One billion-plus accounts stolen in one online heist. The U.S. presidential election messed with by another country. Corporate secrets stolen and released on the internet on a regular basis. More and more data held hostage by ransomware. Stock markets routinely manipulated by hackers. Denial-of-service attacks whacking websites all over the place.

Will computer security ever get better? Or is this the way things are and we simply have to live with it?

For a long time I’ve speculated that it would take a tipping-point event for the world to stop treating the horrible current state of security as business as usual. It would take a major shutdown of most of the internet or the major stock exchanges for a day or longer. Nothing else would be shocking enough. Everything else is business as usual.

But maybe a global catastrophic event would not be enough. Maybe what we have now is what we have for the foreseeable future. I’ve long worried that this might be the case, but I haven’t wanted to admit it as a realistic possibility.


Even after the huge financial crisis, from which the world is still recovering, relatively weak regulations were put in place to stop it from happening again. In the United States, those regulations are likely to be undone by the next Congress. This shouldn’t surprise anyone: No one in government was fired for undermining regulations prior to the meltdown, which made the whole mess almost inevitable.

The point is that the huge theoretical risk of bad internet security is acceptable to almost everyone … until it’s not. Even if the worst happens, it’s unlikely anyone will actually get in trouble, much less fired. If you think of risk management that way—the real way every human being measures it—then what we have is good enough.

I don’t like this idea at all. But I need to stop living in a dream world where everyone suddenly realizes how bad internet security is and actually demands something better. The fact is, we could make the internet significantly more secure today for relatively low cost and most users would support it. But lack of accountability means it’s not going to happen.