The panelists noted the era of the advanced persistent threat (APT), targeted attacks by governments or industrial spies to steal critical information, is upon us, with company after company being hit and critical information stolen. APTs against companies mean absolute security matters, said Schneier, which he added, is freakin hard. We are terrible as an industry dealing with the targeted attacker.

 The buying and selling of software and hardware vulnerabilities is now a big business, pointed out Ranum. He said he wouldnt be surprised if young people going into the high-tech industry ended up getting lured by thoughts or promises of money into putting vulnerabilities into products just to be able to sell knowledge about such weaknesses. Schneier said theres serious money in vulnerabilities, noting that you can sell them to the U.S. government now.

The situation with distributed denial of service (DDoS) is also serious today, with known DDoS attacks now hitting 123Gbps, said Moss. Weve entered a realm where its impossible to defend yourself against DDoS floods that large.

The number of known data breaches just keeps piling up over the years, but consumers that have had their personally identifiable information lost or stolen are finding that lawsuits arent generally effective, Granick pointed out. She also said that the law expects to see a standard of care of a reasonable person, but there theres little formal consensus on that in computer security and among security experts, who often leave people mystified by what theyre talking about.

The panel turned a bit argumentative when it came to discussing Stuxnet and Flame, now believed to be cyber-weapons created by the U.S. with Israel, with President Obama secretly ordering an attack on an Iranian facility suspected of trying to develop nuclear weapons.