<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Haft of the Spear</title>
	<atom:link href="http://www.haftofthespear.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.haftofthespear.com</link>
	<description>Ruminating on issues related to the pointy end</description>
	<lastBuildDate>Sat, 20 Apr 2013 13:46:22 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>Explaining Computer Security Through the Lens of Boston</title>
		<link>http://www.haftofthespear.com/explaining-computer-security-through-the-lens-of-boston/</link>
		<comments>http://www.haftofthespear.com/explaining-computer-security-through-the-lens-of-boston/#comments</comments>
		<pubDate>Sat, 20 Apr 2013 13:46:22 +0000</pubDate>
		<dc:creator>Mike</dc:creator>
				<category><![CDATA[computer security]]></category>
		<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Reform]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[technology]]></category>
		<category><![CDATA[terrorism]]></category>
		<category><![CDATA[Threat]]></category>
		<category><![CDATA[attack]]></category>
		<category><![CDATA[boston]]></category>
		<category><![CDATA[compusec]]></category>
		<category><![CDATA[crime]]></category>
		<category><![CDATA[domestic terrorism]]></category>
		<category><![CDATA[forensics]]></category>
		<category><![CDATA[terror]]></category>

		<guid isPermaLink="false">http://www.haftofthespear.com/?p=2147</guid>
		<description><![CDATA[An attempt to use current events to help make sense of computer security.<p class="more-link-p"><a class="more-link" href="http://www.haftofthespear.com/explaining-computer-security-through-the-lens-of-boston/">Read more &#8594;</a></p>]]></description>
				<content:encoded><![CDATA[<p><i>Events surrounding the attack at the Boston Marathon, and the subsequent manhunt, are on-going as this is being drafted. Details may change, but the conclusions should not.</i></p>
<p>This is by no means an effort to equate terrorism and its horrible aftermath to an intrusion or data breach (which is trivial by comparison), merely an attempt to use current events in the physical world – which people tend to understand more readily &#8211; to help make sense of computer security – a complicated and multi-faceted problem few understand well.</p>
<ol>
<li>You are vulnerable to attack at any time. From an attacker’s perspective the Boston Marathon is a great opportunity (lots of people close together), but a rare one (only happens once a year). Your business on-line however, is an opportunity that presents itself 24/7. You can no more protect your enterprise against attack than the marathon could have been run inside of a giant blast-proof <a href="http://www.habitrail.com/">Habitrail</a>. Anyone who tells you different is asking you to buy the digital equivalent of a Habitrail.</li>
<li>It doesn&#8217;t take much to cause damage. In cyberspace everyone is atwitter about “advanced” threats, but <a href="http://www.darkreading.com/attacks-breaches/advanced-persistent-threats-not-so-advan/240151964">most of the techniques that cause problems online are not advanced</a>. Why would you expose your best weapons when simple ones will do? In the physical world there is the complicating factor of getting engineered weapons to places that are not war zones, but like the improvised explosives used in Boston, <a href="http://www.theverge.com/2013/3/29/4159942/the-digital-arms-race-is-funding-a-black-market-for-exploits">digital weapons are easy to obtain</a> or, if you’re clever enough, build yourself.</li>
<li>Don’t hold out hope for closure. Unless what happens to you online is worthy of a multi-jurisdictional &#8211; even international &#8211; law enforcement effort, forget about trying to find someone to pay for what happened to you. If they’re careful, the people who attack you will never be caught. Crimes in the real world have evidence that can be analyzed; digital attacks <em>might</em> leave evidence behind, but you can&#8217;t always count on that. As I put fingers to keyboard one suspect behind the Boston bombing is dead and the other the subject of a massive manhunt, but that wouldn&#8217;t have happened if the suspects had not made some kind of mistake(s). Robbing 7-11s, <a href="http://timesleader.com/news/news/446657/One-Boston-Marathon-bombing-suspect-killed-in-night-of-gunfire-carjacking-explosives">shooting cops and throwing explosives</a> from a moving vehicle are not the marks of professionals. Who gets convicted of computer crimes? The greedy and the careless.</li>
</ol>
