Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Securing the 'Net -- at what price?

Taylor Armerding | July 3, 2015
There is unanimous agreement that 100 percent security is not possible. But at least one expert says it could come close to that, for US$4 billion. Others say it could cost less, but would require a lot more than money.

Is it possible to secure the Internet? And if so, what would it cost?

According to Jim Manico, a global board member of the Open Web Application Security Project (OWASP) Foundation, it is. And he suggested a price of US$4 billion, in a recent "open letter" to President Obama.

Manico said if the government would write him a check for that amount, "or any amount of money deemed enough to instigate change -- I'll show you how to help secure the software that drives modern businesses and the Internet at large."

If he's right, it could be one of the best, most efficient investments the federal government has made.

Yes, $4 billion is a lot of money -- enough to put an individual at the top end of the 1% income bracket. But it is less than 1% of the money lost to cybercrime annually, which according to a report by Intel Security and the Center for Strategic and International Studies, is $575 billion, with $100 billion of that coming from the U.S.

And compared to the 2015 federal budget of nearly $3.2 trillion, it is not even a rounding error -- barely more than one-tenth of 1%. The government spends that much in less than half a day.

But, of course, the question is whether it is even possible. Experts are generally unanimous that there is no such thing as 100% security. What makes anybody think the World Wide Web can be secured for $4 billion, or even $400 billion?

That depends on the definition of secure. In an interview, Manico agreed that there is no such thing as perfect security, but said it is indeed possible to make vast improvements.

He said $4 billion "is an arbitrarily large number," but would be enough to, "actually get it done, or get the long-term processes rolling and hiring the right teams to work on the problem described."

He noted in his letter to Obama that the route to security is to improve the, "standards, frameworks and languages developers use to build complex software," adding that the technology already exists to protect software from threats like SQL injection and cross-site scripting (XSS).

He gets general agreement on that from Mark Stanislav, security evangelist at Rapid7, who said perfect is not possible, but perfect is not the point either. The point, he said, is that the Internet could be a lot more secure than it is, for a lot less than $4 billion.

"The information security industry has known how to effectively reduce common application security bugs like SQL injection, cross-site scripting, and buffer overflows for decades," he said, "but while frameworks and standards implore and enable developers to prevent those issues, there are still mistakes that can lead to their introduction."


1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.