Consider the following thought experiment: divide the world into two camps: the first consists of legitimate organisations that follow the rules and get on with their missions, while the second exists solely to steal from the first. Let us refer to the first as the blue camp and the second as the red camp.
Naturally, for the reds, this is a numbers game: find the blues' vulnerabilities and exploit them. The higher reds' conversion rate from contact to payment, the more money they will make. It would be a mistake to believe that just because the reds are criminals means they are stupid, because they are not. The activities of the reds are frequently very profitable, and some of this money is invested back into the "business" to develop better methods of taking money from the blues. After all, the higher the conversion rate, the higher the income, the more productive the reds' methods are.
To misquote and misuse Newton's third law, "for every action, there is an equal and opposite reaction," to defend themselves, the blues must work harder and harder, which includes developing their own tools and techniques. This has now devolved into an arms race. Those in the red camp must constantly improve their techniques in order to maximise the output for their "businesses," while those in the blue camp must constantly improve their defences in order to minimise their losses.
A well-organized red will make enormous sums of money, and criminal activities will be run as a business. Employees will pay taxes, there will be a management structure, and who knows, perhaps they will even have pension plans in place. My point is that the red camp is tolerated to the point of legitimacy by its local authorities. There are a variety of reasons for this, ranging from obvious financial reasons (bribery) to illicit political reasons; the red camp is thriving.
Organizations that take cyber security seriously and have a structured defence are doing well in the blue camp. The defence should, of course, be proportional to the threat. A builder's merchant, for example, would not be expected to have the same cyber security in place as a bank. Reasonable and structured responses are essential in this situation.
There are a number of schemes available for this purpose, including Cyber Essentials, Cyber Essentials Plus, and ISO 27001, to name a few. As time passes, these schemes evolve to provide varying quantified and structured defences. As the reds advance, so must the blues, and these schemes are doing a good job of keeping up with them at various levels.
Who knows where the ongoing arms race will lead, and to return to the original question, "what will be the end result of the cyber-criminal/cyber-security war?" My prediction is that we will live in a world where malicious artificial intelligences (AIs) try to steal from the blue camp, which will be defended by its own AIs. When people can't tell whether they're talking to the person they think they're talking to or a machine pretending to be that person, we'll need AI to help us authenticate what's real. In a world where nothing can be trusted, mere humans may be unable to communicate safely online without such assistance.
However, we are not there yet, and organisations should look to adopt the appropriate scheme for the level of security they require for the time being.