<p>The response to the bombings in Boston reflects an exposure – direct or indirect – to 10+ years of war. If this had happened in 2001 <a href="http://www.foxnews.com/health/2013/04/18/war-medicine-helping-boston-bomb-victims/">there probably would have been more fatalities</a>. That’s a lesson system owners (who are perpetually under digital fire) should take to heart: pay attention to what works – rapid response mechanisms, democratizing capabilities, resilience – and invest your precious security dollars accordingly.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.haftofthespear.com/explaining-computer-security-through-the-lens-of-boston/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Three Things You Cannot Do In Computer Security</title>
		<link>http://www.haftofthespear.com/three-things-you-cannot-do-in-computer-security/</link>
		<comments>http://www.haftofthespear.com/three-things-you-cannot-do-in-computer-security/#comments</comments>
		<pubDate>Fri, 12 Apr 2013 11:19:21 +0000</pubDate>
		<dc:creator>Mike</dc:creator>
				<category><![CDATA[computer security]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Reform]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[technology]]></category>
		<category><![CDATA[cybersecurity]]></category>

		<guid isPermaLink="false">http://www.haftofthespear.com/?p=2142</guid>
		<description><![CDATA[No one seems to mind that everyone has signed up for collective victim-hood.<p class="more-link-p"><a class="more-link" href="http://www.haftofthespear.com/three-things-you-cannot-do-in-computer-security/">Read more &#8594;</a></p>]]></description>
				<content:encoded><![CDATA[<p>Computer security is one of those fields where “everyone knows” what and how things are supposed to be done. The problem is that no matter how well you follow the best advice, you’re still going to become a victim of someone else’s malice. This isn&#8217;t because what “everyone knows” about computer security is wrong universally, but because it is not <a title="Heston as Moses" href="http://www.thelostogle.com/wp-content/uploads/2012/11/Charlton-Heston-Moses-10-commandments.jpg" target="_blank">written on stone tablets brought down from on high</a>. The best advice for you might be complete rubbish for me because we’re in different businesses. If there are any constants in computer security they are almost certainly:</p>
<ol>
<li>You Cannot Stop Attacks. Anti-virus isn&#8217;t enough; intrusion prevention doesn&#8217;t prevent. Anything a good guy can buy a bad guy can buy…and then find their way around. Even security products have holes in them. Some of the cleverest bad guys will target your people, who have a tendency to act irrationally and for whom there are no rule sets you can configure. You’re going to get attacked; you probably already have been and <a href="https://idradar.com/news-stories/digital-privacy/Data-Breaches-Undetected-For-Months-Retailers-Top-Target" target="_blank">you just don’t know it yet</a>. There was never anything you could have done to stop it except get offline, and you cannot do that.</li>
<li>You Cannot Raise Attacker Costs. That is to say, you can’t raise their costs without a corresponding financial escalation on your part. Did you think people promoting that approach weren&#8217;t trying to sell you something? You buy hardware and software to help you carry out your business. <em>You buy security appliances and tools and advice because you’re not in the security business</em>. The bad guys break hardware and software for a living:<em> that’s their business</em>. In order for you to raise their costs you would have to get into the security business in one way or another; doing what the bad guys do – or paying someone to do it for you – and fixing what’s broken before someone else finds out about it. “Raising attacker costs” is just another way of saying, “spend more money on security” and tight budgets mean you cannot do that.</li>
<li>You Cannot Break the Mold. If you minimized your investment in traditional security mechanisms – did the bare minimum regulation and good sense required &#8211; and spent what you saved in a reward scheme for employees who followed security policy, would you reduce the number of incidents you suffered in a year? If you re-focused your energies towards “preparation” and not “prevention” would incident response still be an expensive catastrophe or just a cheap nuisance? You’re doing what everyone else is doing and everyone is coming up short, yet if you’re not doing what everyone else is doing, “they” tell you you’re doing it wrong. That’s how victims console themselves apparently, but you cannot afford to be a victim anymore.</li>
</ol>
