Published: November 22, 2011
A Better Way to Battle Malware

Taking a step beyond viruses, worms — the now-common term coined by John Brunner in his 1975 novel, The Shockwave Rider (Harper & Row) — began wriggling into the security landscape in the late 1980s. Whereas viruses simply infect a computer program (or files), worms go further by copying themselves between systems. Using security flaws known as back doors, worms propagate without the help of a careless user. The 1988 Morris worm penetrated and expanded on both DEC and Sun machines and infected about 6,000 of the 60,000 hosts on the nascent Arpanet. (Robert Morris, the worm’s creator, was the first person to be prosecuted and convicted under the 1986 Computer Fraud and Abuse Act.)

A critical point in the evolution of the Internet — and in the rising risk to information security — came with e-mail, the first sanctioned commercial use of the Internet. History credits Ray Tomlinson with inventing e-mail for Arpanet in 1971, but CompuServe, MCI Mail, and OnTyme first offered interconnected e-mail services to the masses in 1989. That same year marked the introduction of hypertext and the World Wide Web. Suddenly, the increasingly ubiquitous personal computers could share information through simple dialup services. By 1991, the number of host sites on the Internet stood at 600,000 — 10 times the number in existence three years before, when the Morris worm had wreaked its havoc. A year later, hosts passed the 1 million mark, and the number began doubling every three months.

Over the following decade, distributed computing contributed to massive increases in productivity but also introduced a cybersecurity arms race. Empowered users added devices to the network while IT professionals sought to add firewalls and other forms of protection to block increasingly clever and malicious hackers. Today, corporate IT executives shop the aisles of the annual RSA conference in San Francisco for literally thousands of security solutions. But individually, each solution provides little real security.

Similarly, individual users suffer productivity losses ranging from the minor intrusion of spam to the catastrophic malware-driven computer crash. Headlines make users increasingly wary of privacy risks as diverse as the relatively benign intrusion of cookies that track user behavior and the fear of identity theft through corporate hacking, such as the 46 million customer records breached in a 2007 incident involving retailer T.J. Maxx.

Despite spending money on increasingly sophisticated tools, CIOs often feel like the Dutch boy plugging the hole in the dike with his finger. Other senior executives rarely appreciate the magnitude of the risk or the amount of backroom work required to minimize that risk. Mostly, the CEO sees an ever-growing IT budget for a wide array of tools and patches, but no comprehensive solution. To change that dynamic, executives should reflect on the lessons of the quality revolution. While computer scientists were envisioning the opportunities of the Internet and the pending risks, quality professionals managed to recruit the executive suite and the masses to produce a sea change in attitudes about the importance of, and expectations for, product quality.

Learning from Quality

Preventing the spread of malware presents a challenge similar to the elimination of errors in the operations realm, and we propose that the evolution of thinking about product quality offers managers useful lessons about how to eliminate malware. Expectations about product quality have shifted dramatically over the past 40 years. In the 1970s, consumers had become accustomed to buying new products, whether toasters or automobiles, that had been designed, built, and shipped with inherent flaws, and companies commonly sorted through supplier shipments to ensure an “acceptable quality level” (often 95 to 99 percent), which was deemed good enough for the captive consumers of that time. Today, consumers expect new products to work flawlessly from the moment they buy them. Companies no longer inspect incoming goods but hold suppliers accountable for delivering “Six Sigma quality” measured in parts per million, with single-digit targets.
