"Part of the picture is bleak. In the online world, cyber criminals can do their research for as long as they want in absolute security and secrecy, then when they're done they can take their exploit, find a way to automate it and post it on a Web site where thousands or millions of other criminals can download it," said Scott Charney, vice president of Trustworthy Computing at Microsoft, in Redmond, Wash. "That doesn't happen in the real world. One burglar, no matter how good he is, can't breed hundreds or thousands of others just like him. The laws of physics kick in."
Charney, speaking at the Authentication and Online Trust Alliance Summit, said that technology and procedures for defeating online attacks and finding hackers have advanced by leaps and bounds since his days at the Department of Justice in the 1990s. But he added that in some respects the fight against online criminals is not a fair one. The attackers have all the time in the world, the cooperation of other hackers and a virtually limitless number of potential targets. Law enforcement agents, meanwhile, are governed by strict guidelines and in many cases are hampered by a lack of available data once a crime has been committed.
Another challenge for security specialists and law enforcement is the patchwork of state and federal laws in the United States, and the lack of any cybercrime laws in a number of foreign countries. Given the global nature of cybercrime and the fact that hackers often attack systems in a number of different countries at once, these hurdles can often stop promising investigations before they really get started.
"There's a global market for these [attack tools] and the global laws aren't very well coordinated," said Charney, a former federal cybercrime attorney. "There are still a lot of trans-border issues. There are still a lot of countries that don't have any computer crime laws."
Charney also said that software and hardware vendors need to do a better job of making it easier for users to deploy and manage security technologies. Complexity often is the enemy of security, and that can be especially true for home users who may not have a lot of technical knowledge, but who just want to keep their PCs free of malware and spam.
"People buy [software] to be productive, and things that are an impediment to productivity get pushed back in the market," Charney said. "IT isn't intuitive, the threats aren't intuitive and how you mitigate the threats isn't intuitive. The bad guys are creative and they're smart and they won't go away. Still, overall I'm very bullish. The advantages we get from deploying these technologies are huge and they still outweigh the negatives."