The terrorist attacks of Sept. 11, 2001, launched two wars and ushered in sweeping new federal security laws. But they had little to do with making computers or the Internet any safer.
In fact, said retired FBI Special Agent C. David Shepherd, CEO of the Las Vegas-based Readiness Resource Group, public agencies and private-sector companies have always been trying to protecting their systems.
"I don't think you can say this all started after 9/11," said Shepherd. "It's is a constant threat that you can't put a date to. The bad guys had been doing this before 9/11 — as soon as somebody saw a way to make money or to get back at somebody."
Tim Armstrong, malware researcher at Moscow's Kaspersky Lab, agreed.
"I suppose it [9/11] had repercussions in a technological realm," Armstrong said, "but I don't think that there was such a direct correlation that IT people immediately said, 'I better button up my server because these terrorists attacked a building.'"
Shepherd, the former chief of security for the Venetian Resort Hotel Casino in Las Vegas, said the gaming industry had to protect its systems well before 9/11. Casinos keep on file the bank account information, Social Security numbers, home addresses and cellphone numbers of some of the richest people in the world.
"We had to protect everything we could, in every conceivable way," Shepherd said.
Fitful advances
Advances in cybersecurity haven't been driven by physical attacks or by government agencies so much as they have been by sheer necessity, Armstrong said.
"For example, the explosion of Java malware was a direct result of other technologies like Adobe catching up on their patch cycles," Armstrong said. "Things that the cybercriminals relied on earlier became difficult to compromise, so they lost interest and moved to a different technology that hasn't been so closely scrutinized."
Armstrong said many corporations could do more in terms of cybersecurity, but don't due to the expenses involved. It costs a lot of money for companies to review all the code for their websites, not to mention having a full-time security team on board and providing ongoing security training for all employees, he said.
"There's also a certain amount of, 'It won’t happen to our network,'" Armstrong said. "But Sony was hacked over 20 times in one month, because they'd fix one thing and not look at other things because it was just too expensive."
The irony is that it costs more to fix a system once it's been compromised, Armstrong said.
"The money spent reacting to breaches will be more than if you had [secured your systems] to begin with," Armstrong said. "Consider the long-term loss of customers and the bad PR. But companies are hoping it doesn't happen and it's a gamble. C-level executives are saying, 'If we spend all this money and nothing happens, is it wasted money?' It's hard for them to justify [the spending]."
Many companies, even large ones, don't perform even the most basic tasks to protect their networks, Armstrong said. Shepherd agreed with that sentiment.
"We can never say that everything is secure, because every time you turn around, there's someone trying to break into your system," Shepherd said. "It is an ongoing process to secure your systems. When you say you're secure, that's your first mistake."
Armstrong said many security breaches of the past few years could have been avoided.
"You have security flaws that are two, three years out of date that are left unpatched," he said. "Maybe for a short time 9/11 had an impact, but I think in the long term, at least on the technology side of things, it really didn't that have that great an impact."
The problem now is that there are more and more people trying to break into systems, which means everyone has to stay vigilant in trying to protect their networks, Shepherd said.
"There's no other way," Shepherd said. "You have to stay on top of it. It's the silent war that people aren't paying attention to as much as they should."
If cybercriminals want to compromise a company or a system, they will if they have enough time and the motivation, Armstrong said.
"If they want to get into your network, they eventually will," Armstrong said. "There's no 100 percent solution. ... Add to that a lot of the companies out there [that] aren't making some of the basic security changes to their networks, and you have a bad recipe there."
The future of cybersecurity
One of the biggest threats facing the U.S. is a potential cyberattack that would impact national security, Shepherd said.
"Everyone is looking, or should look, at how to keep someone from knocking out our power, our water, our telecommunications," he said. "If you look at when Russia attacked Georgia [in 2008] — that was preceded by a cyberattack that knocked out systems."
"We need to pay more and more and more attention to cybersecurity," Shepherd said. "It is an ongoing threat and it's a continuous threat. You can be in any foreign country and try to hack into the systems here."
Shepherd recalled the words spoken by William H. Webster, former head of both the FBI and the CIA and current chairman of the White House's Homeland Security Advisory Council: "Security is always seen as too much until the day it's not enough."