<p>People say collective defense is not something we’re wired to readily accept, but no one seems to mind that everyone has signed up for collective victim-hood. Even <a href="http://www.gao.gov/assets/660/652170.pdf" target="_blank">those who would set the standards for security can’t get it right</a>, so why are we not letting people try something novel, without fear of punishment or penalty? If it doesn&#8217;t work it doesn&#8217;t work, but that’s no worse than the situation we’re in now. “Everyone knows” thinking says that if you build the wall a little higher, the moat a little wider, and put out more pickets and canaries, that this time everything will be OK. How long have you been doing that? How’s that working out?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.haftofthespear.com/three-things-you-cannot-do-in-computer-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Three People You Cannot Take Seriously in Computer Security</title>
		<link>http://www.haftofthespear.com/the-three-people-you-cannot-take-seriously-in-computer-security/</link>
		<comments>http://www.haftofthespear.com/the-three-people-you-cannot-take-seriously-in-computer-security/#comments</comments>
		<pubDate>Thu, 28 Mar 2013 01:03:12 +0000</pubDate>
		<dc:creator>Mike</dc:creator>
				<category><![CDATA[computer security]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Reform]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[technology]]></category>
		<category><![CDATA[Threat]]></category>

		<guid isPermaLink="false">http://www.haftofthespear.com/?p=2135</guid>
		<description><![CDATA[For the umpteenth time: there is no meaningful analog between a computer-based attack and an atomic one. <p class="more-link-p"><a class="more-link" href="http://www.haftofthespear.com/the-three-people-you-cannot-take-seriously-in-computer-security/">Read more &#8594;</a></p>]]></description>
				<content:encoded><![CDATA[<p>1. <a href="http://www.nytimes.com/2013/03/27/technology/internet/online-dispute-becomes-internet-snarling-attack.html?pagewanted=all&amp;_r=0" target="_blank">The guy who equates digital attacks to nuclear ones</a>. For the umpteenth time: there is no meaningful analog between a computer-based attack and an atomic one. Anyone who says otherwise is either woefully ignorant of what a nuclear weapon can do (and how long the impact lasts), stupid, a liar, or trying to sell you something. Any way you cut it, that’s not the person you want helping you protect yourself online.</p>
<p>2. The guy who talks about the latest digital attack as a “wake up call.” This is a term that was first brought up in the 90s. It’s been reused and recycled just about annually since then. That’s not called a “wake up call” that’s called “hitting the snooze button.” We don&#8217;t make progress in computer security because too many people don&#8217;t realize they&#8217;re characters in <em><a title="Groundhog Day (movie)" href="http://en.wikipedia.org/wiki/Groundhog_Day_(film)" target="_blank">Groundhog Day</a></em>.</p>
<p>3. The guy who mangles martial analogies while trying to address digital problems. You can’t have a “digital Pearl Harbor” if the fight has been engaged – and warnings have been issued &#8211; for ~30 years; a Maginot Line-type network defense would actually be useful (you just don’t know why the French actually built the real Line); “laws and norms” of war are only followed because it’s relatively easy to catch violators in meat-space (not true in any meaningful time-frame in cyberspace). All models are wrong, some models are useful, and most people trying to make a point in computer security don&#8217;t know enough about security OR military history to make a lick of sense.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.haftofthespear.com/the-three-people-you-cannot-take-seriously-in-computer-security/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Cyber Power: Shut Up Already</title>
		<link>http://www.haftofthespear.com/cyber-power-shut-up-already/</link>
		<comments>http://www.haftofthespear.com/cyber-power-shut-up-already/#comments</comments>
		<pubDate>Thu, 14 Mar 2013 12:15:36 +0000</pubDate>
		<dc:creator>Mike</dc:creator>
				<category><![CDATA[computer security]]></category>
		<category><![CDATA[Defense]]></category>
		<category><![CDATA[espionage]]></category>
		<category><![CDATA[Intelligence]]></category>
		<category><![CDATA[National Security]]></category>
		<category><![CDATA[Politics]]></category>
		<category><![CDATA[Reform]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[technology]]></category>
		<category><![CDATA[Threat]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cybersecurity]]></category>

		<guid isPermaLink="false">http://www.haftofthespear.com/?p=2127</guid>
		<description><![CDATA[We actually have a track record of catching old fashioned spies; we spend billions annually and can’t keep teenagers out of our digital secrets<p class="more-link-p"><a class="more-link" href="http://www.haftofthespear.com/cyber-power-shut-up-already/">Read more &#8594;</a></p>]]></description>
