
Playing cops and robbers with cybersecurity

CNET News.com's Charles Cooper says placing bounties on virus authors makes for a fun PR stunt--but what about a real solution?

Charles Cooper Former Executive Editor / News
Charles Cooper was an executive editor at CNET News. He has covered technology and business for more than 25 years, working at CBSNews.com, the Associated Press, Computer & Software News, Computer Shopper, PC Week, and ZDNet.
If Microsoft's cash bounties convince any hackers to rat out fellow cybervandals, then more power to whoever dreamed up this public relations stunt.

Flanked by some serious-looking guys from the FBI, the U.S. Secret Service and--get this!--Interpol, Microsoft last week announced two $250,000 rewards, one each for information leading to the arrest of the authors of the MSBlast worm and the Sobig virus. The two rewards are just the beginning: they come out of a $5 million fund Microsoft will use to buy off informers.

The announcement was good for a photo opportunity and achieved the appearance of movement. Microsoft needs every bit of good news it can muster. After a couple of years being on the receiving end of escalating cyberattacks, management is clearly frustrated by what it now refers to as "criminals," not misguided geeks.

But Microsoft remains far from claiming victory over the anonymous authors whose viruses and worms target the company's software. Instead, it is ratcheting up the rhetoric. The new message is simple: Break the law, and law enforcement will go after the bad guys.

There's just one problem. It won't work--not even if they teamed up J. Edgar Hoover, Eliot Ness and The Shadow. Placing a bounty on someone's head may sound like an effective deterrent, but let's get real. For starters, it's just too reactive. In this standoff, the hackers will always hold the initiative. Besides, does anyone really believe a snitch fund will entice digital sociopaths to turn in their buddies?

So what's the alternative to playing cops and robbers?

Start with the deal worked out earlier this year, when Silicon Valley convinced Washington, D.C., to let it decide how to secure information systems. The so-called National Strategy to Secure Cyberspace calls for the government to work with private industry to devise an emergency response system and reduce the nation's vulnerability to cyberattacks.

The strategy document leaves the initiative for making all this happen to the technology industry. I would have preferred something with more teeth. But at least this was a beginning. Besides, Silicon Valley says it can clean up the mess without any government regulation. Now it has a chance to make good on the claim.

Unfortunately, nine months have elapsed since the Bush administration signed off on the agreement to leave things up to the private sector, and most companies still don't have a clue how to go about implementing the plan.

The Global Council of CSOs (chief security officers), which just made its official debut, is expected to play a big role in helping private companies figure things out. But while they're just getting started, the clock is ticking. All it takes is one major outage--courtesy of organized terrorism or an amateur freelancer--and the pressure to fix the system by hook or by crook will become so overwhelming that heavy regulation and legislation will soon follow.

A lot is going to depend on the performance of the new cyberczar, Amit Yoran, who moved into his job at the Department of Homeland Security a couple of weeks ago. If Yoran is able to provide the necessary leadership, the highly regarded former Symantec executive would send a convincing message to the IT industry that the security problem is finally in good hands.