It's no longer enough to create working code. We must now put serious energy and deliberate thought into securing our code, the data it works on, and the users who rely on it. I'm convinced that we are headed toward a series of crises – in fact, the crises have already begun. And as near as I can tell, there's no solution in sight.

There's more malware out there than ever before. Viruses, worms, trojans, rookits, back doors, intrusions, spyware, botnets, cross-site scripting, proxies, SMTP threats, SQL injection, header splitting, keystroke loggers, screen loggers, e-mail redirectors, IM redirectors, session hijackers, ransomware, transaction generators, dialers, denial-of-service attacks, DNS poisoning, SEO abuse, phishing, pharming, data-mining, man-in-the-middle attacks, pump-and-dump stock scams, social engineering exploits, riskware, pornware, identity theft, social-media character assassination...the list goes on and on. Most of this has been with us for years, of course, growing at a predictable (if alarming) rate. All indications are that the rate of infection has grown dramatically in recent months, and it is about to explode.

Part of the story is that hackers are becoming more sophisticated in their attack methods. There's real money to be made in hijacking user data, and the money has attracted a new breed of for-profit hackers. A quick search of the Internet will convince you that it's simple to download all the software components you need to breach most security systems. The software toolkits are powerful, effective, and widely shared. Globe-spanning hacker syndicates are at work 24 hours a day, devising and sharing techniques for breaking through defenses. It's big business.

At the same time, the number of vulnerable platforms with sufficient installation numbers to attract hackers has grown rapidly. Yes, most attacks are still targeted at Windows PCs and Web servers. But recent months have given us dramatic evidence that new platforms are vulnerable. Smart phones, SCADA installations, embedded systems, utility grids, and smart cities are all coming under attack. Portable systems fall into the wrong hands easily and frequently. Revisions to Windows, iOS, Linux, HTML, Java, Office, and Android promise to fall to new generations of malware. A recent report from Columbia University researchers demonstrates that Web-accessible laser printers can be instructed to make paper smoulder, and perhaps catch fire. Hackers can use your phone to track your location or take photographs under remote control. If your e-mail isn't being intercepted, read, and revised, it's because you haven't been targeted, not because hackers are incapable. If you've got the money, you can install a monitor to intercept data flowing through the fiber-optic cables that route Internet traffic across the ocean floor, SSL or no SSL.

Service providers are collecting terabytes of user data, often without disclosing the fact. Providers know what Web sites we visit, what we buy, where we take our mobile phones, when we read and answer e-mail, what we're reading on our tablets, which files we download to our e-readers, and all the details of our banking relationships. Even if they don't intend abuse, the data is now subject to external attack. It's not enough to secure the systems under our control – our service providers' systems must be secure too.

And it's not just hackers we have to worry about. Government and law-enforcement agencies are increasing their power to access data, shut down Web sites, shutter businesses, and track users without the benefit of trial – or even, in many cases, the minimal protection of a subpoena. Congress is debating legislation that would extend much of this power to corporations.

We haven't even talked about cloud computing. IT shops are increasingly called upon to secure data that isn't stored on-site. Data-transfer channels are vulnerable to eavesdropping. Cloud service providers are vulnerable to attack. Providers may store information on servers in a country whose laws are not strict enough to provide base-level protection. Authentication systems and backup programs may not be sufficient to keep data secure.

As if all of this weren't enough, it is clear that skirmishes have already begun in a new generation of international cyberwar. State-sponsored and state-developed malware has targeted users, corporations, industries, and utility grids across international borders. Nations, including the United States, have gathered tremendous resources to blow through conventional firewalls, encryption routines, and user authentication systems with ease. Except for the Stuxnet trojan that apparently set back Iran's nuclear program a few months or years, most of these attacks have been small-scale efforts so far – proof-of-concept demonstrations, little more. When the real cyber-shooting starts, we will all sit in the crossfire.

My research has convinced me that the security technology we are currently employing to protect ourselves is laughably impotent in the face of current threats – much less the new threats that will arrive over the next 12 to 18 months.

This year saw the death of Robert Morris, a cryptographer and computer scientist who contributed to Unix and did research at AT&T Bell Labs for 26 years before joining the National Security Agency's Computer Security Center as chief scientist – essentially, cryptographer-in-chief of the United States. Morris had three simple rules for computer security: “Do not own a computer; do not power it on; and do not use it.”

Morris's tongue-in-cheek advice seems grimly relevant today.

Web recommendation: Ah, the Internet. What did we ever do before we had such an accommodating home for rants and flame wars? I admit it: I can't resist reading the occasional over-the-top Web post and scrolling through the outraged comments that follow. My new favorite is “Why I’ve finally had it with my Linux server and I’m moving back to Windows” over at ZDNet (right around the corner from us, in Web terms). I don't want to start a flame war here, so I'll simply say that I can relate to what blogger David Gewirtz has to say. J.D. says check it out.

J.D. Hildebrand has written hundreds of articles for dozens of publications and online communities dedicated to software development. He believes the system he used for writing this column is virus-free. But hey, what are the odds?