I’d like to share an essay that knocked me out of my normal orbit yesterday and I think is well-worth reading.
In March, Professor Odlyzko published a contrarian view to the current state of cybersecurity,‘ Cybersecurity is not very important ‘ (pdf). He operates within the fields of computational complexity, cryptography, mathematics, and the diffusion of that knowledge of technological innovation.
The abstract summarizes the paper well:
There is a rising tide of security breaches. There is an even faster rising tide of hysteria over the ostensible reason for these breaches, namely the deficient state of our information infrastructure. Yet the world is doing remarkably well overall, and has not suffered any of the oft-threatened giant digital catastrophes. This continuing general progress of society suggests that cyber security is not very important. Adaptations to cyberspace of techniques that worked to protect the traditional physical world have been the main means of mitigating the problems that occurred. This “chewing gum and baling wire” approach is likely to continue to be the basic method of handling problems that arise, and to provide adequate levels of security. (emphasis added)
Here are some of the most interesting bits:
- ‘Cybersecurity’ isn’t as important as many ‘non-cyber’ dangers such as asteroid strikes, hurricanes, and pandemics.
- The ‘digital Pearl Harbor’ hasn’t happened yet. When it does, the world will adapt to it.
- Cybersecurity generally, and information security in particular, rely on the ‘real’ world for resilience: repair via backup+restore, legal processes, and insurance.
- We don’t know how to build secure systems of substantial complexity, but we can build small systems with limited functionality that are secure such as logging systems.
- Many ‘obvious’ security measures such as multi-factor authentication have been traded off to meet other goals such as convenience.
- “There are many ways to improve cybersecurity even without new inventions.”
The assertions and arguments supporting them blew up my day with intense questioning and thought.
For now let’s dig into the last point on improving cybersecurity even without new inventions.
There’s value in the mundane and simple
There are many ways to improve cybersecurity even without new inventions. As a recent piece notes, “most of our security vulnerabilities arises from poor practice, not from inadequate technology”. What that means is that one has to be modest in expectations for anything truly novel. It may be a worthwhile goal to try for a “moonshot” or “silver bullet” technological solution, in order to inspire the designers. But even if some dramatic breakthrough is achieved, it will still have to compete with a slew of other, more modest “Band-Aid style approaches. So other factor than pure effectiveness, such as ease of use, may easily dominate, and result in slow or no adoption.
The straightforward way to improve cybersecurity is generally mundane stuff we already know about such as:
- Robust authentication and access control systems, e.g. multi-factor auth
- Safer tools and languages that prevent, e.g. buffer overflows
- System and application library updates and quick deployment
- Deploying processes into appropriately isolated security and fault domains
- Detection of unexpected or unauthorized changes
- Reliable system backup and restore
When you enhance your build, delivery, deployment, and operational systems and processes with the capabilities above, you’re “Doing The (mundane) Work” to make your systems safer.
I hope you find some JOY in that.
#NoDrama
p.s. Bruce Schneier remarked that the cyber world’s use of the physical world for resilience breaks down when computers are physically capable. That’s an important thread to explore, too.
