FACT No. 2: Customers (that is, you) are footing the bill and liking it less: flawed software costs the U.S. economy $60 billion every single year, according to the Commerce Department.
PREDICTION No. 1: As discussed previously in this space, the attackers won't stop--they will have to be stopped.
PREDICTION No. 2: Tight budgets and increased scrutiny--financial, operational, and now legal--will drive these staggeringly wasteful products and services out of the dark basement and into the light where they'll be isolated, evaluated, and eliminated.
PREDICTION No. 3a: Technology buyers will begin, this year, to say "up yours" to those technology vendors that don't aggressively demonstrate not just a willingness but indeed a desire to help their customers gain control over this potentially disastrous situation. (Unsolicited advice to technology vendors: If you are among the unfortunates on the receiving end of the "up yours" colloquialism, do *not* interpret it as shorthand for, "So you're asking me what I'm going to do with my vendor-by-vendor spending allocations for next year? First, I'm going to up yours." While it's understandable that you'd want to interpret it that way, trust me--that's not the right translation.)
PREDICTION No. 3b: Industry groups have begun to exert considerable pressure on technology vendors, and those efforts will increase dramatically in size, scope, and intensity. They won't be "lobbying" for changes and improvements--they'll be demanding all that and more. They've had enough, and they're pushing back. And this is just the beginning.
PREDICTION No. 3c: If the community of technology vendors does not take up this cause passionately and urgently, then by the end of this year we'll all hear about how Congress is going to step in and legislate the issue. The World's Greatest Deliberative Body has already begun to insinuate itself through the actions of the elegantly named and tightly focused "House Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census." (P.S.--Which would you rather do: sit through one of those meetings, or review your company's phone-call logs for the past three quarters?) As we reported last week, that group's chairman, Rep. Adam Putnam, R.-Fla., co-authored an amendment to the 1996 Clinger-Cohen Act that would make information security a required consideration when government agencies buy computer systems. Putnam is monitoring self-regulation efforts by groups such as BITS in the private sector.
PREDICTION No. 3d: The makers of technology will never again use the explanation, "Hey, this stuff is so complex, it's just not possible to make it completely hacker-proof." And while they should drop that line because it's inherently lame and pointless, some will do so because their legal departments will advise that such statements constitute clear and prior knowledge that we make flawed stuff and that we know we make flawed stuff but that we still go ahead and sell it anyway. In court, that type of audit trail would require a particularly nuanced type of defense built on the question of precisely what the definition of "flawed" is, a courtroom approach leaning heavily on the famously successful precedent of what "the definition of 'is' is."
PREDICTION No. 3e: By this time next year, a recent call-to-arms from Oracle's chief security officer will become standard procedure at many IT vendors: "The next frontier is for vendors to drop their competitiveness," says Oracle's Mary Ann Davidson. "Developing secure code is not a trade secret. Vendors need to start calling each other up and sharing development techniques. The hackers certainly share attack and vulnerability information."
PREDICTION No. 3f: I'll see you next week, but not before a lot of you tell me that I or my predictions or both are crazy.
To discuss this column with other readers, please visit Bob Evans's forum on the Listening Post.
To find out more about Bob Evans, please visit his page on the Listening Post.
PREDICTION No. 3: Technology vendors--whether they make servers or storage devices or databases or routers or operating systems--will be evaluated more vigorously than ever before on not just their current security capabilities but also on their ongoing commitment to at least sharing the security burden with their customers, rather than leaving those customers to carry the full load by themselves.
Other Voices
"NT had a good run--I'm sorry to see it go only in that it became a standard, well-understood, and workable OS, with a wide base of expertise available, and I fear it will be awhile before I'm as familiar with XP as I am with NT. Of course, by then we'll all be switching to Longhorn or its successor."
-- LAN administrator, commenting in John Foley's Windows Weblog, July 8