Leader: Why the Cisco router flaw row makes us all losers

Do we need to rethink how we tackle security?

News of a potential weakness in Cisco routers has been causing a few sleepless nights. Sleepless nights for hackers who are working to exploit the problem, and sleepless nights for IT bosses wondering when the first attack will come.

Hackers, angered by Cisco's attempt to squash news of the potential flaw, are working non-stop to find a way to exploit it.

As one hacker put it: "The reason we're doing this is because someone said you can't."

Which is a fine response if you're an 11-year-old trying to steal one of your mum's freshly baked cookies.

But perhaps slightly less responsible when you are talking about developing an attack on the devices which direct traffic across the internet.

Because even if the hackers who are working on the attack are simply doing it for the thrill of the chase and to beef up their counter-cultural credibility, and have no intention of ever using it maliciously, someone else will.

Which means it's something companies have to start worrying about. No doubt many Cisco customers are now getting round to applying the fixes to their router software that protect against the flaw.

The whole sorry episode puts the spotlight squarely back on IT's strange security ecosystem - where hackers can claim they are helping the industry by publicising security problems, and where vendors can be cast as the baddies for trying to suppress those details.

The user is then stuck somewhere in the middle, trying to keep up with the latest must-have bug fix.

Perhaps some good will come of this. Companies will update their software to protect against the flaw, so that if and when an attack is launched it won't lead to widespread damage - which could have happened if a hacker had stumbled onto the flaw and decided to launch a sneak attack.

And perhaps the excitement the whole incident has provoked will give the industry cause to stop and think about the way it deals with product testing and security.

Of course no products can be perfectly secure when they are shipped, because that would stop innovation dead in its tracks. But at the moment there is a sense that too often the industry releases products too soon and just waits for the security researchers and hackers to spot flaws.

But as IT becomes so pervasive, can this uneasy balance - which leaves customers permanently scrambling to catch up - remain unchanged?