A Profound Moment in Cybersecurity

Richard Power looks at the big picture and how security must move forward

After the conference I followed up by interviewing McGraw for the CyLab Business Risks Forum, and asked him to expand on his comment.

"Online games, like World of Warcraft (WoW), are massively distributed. They have fat clients, millions of them, and server farms that are all over the planet. And it is what, in marketing land, we are calling Web 2.0, or 'Cloud computing,' or flavor of the day. So if we want a case study of the future, we need look no farther than on-line games. If we understand what is going on with security, and cheating, and economics, and the law, and the technology concerns, all at the same time, we have a very small but important crystal ball."

Poignantly, McGraw's fascinating panel discussion on this "edge of technology" was held in a half-empty room, while next door there was standing room only for a session on "Seven Most Dangerous New Attack Techniques and What's Coming Next."

Yes, we are at a profound moment.

But how can we meet the challenge of this profound moment if we are constantly scrambling to catch up, and always in reactive mode?

This is one of three big problems that seriously impede our best efforts to optimize cyber security, and all that I saw, heard and discussed at the RSA Conference 2009 put these three big problems into stark relief:

First, in the realm of cyber security one of the most glaring and persistent problems is that the "good guys" always seem to be way behind the "bad guys," and scrambling desperately to keep up. Cyber security as a field has been mostly reactive. It is always at best a few steps behind the adversary: plugging holes after they are revealed, developing defenses after attacks are carried out successfully, designing technologies around what attackers have already done instead of what they will do in the future, articulating security programs that are always looking backward instead of forward, etc. To achieve the lofty goals of securing the US government's information systems in the 21st Century, and to increase the odds of success for the economic stimulus package, we must change this dynamic; we must put the good guys ahead of the bad guys in cyberspace.

Nothing is more worthy of stimulus funding than academic research into cyber security, bold research that plants our flag upstream of the nefarious and the ill-willed, and takes sovereignty over the future by building industrial and personnel capacity, i.e., dazzling security technology transfers and sophisticated cadres of security technologists. (And don't think I am stressing this issue because of my affiliation with such a program; I was stressing the importance of it over a decade ago, in the US Senate "Nunn" hearings on Cyber Security, at which I testified in my role as Editorial Director of the Computer Security Institute.)
