The yin and yang of cybersecurity

by Stephanie N. Mehta @FortuneMagazine December 21, 2009, 3:14 PM EDT

On the Internet, the good guys and the bad guys are inextricably connected. But what happens when one side gets the upper hand?

By Doug Howard, chief strategy officer, and Kevin Prince, chief technology officer, Perimeter E-Security

(The following is an edited excerpt of the forthcoming book, Security 2020, scheduled to be published next year.)

Since the inception of computers and, more specifically, our global reliance upon them, the number, severity, complexity, and source of security threats have all increased exponentially many times over.

Why do threats emerge? Sometimes a developer wants notoriety (that was the primary motivation in the late 90’s and the first few years of the new millennium), but today the main force behind digital threats is the hope of monetary gain. Political and religious motivations are coming on strong, too.

At the same time, threat mitigation solutions and tactics are constantly developing to deal with these threats. These solutions evolve over time and balance out each new threat. The problem comes when threats emerge faster than solutions, and companies lose their balance.

The “white hats” (the good guys that help develop and implement solutions) and “black hats” (cyber criminals) have a relationship not unlike yin and yang in Chinese philosophy. Seemingly opposing forces are interconnected, giving rise to each other in turn. Yin and yang are thought to arise together from an initial quiescence or emptiness and continue to move in tandem until quiescence is reached again. For example, dropping a stone in a calm pool of water will simultaneously raise waves and lower troughs between them. This will radiate outward until the movement dissipates and the pool is calm once more.
According to Chinese philosophy, yin and yang will always have the following characteristics (and so, too, do “white hats” and “black hats”):

They are opposing. The good guys are always trying to stop the bad guys. The bad guys are always looking for the next way to outsmart the good guys.

They are rooted together. For example, the discovery of a critical vulnerability will simultaneously start a flurry of development for patches and fixes by the good guys and malware and scripts to exploit it by the bad guys.

They transform each other. New technologies and tactics are developed to counteract the effects of previous technologies and tactics.

One cannot exist without the other. If all the cyber criminals disappeared tomorrow, you would have no need for security professionals. (Without cybercrooks, our firm, Perimeter, and many others would be out of a job.)

But there is one characteristic of yin and yang that does not always hold for information security. Yin and yang are always balanced, but information security is sometimes out of balance.

What causes these forces to become out of balance? For starters, new threats can emerge and evolve so quickly that mitigation solutions are not available in time. Sometimes companies balk at spending money on new solutions, or they simply don’t have the expertise or understanding to deploy, manage, or monitor barriers to cybercrime. Any of these elements individually can cause problems in the information security space. (When all of these elements are true at the same time, you have a perfect storm for massive, worldwide impact that causes catastrophic damages and enormous economic loss.)

It’s terrible to say, but sometimes it takes a cyberbreach of significant size to educate companies and consumers about the threats and to get them focused on solutions.
After the first denial-of-service attacks (attacks that block legitimate users from accessing sites or applications) in 2001, a number of upstarts and existing security firms rushed to market with technologies to thwart so-called DoS attacks, and companies quickly moved to implement them.

Are we on the verge of a cybercatastrophe? Certainly the black hats are looking for new ways to cause chaos. With hard work, good cybersleuthing and a bit of luck, companies like ours will keep pace with the bad guys’ attacks – but companies need to do their part and get smart about the potential threats. If not, that stone dropped in a pool of water could turn into a tsunami, and it will take a lot of technology, manpower and time to achieve digital quiescence.

Howard is chief strategy officer of Perimeter E-Security, a Milford, Conn.-based provider of information security systems to companies of all sizes. Prince is chief technology officer.