There has been talk in the anti-malware industry as long as I can remember about what sort of event it will take to get people to take computer security seriously.
There were countless airline security events which took place before governments started implementing increasingly restrictive security measures around airports. There were nuclear security incidents before the accident at Chernobyl, but it took that level of disaster before the general populace became fearful of nuclear power.
Neither airplanes nor nuclear power became more unsafe than they were before the events. In fact, they're both considered fairly safe compared to other modes of transport or power. But suddenly people became aware of their risks and made changes around the security events.
Regardless of what you think of the effectiveness of the measures which were taken after the fact, the changes were massive. It will likely take a cyber-Chernobyl to get people to take security seriously.
That day could be sooner than we expect at the rate things have been escalating. In my last article I discussed the Anonymous attack on Sony. Since then, a second organised hacking group called LulzSec has joined the fray, grabbing daily headlines with their hacking activities.
Also, LulzSec and Anonymous announced a joint venture, targeting high profile government and banking sites. Given the number of sites which have already been hit, this is likely not an idle threat.
Will an event like this be enough to get people to appreciate that security incidents affect everyone, not just high profile targets? The Sony incidents hit a combined total of more than 100 million users, but this was not the largest data breach in history. The Heartland Payment Systems breach affected a third again as many people. And the current daily onslaught of Anonymous/LulzSec hacked sites has not noticeably changed the landscape either.
In fact, the campaign reminds me a bit of the ‘Month of Bugs’ campaigns, in which researchers each spent a dedicated month focusing on security holes in various types of popular software.
No major software company was immune from this onslaught and it made for a very busy month for those working in an industry that was targeted. It was busy a whole lot longer than that for those of us working in a security company that reports new vulnerabilities. It was almost as taxing as the virus wars of 2004, when we were having multiple outbreaks of Bagle and Netsky daily.
Yet it went almost completely unnoticed by anyone outside the software industry. Certainly software vulnerabilities still exist on a similar scale five years after the campaign began.
Banks and government sites are already decidedly aware of security issues, but holes still exist. Will hitting these targets cause the ordinary citizen enough inconvenience or fear to change things? We shall soon see.