
Protecting E-Commerce

On a macro level, one of the biggest problems faced by all participants in e-commerce is a chronic lack of communication about attacks as they happen. It’s understandable in a sense — most companies are naturally apprehensive about disclosing that they’ve been hit by a cybercriminal attack. But the cybercriminal community in part counts on this reticence. Because of it, “the attacking community is able to replicate the exact same thing with the exact same infrastructure, with the exact same subject line of the email, and the exact same line of the attachment from company A to company B, to company C, to company D, to company E,” Witty says. “Which is why you’re seeing so much focus now on information security legislation in congress, because there really needs to be a better sharing framework and structure so that when company A has an issue, they can share that with companies B, C, D, E and F without assuming liability associated with the completeness of that information, or the accuracy of that information, or what company B decides to do with it. It’s kind of the good-Samaritan concept.”

It’s difficult to overstate the importance of the role that information sharing plays in thwarting breaches and other online malfeasance. The ability to share details about an attack — even anonymously — with others in the e-commerce community is one of the greatest weapons that businesses and financial institutions can wield in the war against cybercriminal mayhem. Some sectors of our economy have been sharing details about cyberattacks for years. “In the Clinton administration, the Financial Services Information Sharing and Analysis Center was stood up in 1999,” Witty offers. “There have been banks sharing anonymous attack data with other banks for 15 years. By the way, it doesn’t have to be a successful attack, either.”

The situation is improving, but it’s still far from ideal, as many sectors have been slow to recognize and establish the controls they need to defend themselves against the ongoing siege. “Financial services has a robust information sharing and analysis center,” Witty says. “The energy sector has a fairly robust one. Retail just stood one up after the Target breach. [But] a lot of sectors don’t have one. So it’s not a question of ‘if’; it’s ‘how.’ There just isn’t the underlying plumbing in a lot of cases.”

Back in February, President Obama issued an executive order calling for the creation of Information Sharing and Analysis Organizations (ISAOs), in an effort to encourage businesses to form their own groups for sharing attack data. “I think you’re going to see companies’ willingness to share increase as it becomes the norm that everybody’s being attacked,” Witty suggests. “It’s just helpful to receive information about how everyone is being attacked.”

Information sharing is currently at the center of legislative efforts, balanced by weighty concerns about personal privacy with regard to companies’ sharing of personal information with the government. “There’s a lot of back-and-forth on that,” Witty says. “That is absolutely not what the intent of the information-sharing legislation is all about. It’s about sharing highly technical [information] — ‘How does this particular malware backdoor work?’ or ‘What is the subject line of the email that this fraudulent phishing campaign came in through?’ … They’re highly technical indicators, none of which has anything to do with personal privacy.”
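The boundary Witty draws above, technical indicators go out and personal data stays home, is something a security team can enforce mechanically before a report leaves the building. The following is an added example, not code from the article or from either interviewee: it parses a constructed phishing email (hypothetical domains, names and attachment bytes), keeps only the campaign's fingerprint (sender domain, subject line, URLs, attachment hashes), refuses to emit the record if any recipient address from the message survives in it, and wraps the result as STIX 2.1 Indicator objects of the kind an ISAC or ISAO feed would carry. The sample message and the `company-a.test` / `invoice-portal-example.test` domains are constructed for illustration.

```python
import email
import hashlib
import json
import re
import uuid
from email import policy
from email.utils import getaddresses, parseaddr

# Constructed sample (hypothetical domains, people and payload, not a real
# campaign): a phishing message with a named recipient and an attachment.
RAW_PHISH = b"""From: "Accounts Payable" <ap@invoice-portal-example.test>
To: Jane Doe <jane.doe@company-a.test>
Cc: helpdesk@company-a.test
Subject: Overdue invoice #48213 - action required
Date: Tue, 10 Mar 2015 09:12:00 +0000
Message-ID: <c9f1a0@invoice-portal-example.test>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset=us-ascii

Dear Jane, the invoice is at http://invoice-portal-example.test/dl/48213.exe
--XYZ
Content-Type: application/octet-stream; name="invoice_48213.exe"
Content-Disposition: attachment; filename="invoice_48213.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAA=
--XYZ--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Headers that identify the victim organisation's people; never exported.
PII_HEADERS = ("To", "Cc", "Bcc", "Delivered-To", "X-Original-To")


def extract_indicators(raw: bytes) -> dict:
    """Keep only the campaign's technical fingerprint: sender infrastructure,
    subject line, URLs and attachment hashes. Recipients and body text stay home."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    urls, attachments = set(), []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True) or b""
        if part.get_filename():
            attachments.append({"filename": part.get_filename(),
                                "sha256": hashlib.sha256(payload).hexdigest(),
                                "size": len(payload)})
        elif part.get_content_type() == "text/plain":
            text = payload.decode(part.get_content_charset() or "utf-8", "replace")
            urls.update(URL_RE.findall(text))  # URLs only, never the prose
    return {"sender_domain": sender.rpartition("@")[2],
            "subject": str(msg.get("Subject", "")),
            "urls": sorted(urls),
            "attachments": attachments}


def victim_identifiers(raw: bytes) -> set:
    """Addresses from recipient headers, used to prove nothing personal leaked."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    values = [str(v) for h in PII_HEADERS for v in msg.get_all(h, [])]
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def stix_literal(value: str) -> str:
    """Escape a string for use inside a single-quoted STIX pattern literal."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def to_stix_bundle(record: dict, created: str = "2015-03-10T10:00:00.000Z") -> dict:
    """Wrap the indicators as STIX 2.1 Indicator objects, one pattern each."""
    patterns = [f"[domain-name:value = '{stix_literal(record['sender_domain'])}']",
                f"[email-message:subject = '{stix_literal(record['subject'])}']"]
    patterns += [f"[url:value = '{stix_literal(u)}']" for u in record["urls"]]
    patterns += [f"[file:hashes.'SHA-256' = '{a['sha256']}']" for a in record["attachments"]]
    objects = [{"type": "indicator", "spec_version": "2.1",
                "id": f"indicator--{uuid.uuid4()}",
                "created": created, "modified": created, "valid_from": created,
                "indicator_types": ["malicious-activity"],
                "pattern_type": "stix", "pattern": p} for p in patterns]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def shareable_bundle(raw: bytes) -> dict:
    """Extract, then refuse to emit anything that still names a victim."""
    record = extract_indicators(raw)
    serialized = json.dumps(record).lower()
    leaked = [v for v in victim_identifiers(raw) if v in serialized]
    if leaked:
        raise ValueError(f"refusing to share: victim identifiers present {leaked}")
    return to_stix_bundle(record)


if __name__ == "__main__":
    print(json.dumps(shareable_bundle(RAW_PHISH), indent=2))
```

The leak check is deliberately applied to the serialized output rather than to individual fields, because the place personal data most often survives is an unexpected one, such as a subject line that quotes the recipient's address; the example's guard catches exactly that case and refuses to produce a bundle.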

Even as information sharing occupies center stage of the legislative discussion, both Witty and Phillips are among those looking ahead to where the future battlegrounds of e-commerce security, and of national and personal information security, will be. For Phillips, the cultural shift that has made people start taking e-commerce security seriously needs to go further: consumers should hold the manufacturers of the devices they increasingly rely on accountable for at least part of the security burden that now falls almost entirely on the end user. “I really just think that as a culture, we have to push people to make the manufacturers of these things accountable for delivering these things and minimally doing some degree of security themselves, because as consumers, we won’t know what’s going on with these products when we get them, and we shouldn’t be expected to know — and it shouldn’t be in some 500-page, really small print [document] that if I don’t click something, then I’m willing to send [data] out of my house.

“Remember when we first got our home wireless ports?” he continues. “They were all unencrypted. And it just took a lot of pressure from the consumer to say, ‘Look, I should not be expected to try to figure out how to put encryption on this thing.’ Then the legislation came out that said they had to all ship with it enabled. It’s just that simple, but the point is that if people don’t come together and make this point as a collective, that’s when we’re just going to continue facing these things. And there are ways to secure these things — it’s not that they’re not securable. [The threat actors], they’re very much aware of the vulnerabilities in a lot of the stuff that comes out. And that’s what makes it easy for them. From a legislative perspective, we’re not doing anything to prevent it.”

According to Witty, we should expect the discussion of e-commerce security to extend far past our own borders when the information-sharing issues eventually are more or less settled. “We need to define norms of behavior when countries are starting to use cyberweapons against companies, and what types of activities are OK, or what type of activities could trip a line that everybody agrees is going to start moving toward active war-type stuff,” he cautions. “That’s not defined right now. There’s no agreement on that between countries internationally. … The next step is going through this discussion around norms, and really starting to define that every country’s going to do clandestine operations, and have intelligence collection processes and that sort of thing. Espionage-type stuff is going to happen, and computers are going to be used as part of that process. But there are certain things that would be considered non-normal, like stealing intellectual property from a company specifically to win a big trade deal. Those types of actions. That’s where I think the conversation’s going to end up going once information sharing is kind of behind us.”

What’s perhaps most dangerous and most concerning in all of this is the urgency with which these matters need to be dealt with, set against their complexity: the technology that keeps reshaping our lives in ways we never imagined is already well ahead of our ability to secure it, and each new development brings fresh security concerns with it. “The pace of technology has outpaced our ability to secure it,” Witty says. “Generally speaking, there are 7 billion people on our planet. There are 6 billion mobile phones. That’s kind of interesting. There are roughly 20 times as many devices connected to the Internet right now as we have people on our planet — that’s according to figures from Cisco. Just how hyper-connected we’ve gotten, how hyper-social and hyper-mobile — that creates a dynamic that the human race has never seen before. Completely unprecedented.

“If you look at the global market for cybersecurity in 2015, products and services, it’s basically a $77 billion market,” he continues. “That is at an all-time high. If you look at the cost of breaches and fraud, and cybercriminal activity in 2014, McAfee estimates that that was a $575 billion conservative estimate. … That amount of funding has basically caused a very large shift in the way that we need to think about this problem, because you’re not talking about a part-time adversary. You’re talking about somebody who’s highly motivated, highly funded and highly technical.”

The motivation clearly is there for the black hat elements to continue bullying their way around the Internet and exploiting vulnerabilities to their advantage. Because their methods and technology are constantly in flux, defending against these threat actors can never be a static responsibility, particularly in the fields of e-commerce, finance and healthcare, where so much is at stake. Information security professionals will need to keep adapting how they think about the problem and, crucially, learn to communicate and collaborate as a community for the best chance of stanching the hemorrhage of data and resources that chips away at our legitimate commercial, financial, personal and national interests.

Five Rules for E-Commerce and Other Online Security

In the war for e-commerce and other information security, cyberthreat actors have numerous distinct advantages, not least the fact that to exploit a vulnerability, they only need to get lucky once, whereas companies need to be vigilant at all times. To maintain your organization’s highest possible security standards, it’s a good idea to keep in mind the following commandments of e-commerce and online security:

1. Never assume that a cyberattack is not going to happen to your company. Adopt a framework that assumes that a breach has already occurred and plan — and act — accordingly.

2. If your organization has sustained an attack — successful or not — do the right thing: Share what you know about the attack with others in your business community.

3. Train your personnel on practicing secure use of information technologies and test them on their knowledge. A little investment up front in this regard can pay off millions of times over down the line.

4. Know your organization’s information assets and secure them as the valuable property they are.

5. Ensure that your information infrastructure’s hygiene is well and consistently maintained. Keep devices, operating systems, applications and other hardware and software up to date with current patches and supported releases.