According to privacy and security expert Stephen Cobb, a rising tide may not lift all boats. Instead it may sink them. Cobb recently predicted that the increasing flood of spam and fraud would begin to drive consumers and perhaps even some companies away from the Internet. Surveying the situation, Cobb said, "There's a limit to how many worms, phishing schemes and fraudulent messages consumers and companies will take."
There's evidence this is already happening. A worldwide survey conducted in the fall of 2003 by the Transatlantic Consumer Dialogue showed that spam negatively impacted online shopping for 52% of respondents. One out of five didn't shop at all online because of spam.
Doug Peckover, president of the software firm Privacy Inc., put the growth of spam at 2% a month.
"According to one of our sources at IBM, more spam was blocked in July of 2003 than all of 2002. The way things are going, it's possible that we'll block more spam this coming July than in all of 2003," he said.
Ron Moritz, senior VP and chief security strategist at Computer Associates, doesn't see the doom cited by Cobb and doesn't believe consumers and companies will turn their backs on the Internet. But he readily acknowledged a looming problem.
"This year, worms created nuisances -- and spiked the stocks of consumer antivirus providers -- but in retrospect ultimately caused little damage. With minimal advances by the bad guys, however, catastrophic damage could occur," said Moritz.
As for what can be done, experts advocate antivirus and content filtering. Beyond that, they promote the use of alternatives to spam filtering, such as an antispam router. Proactive privacy protection systems are another possibility. Security managers also need to address the social engineering side of the problem.
"You need to be actively enforcing strict controls over company e-mail usage and protecting your mail servers from both outbound, as well as inbound, abuse," said Cobb.
A final tool is a financial analysis. Many companies lack a clear picture of the cost of spam and related activities. Quantifying this expense leads to a better idea of how much to spend on a solution. This ties into the idea of making security management strategic instead of tactical in nature.
Collective solutions include fully implementing such things as IPv6; strong authentication of Web sites and e-mail senders; and upgrading the intelligence of routers and switches so that malicious activity can be detected and stopped as soon as possible. Individual companies and security managers can band together to push for such solutions.
Other possible fixes include the equivalent of an electronic stamp, as well as legislation to control spam. Unfortunately, in the past the latter has been found wanting. Based on this experience, Privacy's Peckover warned, "Do not rely on industry self-regulation."