Jun 30, 2005

Can Markets Fix Information Security?

An unavoidable realization when working in information security is that you’re profiting from decades of mistakes.

Whether you’re playing defense or offense, one way or another you pay your rent thanks to the misconceptions, ragged implementations, and carelessness of the generations of technologists that came before you. The best hackers on the planet are the best because they’re close to those mistakes and the technologies that allowed for them.

No surprise, then, that pretty much anyone with a long career in information technology understands that overhaul, not incremental patching, is the only definitive solution to the security woes that plague us.

It’s a losing battle. Such a radical overhaul will likely never occur. Hell, we can barely contemplate a global move to IPv6. Even if we collectively decided to move on to Computing 2.0, our conceptual scope can’t account for all potential vulnerabilities. It’s the human condition: we’re all but blind to faults at the time of a creative act. When it comes to something as complex as computers, even hindsight isn’t 20/20; unforeseen vulnerabilities in old software crop up every day.

So, why won’t the overhaul happen? I’d argue that the economics of security don’t work out. Right now, for every white hat making dollars off protecting a network, there’s a black hat with more to gain from breaking into that network.

Now think beyond one network. Spread information security liability and consequences across all industries, across any portion of the global economy that depends on networks to function (i.e., pretty much all of it). Do we have more to gain by collectively sponsoring security initiatives? Of course. Will international governments, militaries, private industries, and non-profits ever coordinate rather than compete? That’s a rhetorical question best left unanswered; suffice it to say that, to date, competition has not left us more secure.

Yeah, I said it. I’m as pro-market as the next post-libertarian, but markets don’t create security. Yet.

Decades ago, people said the same thing about markets and environmentalism. They said that polluting was always cheaper than being green, so industry would continue to pollute. But through advances in technology and revolutionary economic ideas like selling “pollution credits”, industry and environmentalism are no longer polar opposites.

Something similar needs to happen in information security before we see substantive improvement. A combination of technological overhauls and economic refactoring will make security cheap and economically efficient. It’s nice to see that people are thinking about the technical end, but I’m not sure who’s thinking about the economic end.

Talk to me if you know, or if you have thoughts on this subject. Comments are enabled for a change.