"We need to strike a balance between accountability and anonymity," Schneider says, "and we need international agreements."
At least one major software maker may have gotten the message. In a paper published last year, Microsoft Corp.'s Scott Charney outlined steps the company has taken since 2002, when Bill Gates created the Trustworthy Computing initiative that Charney now heads. He notes that the company has made "significant progress" in strengthening its products against attack, but he acknowledges that improving any given piece of software isn't enough.
Charney argues that we must fundamentally "change the game," and that two elements are needed to do that. The first is to build a "trusted stack," with strong authentication at every layer -- hardware, software, people and data -- something Microsoft calls end-to-end trust. The second would implement Schneider's prescription for auditability of events to provide accountability.
However, in the short term, users must do the best they can with existing technology, says Alan Paller, research director at the SANS Institute, an information security education firm. He says cyberthreats that exploit software are of three types: those that exploit vulnerabilities left by faulty coding, those that exploit logic errors in faulty designs, and social-engineering exploits that trick users into doing things they shouldn't do, such as revealing a password.
"The most powerful of the new attack techniques are in social engineering, where they are doing much deeper analysis of the people they are going to attack," Paller says. But part of that is pure technology, he says, "because once you let the guy in, he still has to break some things."
That means defensive technology is needed inside the system so that if a user, for example, clicks on some malware, the attacker can't then insert a keystroke logger or other malicious software in his machine.
Users aren't helpless
So it seems users are in a holding pattern. They're waiting for software vendors to fortify individual products, something they have been doing slowly for years; they're waiting for IT companies to make massive rollouts of trust technologies; and they're waiting for governments and societies to agree on accountability measures. Meanwhile, companies like Heartland and P&G are on their own.
But there are things users can and should do, Scherlis says. "The key phrase is 'configuration management,' " he says.
People underestimate the importance of this because it sounds dreary and dull -- like taking inventory. But very few organizations or users even know what's running on their computers. "Stuff just turns up, and you don't even know what its heritage is," he says.