The second is a decentralization of IT responsibility, some of it going to non-IT people. "One change -- such as a simple change in access privileges by an administrator, or a change to a business rule by a marketing expert -- can ripple across a worldwide enterprise," Scherlis says.
The third factor, related to the other two, is the extreme speed with which actions -- simple mistakes as well as attacks -- are propagated through networks and systems. "All three of these changes contribute value and agility to the enterprise, but they also reshape the security picture," he says.
Scherlis says that a few years ago, an organization would have put an "enterprise firewall" between its internal systems and external networks. Later, when it became obvious there were bad actors or bad software inside the company, the company would have turned to departmental firewalls and, soon after that, to firewalls on individual computers. Then, when that proved insufficient, the company would have started putting shields around individual applications.
Now, Scherlis says, even that is not enough as systems get more and more fragmented yet interconnected. "Modern applications contain frameworks and libraries from diverse sources, and they stretch across multiple computers," he says. "So now you need to consider perimeters inside the application, at the application programming interfaces."
Even the simplest of modern applications may contain thousands of individual executable components, from multiple sources. "That makes the software assurance problem really hard," Schneider says.
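The following is an added example, not code from the article or from Scherlis, of what a "perimeter inside the application" can look like: an internal library function that checks the caller's granted permissions at its own API boundary and records every decision, so that a component bundled from another source cannot call it freely just because it runs in the same process behind the same firewall. The caller identities, permission names, customer records and audit format are all constructed for illustration.

```python
"""Added example (not from the article or from Scherlis): an authorization
check enforced at an internal API boundary, so a library called from
elsewhere in the same process still checks who is calling it instead of
trusting the network perimeter. Names, permissions and sample data are
constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from functools import wraps
from typing import Callable


class PermissionDenied(Exception):
    """Raised when a caller reaches an internal API without the right permission."""


@dataclass(frozen=True)
class CallerContext:
    """Identity and granted permissions of whoever calls an internal API.

    In a real system this would be derived from an authenticated session or a
    service identity; here it is constructed directly."""
    principal: str
    permissions: frozenset


# Every allow/deny decision at an internal boundary is appended here, so a
# defender can see which component tried to reach which API.
AUDIT_LOG: list = []


def guarded(permission: str) -> Callable:
    """Decorator that turns a function into an internal perimeter: the first
    argument must be a CallerContext holding `permission`, otherwise the call
    is refused (deny by default). Every decision, allowed or denied, is logged."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(ctx: CallerContext, *args, **kwargs):
            allowed = permission in ctx.permissions
            AUDIT_LOG.append({"api": fn.__name__, "principal": ctx.principal,
                              "permission": permission, "allowed": allowed})
            if not allowed:
                raise PermissionDenied(
                    f"{ctx.principal} lacks {permission} for {fn.__name__}")
            return fn(ctx, *args, **kwargs)
        return wrapper
    return decorator


# A hypothetical customer-records library exposing two internal APIs.
_RECORDS = {"c-1001": {"name": "A. Example", "balance": 120.0}}


@guarded("records:read")
def read_balance(ctx: CallerContext, customer_id: str) -> float:
    return _RECORDS[customer_id]["balance"]


@guarded("records:write")
def adjust_balance(ctx: CallerContext, customer_id: str, delta: float) -> float:
    _RECORDS[customer_id]["balance"] += delta
    return _RECORDS[customer_id]["balance"]


def demo() -> dict:
    """Exercise the perimeter with a read-only caller and a privileged caller."""
    reporting = CallerContext("reporting-job", frozenset({"records:read"}))
    billing = CallerContext("billing-service",
                            frozenset({"records:read", "records:write"}))
    results = {}
    results["report_reads"] = read_balance(reporting, "c-1001")
    try:
        adjust_balance(reporting, "c-1001", -50.0)
        results["report_writes"] = "allowed"
    except PermissionDenied:
        results["report_writes"] = "denied"
    results["billing_writes"] = adjust_balance(billing, "c-1001", -50.0)
    results["denied_events"] = sum(1 for e in AUDIT_LOG if not e["allowed"])
    return results


if __name__ == "__main__":
    print(demo())
    for event in AUDIT_LOG:
        print(event)
```

The check lives on the function itself rather than in a gateway in front of the process, which is the point of the passage above: when an application is assembled from many libraries of unknown provenance, the boundary that matters is the one each component enforces for its own callers, and the audit trail shows which component attempted what.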
Turn the tables
Fred Schneider, a software security and reliability expert at Cornell University, goes even further, saying that the whole notion of building defensive perimeters -- at any level -- is outdated.
"Today, people discover vulnerabilities because someone uses one in an attack, and then they fix it. They are walking around finding holes in the dike and patching them. This is playing catch-up and letting the attacker define the problem. It's an inherently losing mind-set."
But, he suggests, "what if we turned the tables in a way that allowed us to stay ahead of attacks?"
Many Internet-borne attacks come via spoofing; you get a message purporting to be from Citibank, but it's not, and it contains some malware. "Suppose every message on the Internet could be attributed to the person who sent it?" he says. "Then, when someone launched an attack, you could find out who sent it and arrest them."
He says this would change the mind-set from one of prevention to one of accountability. People would behave not because their misbehavior is blocked, but because they could be caught and held accountable.
"The problem with the current prevention mentality is you have to protect everything," Schneider says, "but the attacker only has to find one chink in the armor."
Although not trivial, implementing such accountability on the Internet is technically feasible. But there are two big barriers to making it happen, Schneider concedes.
One is an expectation of anonymity that many users would not lightly relinquish. The other is that vagaries of local law and custom could render attackers outside the U.S. difficult to bring to account.