In my last column,
I reviewed the top security developments of 2004. Now I’m going to extrapolate
from those trends to the ones I see affecting IT security in 2005, both here and abroad.
First, I’ll begin with a few easy predictions.

  • Malware attacks will get worse, or at least more
  • The Homeland Security Department and the White
    House Office of Science and Technology Policy won’t do anything helpful for
    network security professionals, but some new regulations may cause more
  • More serious flaws will be discovered in
    non-Microsoft browsers and operating systems. This is likely to occur on an
    accelerated basis simply because many businesses are turning to Microsoft
    alternatives, making them bigger targets.
  • Phishing attacks will continue to surge.
  • The time between discovery of vulnerabilities
    and the appearance of exploits will grow ever shorter.
  • There will be an increasing realization that
    antivirus software with weekly updates is inadequate to combat threats that
    appear, spread like wildfire, and compromise millions of PCs and networks within
    a few hours.
  • The CAN-Spam Act will be viewed as a total
    failure. California had proven that regulating spam doesn’t work and was
    planning to outlaw it completely, so Congress trumped state regulators by
    passing a weak “antispam” law, which actually provided legal loopholes for spamming
    people, thus protecting direct marketers. Spam volume is still surging from
    this boost, and 2005 will be the worst spam year in history, to date. Spam
    killer tools are improving and will begin to reduce the threat by the end of
    2005, unless, of course, Congress gives even more unwitting legal protection to
Spyware will quickly become the biggest single threat to
corporate IT departments. Individuals will plant spyware to watch their
neighbors in the next cubicle; executives will authorize spyware to watch
workers; outside hackers will use spyware to steal IT secrets; competitors will
use spyware to steal business secrets; and script kiddies will flood the world
with spyware just because they can.

Having authorized spyware makes it harder to deal with
unauthorized spyware. Spyware not only lets people steal your passwords and
other corporate information; it also compromises your clients’ secrets, and that
will lead to calls for legal action to stop the spread of spyware and punish
companies that fail to control it.

Legacy of failure

When Microsoft updated Windows XP with Service Pack 2, it
was the first time that the company chose better security over legacy support. Since
Microsoft got away with it, other companies, including Linux vendors, will probably
follow the lead and begin to patch holes and update software, even if the fixes
disable popular but dangerous legacy features.

Since legacy support is a major cause of software
vulnerabilities, this will have a slow but positive effect on improving software

Let’s talk money

There are also some less obvious developments that I expect
to see in 2005 and beyond, and some of these developments are not directly
related to IT security but involve economic issues that affect U.S. businesses
and IT departments in general. Keep in mind that I’ve seen a lot of IT history
going back to the punch-card computer days, so my guesses are usually fairly well-grounded.

Look for more big foreign buys of U.S. IT businesses, such
as the recent purchase of IBM’s PC division, but also look for high-profile
failures of some of these purchases after a few years. A few decades ago, Japanese
companies bought up a lot of U.S. real estate (which freed up U.S. capital for
local investment). The market collapsed, leaving the Japanese holding the bag. Look
for Chinese companies to use that country’s massive trade surplus with the U.S.
to buy up things that U.S. companies will be glad to get rid of.

Other important trends are also related to the U.S. deficit
and the fall in value of the U.S. dollar. Gold and oil are mainly purchased
with dollars, so the rising price of both just means the dollar is being

Government policy is obvious—a lower dollar means improved
trade deficits as goods bought mostly from Asia become more expensive in the
U.S., increasing the competitiveness of U.S. workers and making computers assembled
in the U.S. comparatively cheaper.

On the white-collar side, IT managers and software
developers (and even help desk workers whose jobs have gone overseas) will
become more competitive in the global market, and some jobs could migrate back
to the U.S. as a result.

Government and industry self-interest will both drive this
trend as they realize that fewer good jobs in the U.S. mean fewer people will be
able to pay taxes (especially Social Security taxes) and buy goods from U.S.
companies. Buying goods cheaply from China doesn’t help a business if there are
no local buyers it can resell to.

The government has encouraged the retraining of displaced
U.S. workers in computer technology for the past decade, but there has been
little work for those who graduated in the past five years (especially in rural
areas). Many of the jobs they trained for went overseas instead. However, rural
America (such as my part of central Pennsylvania) has a much lower cost of
living than big cities, and IT workers can live quite well on a salary only
half of what they would need in Arlington, Virginia, or Silicon Valley. Thus,
some U.S. companies are looking at “homeshoring” some jobs to workers
that can telecommute rather than sending those jobs overseas, as reported by

End sum

Security professionals and administrators will continue to
be under pressure on a variety of fronts in 2005, with spyware, phishing, and
patch management continuing to cause headaches.

The best news for U.S. IT professionals is that I look for a
resurgence of IT jobs in the U.S. in 2005 as U.S. workers become more
competitively priced, and the cost of overseas outsourcing climbs due to the
fall of the dollar.