What's really wrong with PC "security"

Why do Wintel people defend the indefensible while spending billions on reactive "security" that never solves the problem? Stockholm Syndrome describes the behavior, and it's not hard to see who's captive to whom there.
Written by Paul Murphy, Contributor

It's nightmare time! Ready?

Ok: you're among millions of people lined up along an endless cliff looking down a thousand feet to raging waters and black rocks. The crowd surges, you barely cling to the edge as clouds of your fellows scream all the way down -and now you see people selling parachutes but just as you get one, the scene changes. You're on a beach with an incoming tsunami only a few hundred yards off shore. Again, you survive, barely; but the beach is covered with those who got tangled in their parachute harnesses and drowned - and now you see people selling floats but just as you get yours, the scene changes. You're on dry grassland, and through choking smoke you see wind borne flames sweeping toward you.

Wake up! that's the Windows security business as seen from the customer perspective: everything's reactive; awareness follows disaster, and retroactive remediation just increases the burdens you carry into the next failure.

Now look at it from the seller side: somebody creates a cliff and after enough people fall, you get a sellers market for parachutes; somebody creates a tsunami, you get a seller's market for life preservers; somebody creates a grass fire, you get to sell smoke scrubbers in volume.

So why do customers put up with this when Unix on SPARC or PPC offers near total immunity to all of it and even Mactel and Lintel, despite their reliance on x86, offer much more difficult targets to attackers?

Some contributing reasons are obvious: for example the moral hazard imposed on IT staff by asking people whose jobs depend on the employer's continued vulnerability to develop effective counter-measures has to be a factor - and, similarly, the typical executive assumption that computers are career killing tarpits of cost increases, public failure, and unmet expectations combines nicely with the fear of social contamination by nerdish thinking they learnt as high school's pretty party people to explain why so many leave foxes in charge of the IT hen house.

By themselves, however, these are partial, and insufficient, explanations. Overall, the industry's behavior is so utterly irrational that something more is needed - and I have a candidate: Stockholm Syndrome.

Held for long enough, or under sufficiently brutal conditions, kidnap victims start to identify with their abusers - and will often continue to defend the criminals involved long after they've been physically freed.

Thus this blog post will draw angry responses from Wintel people who will maintain worms and viruses are simply nickel and dime costs of doing business, a testimonial to the market success of their favorite architecture - and that the only reason these kinds of attacks don't pose much of a problem in the Unix community is that there simply aren't enough Unix targets to bother with.

In reality, the cost of the Windows Security illusion runs into the tens of billions of dollars per year; millions of individuals have suffered significant harm from individual attacks; companies exposing confidential data to attackers have been driven out of business; major government organizations, from the U.S. Air Force to The British National Health, have suffered embarrassing shutdowns and losses - and it's all an unending testimonial to the many points of failure built into the Wintel architecture

Stockholm Syndrome describes the relentless focus on after the fact reactivity - I mean, sure some people defend the PC security industry because their jobs depend on it; and, yes, many bosses look the other way because they lack courage or commitment, but the real bottom line is that the industry's behavior looks like Stockholm Syndrome writ large: a long term, deeply emotional, and utterly irrational continuing defense of the indefensible.

Editorial standards