Sunday, August 17, 2008

6,000 to 6,000,000,000 in 25 Years

On November the 7th, 1988, USA Today reported that the world's first Internet worm, the Morris virus, had effectively propagated itself to 6,000 computers:

The "virus" - a rogue program planted by a high-tech vandal - showed up last Wednesday, duplicating itself rapidly and using vast quantities of computer space. It apparently didn't destroy any information, but it clogged an estimated 6,000 computers at universities and military labs.

Though there is some dispute over this estimate, that 6,000 number fairly accurately describes the reach of a virus back then (it was estimated that 10% of 60,000 hosts connected to the Internet were affected.)

Today, a 6,000 PC outbreak would barely rate a mention outside the targeted organization.

Part of the reason is the massive scale of our telecommunications networks, worldwide. Two years prior to the publishing of the USA Today article, the number of hosts on the Internet was less than 2,000. In the year immediately after the publication, the number more than doubled - to 130,000 (

The growth has not abated. Today, the number of networked devices in need of protection has grown to an estimated 3 billion, possibly as many as 3.5 billion, if you include computers along with consumer cell phones.

This hard-to-believe 3 billion cell phone estimate comes from a reputable source - Jan Chipchase, one of the lead researchers at Nokia. He estimates that within another two years, i.e. by 2010, another billion cell phones will come online (according to the ITU, China turned on its 601 millionth cell phone at the end of March, 2008.)

Which means that if current trends continue, we're talking close to 6,000,000,000 networked devices online by the end of 2013.

This remarkable difference in scale - and the fact that in three to five years, the total number of potentially vulnerable networked devices could be almost 1,000,000 times larger than it was when USA Today reported on the above story in 1988 - is interesting to ponder in terms of past and future risk mitigation efforts.

As Chipchase reported in his TED talk, there are three objects that consumers grab when they leave home - their keys, their money, and their (increasingly, Internet-enabled) cell phone.

Yet, if several of the start-ups that others and I are involved in have their way, within a few years, you will simply grab your cell phone on the way out the door: your house security and your cash will be embedded.

The door will lock behind you (upon you entering the correct PIN), and your SIM will be loaded with more cash than you currently carry with you in your wallet. Which means your entire assets are going to be IP-based and in need of protection - the kind of protection currently offered by a mere handful of non-government threat mitigation companies.

This is worthy of study. I happen to think that the researchers and engineers at the antivirus and antispyware and firewall companies have done a pretty stunning job of keeping devices (and their users) protected over the twenty years since the Morris worm outbreak.

But have we factored in enough R&D, enough new staff hires and training, enough process automation, enough industry cooperation, to take into account the fact that a consumer's entire asset base will be online, not to mention the exponential rise in networked devices?

Are we adequately prepared for the fast-approaching situation in which the average consumer will effectively place their assets (or access to them) entirely in digital form, lock their houses via the Internet, or trust their lives to a networked heart monitor or medicine dispenser?

Back in 1988, there were few assets at risk - and no antimalware software. Authentium (Command) was one of the first to release a professional antimalware scanner in product form, with F-Prot Professional, in 1992 - and at the time of our v1.0 release, we protected computers from an incredible one hundred viruses.

Now, our complete update file contains almost one million signatures, a number that, like Moore's law, has been doubling roughly every eighteen months since that first release.

The fact that both key variables - the number of networked devices and the number of signatures - are trending exponentially suggests that in the next few years, we are going to see some quite different approaches to security emerge, if only to alleviate the tax on networks due to update (and scanner upgrade) delivery.

Like the innovations of before, these innovations will come from the private sector, but this time, the stakes are significantly higher, as the world moves to a scenario in which a majority of the world's population and assets are online - including all the criminals, device blueprints, and software exploits.

Our own SafeCentral service provides a hint of one such innovation - it doesn't use definition files, and doesn't require knowledge of the malware targeting the user. There will be others.

Note: Yes, I know that some of the cell phones I'm referring to here are not "Internet-enabled" as such, but that doesn't mean they're immune to malware - the core subject of this blog entry. If you're interested in what cell phone viruses look like, read this.
