There hasnt been a lot of good news on the Internet security front lately. Major security holes have been found in popular commercial and open-source applications, security software companies have been failing, and many businesses are cutting back on security staff and implementations.
Of course, all this is coming at a time when Internet security is more important than ever, both in its status as a core element of the economy and in its susceptibility to attacks from hostile entities. These trends have been enough to make me question some of my core beliefs in how security works.
Traditionally, Ive supported the way security companies and researchers have handled vulnerabilities. When a problem was found, they worked with vendors to announce and fix the problem; when a vendor resisted this process, the researchers carefully released information in conjunction with trusted entities such as CERT.
However, in the current environment, cracks are appearing in this structure. Some security companies are more concerned about PR and drumming up business than about doing the right thing. Software companies continue to fail to release secure code. All this is putting more stress on security administrators, who are seeing their staffs cut and their salaries fall.
These events make me consider something I would have recently been very much against. Maybe it is time for government to step in and help clean things up, preferably in a vigilance and peace-keeping mode, rather than in a regulatory mode.
Right now, the Internet is in what John Locke called the state of nature, where anyone can take from and damage those who cant protect themselves. According to Locke, the main role of government is to protect citizens from this kind of environment. We need something because the current situation clearly is not working.
Is there a remedy the government can provide for Net security? Let me know at firstname.lastname@example.org.