Since September 11, 2001, airport security in the United States has become stricter and more annoying for passengers. Yet you regularly see stories in the media about how tests of these security systems reveal that all this security is regularly bypassed. The DHS (Department of Homeland Security) issues press releases about measures taken to deal with the problem, and all is forgotten until the next round of embarrassing media tests of the security.
The situation is worse when it comes to Internet security, even though most large companies (and many smaller ones) employ security firms to carry out “penetration tests” of their networks to see if they are secure. More companies are becoming aware that these penetration tests are of limited value, and the reason is that the penetration testers face many restrictions on what they can do. Many of the things hackers do are illegal, and these transgressions are generally not permitted for those performing penetration tests on company security, even when executives are willing to allow anything. The lawyers point out that letting penetration testers act like actual hackers would involve illegal acts outside the premises of the company being tested and expose the company to prosecution. A few companies ignore the legal risk and find penetration testers equally willing to do what it takes, but this is rare.
The existence of this flaw is one reason security firms constantly pester the government to build a very expensive but realistic test bed: a reproduction of most of the elements that hackers can exploit to get into a network connected to the Internet. So far no government has been willing to put up the cash needed (up to half a billion dollars) to build such a facility. In the meantime, many governments (especially China, North Korea and Russia) let their hackers break all sorts of international laws just for practice.