere. The security community is far more interdisciplinary, and tighter. Five and six years ago if there was a security researcher like me and a law enforcement dude [looking into an attack] it might take us a five or six weeks to get together, if ever. Today there are [regular, structured opportunities] for me to say, “Let me provide data that might be useful.” And Microsoft now has a tool to clean up botnet infections.

But the [ARMS index] methodology might not make sense anymore. When we developed the index, we decided to have one number, which represented the overall threat. Since then we have seen attacks on consumers wane, and we’ve seen attacks on high-value targets increase. So if we had ARMS C for consumers, ARMS B for business could be 7.5. We’ll probably break that apart when we do it again. 2011 is the year of the enterprise breach. I’m afraid the headlines we’ve seen in the last five months are in no danger of going away

Looking at your scale, anything over 9 sounds terrifying: it describes a world in which almost every computer is being used or watched by malefactors. Do you really think that kind of meltdown could happen?

At this point, it’s a hell of a lot less likely than it was when we dreamed this up three years ago. Since Conficker [an Internet worm detected in 2008], a host of measures have happened to make this less likely. The Windows operating system is more secure, software design is better, ISPs are stopping these kinds of attacks. We’ve come a long way from the days of Conficker. The 9.0 is a fictional Armageddon that I don’t spend a lot of nights worrying about. I worry more about one targeted Gmail attack on a White House staffer. Not a lot of people are motivated to make things melt down. A lot of people are motivated to attack successfully, and the [smaller] their footprint is, the likelier they are to attack successfully.