


Sarah D. Scalet
Senior Editor

2006: The Year of the Security Non-Event

Jan 04, 2007 | 4 mins
Data and Information Security, Security

It's not that nothing happened. It's worse than that.

I know it’s the time of year for looking forward, but allow me one parting glance at the big security story of 2006. What’s that, you say? You don’t remember it? That’s because the big security story of 2006 is that there was no big security story.

There was no 9/11 or Katrina. No Sasser, Slammer or Nimda. No ChoicePoint or Bank of America breach. No Anna Kournikova, or even a Paris Hilton. A Digital Pearl Harbor never came to pass; heck, the power didn’t even go out. And when was the last time you got a convincing phishing e-mail about eBay, AOL or Citibank?

Of course, in security-land good news is always bad, and bad news is always good. Every puffy poodle of a cloud drifting overhead must just be distracting us from the storm clouds beyond the horizon. (Once those clouds are drenching us, of course, we’ll want to talk about their silver lining, but that’s a topic for another day.) And such is the case here. The fact is, it’s not good news that 2006 was the year of the security non-event. It’s not that there were no security events. Precisely the opposite: There were too many, of too little collective consequence. Security quit being an event.

The way I see it, there are three reasons for this. Most obviously, publicized events have become all too frequent. Consider the voluminous chronology of data breaches kept by the Privacy Rights Clearinghouse. As of today, the total number of breached records containing sensitive personal information is an astonishing 100,453,858, or roughly one record for every three Americans. Sure, there are some big numbers from 2006 on the list. Some 1.7 million records from Texas Guaranteed Student Loan Corp.’s subcontractor Hummingbird. Another 2.6 million from Chase Card Services involving Circuit City credit cardholders. And 1.35 million from the Chicago Voter Database. But page after page reveals mostly losses in dribs and drabs: 2,400 records lost here, 13,084 stolen there, 76 accidentally disclosed somewhere else. Be honest: Which ones do you remember? None of them, or just the one that prompted a panicked phone call from a relative who’d received one of the dreaded notification letters? Even l’affaire of the U.S. Department of Veterans Affairs, more than 28 million records on a single stolen laptop, seemed to unfold more like a Monty Python skit than The Amityville Horror.

Second, attacks have grown more targeted. Gone are the days when a sophisticated phisher would blast millions of e-mail addresses in hopes that a few recipients were actually customers of, say, Washington Mutual, and that a few of those customers would actually divulge useful information. Instead, phishers are buying targeted e-mail lists, even by ZIP code, and sending out e-mails that seem to come from regional banks that serve the area. This accomplishes two things. It increases the likelihood that the message will reach an actual customer of the spoofed institution, and it preys on smaller banks that, thinking they could operate under the radar, may have spent less time building anti-phishing defenses. At the extreme end of this is so-called “spear phishing,” a particularly silly name for a spoof in which e-mails are customized for particular individuals. But a million people falling for a million scams just doesn’t grab attention the way a million people falling for one scam does.

Third, and most worrying, attacks have grown even stealthier. It used to be that the point of creating malware was to cause disruption: to write a virus so damaging that it made CNN. Now, of course, the goal is to make money. Keystroke-capturing software and screen-scrapers don’t want to attract attention; they want to quietly snare information, such as passwords and credit card numbers, that can be used to transfer funds or purchase goods. Similarly, bots want to lurk undetected on computers until they’re called into action. Viruses have payloads: They spread for a while, then do something big and get noticed. Nowadays, the payload is just what the coder is hauling all the way to the bank.

None of these trends started in 2006, of course. They just coalesced. This spells trouble for those who are trying to raise awareness about security, because it means there is no single event that can serve as a call to action. But it also means that in 2007, we’re entering a new era. We can no longer pretend that we’re fighting an acute condition. Information security—or the lack of it—is a chronic condition. This isn’t a severe breathing problem caused by a disastrous and unexpected release of toxins into the air. It’s asthma. It can be prevented, treated—or triggered. The question is whether the thousands of small events that happen in 2007 will be preventative steps or just more trips to the ER.