				<content:encoded><![CDATA[<p>For the past several months (years, actually), cold warriors and their understudies who are desperately clinging to relevance have been filling the media with tales of cyber-Armageddon. If we don’t impose digital arms control, they say, we’re going to find ourselves on the losing end of a cyber missile gap. Forget that there is no meaningful analog between the use of nuclear weapons and digital ones, this is what these people understand, so this is what they pimp.</p>
<p>Countries that stand accused of evil-doing online whip out the ready, simple, and perfectly legitimate counter-argument: prove it. Nowhere does the nuclear-cyber analog fall apart quicker than when trying to compare the IR burn associated with an ICBM launch with the practically un-attributable bullets fired online. Preponderance of the evidence? Sure. Proof you’re confident enough to bring to the UN Security Council? Not so much.</p>
<p>Third time is the charm: nuclear weapons and the impact of their use on humanity are not analogous to what digital weapons or “cyber-attack” may do. There are many reasons why we haven’t had a nuclear war, but when you get right down to it the whole “end of the world” thing tends to push people to seek alternatives. So far so good, but since cyber-attacks to date have by and large only led to real-world inconvenience, the disincentives to use digital weapons simply aren’t there.</p>
<p>What might give our adversaries pause before they unleash a new round of attacks against the computer systems of our government, defense contractors, and businesses of all types?</p>
<p>Not talking about what we can do in cyberspace.</p>
<p>Before actual arms control became all the rage, we used to keep our best (and by that I mean worst) capabilities secret. If you were inclined to get into nuclear weapons you got to do it in garden spots like darkest New Mexico. In order for the other side to learn about it they had to send in people like <a title="Julius and Ethel Rosenberg" href="http://en.wikipedia.org/wiki/Julius_and_Ethel_Rosenberg" target="_blank">Julius and Ethel</a>, otherwise they wouldn&#8217;t know what we were capable of until AFTER we tested an initial capability (surprise!), and AFTER we mounted a full capability to the business-end of a missile or the belly of a long-range bomber (in your face!).</p>
<p>Talking about <a href="http://www.nytimes.com/2013/03/13/us/intelligence-official-warns-congress-that-cyberattacks-pose-threat-to-us.html?_r=0" target="_blank">what we’re trying to do</a>, alluding to <a href="http://www.npr.org/2011/09/26/140789306/security-expert-u-s-leading-force-behind-stuxnet" target="_blank">what we may have done</a>, that’s a great political game, but those who are playing (US, China, Russia) are in the minority. The vast majority of evil-doers online are like iPakistans and eNorth Koreas: people who will never adhere to “norms.”</p>
<p>So how do you keep both the baddies you know as well as the rogues you don’t in check?</p>
<p>STFU.</p>
<p>Crazy people notwithstanding, if you don’t know what someone else is capable of, you’re less inclined to test them. You’re left then with what is publicly known thanks to “independent security researchers” and what you know you can do, and you hope that the other side is somewhere in between those two points.</p>
<p>But you don’t <em>know</em>. Not for sure.</p>
<p>What you can <em>suspect</em> is Stuxnet-after-next; something you know the other side doesn&#8217;t want to happen suddenly not happening, and the leadership of the other side rocking on their heels, rolling their eyes towards the ceiling, whistling absentmindedly. To <em>know</em> you’d have to send in a modern day Julius and Ethel, or <a title="Wen Ho Lee" href="http://en.wikipedia.org/wiki/Wen_Ho_Lee" target="_blank">replicate a more modern situation</a>, which is better for us because we actually have a track record of catching old fashioned spies; we spend billions annually and can’t keep teenagers out of our digital secrets.</p>
<p>Talking about what we <em>might</em> be capable of doing is open to interpretation, and may even be viewed as disinformation, but keeping our mouths shut denies everyone the opportunity to do anything but guess . . . and fear that they may be guessing wrong.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.haftofthespear.com/cyber-power-shut-up-already/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Eagle and the Dragon</title>
		<link>http://www.haftofthespear.com/the-eagle-and-the-dragon/</link>
		<comments>http://www.haftofthespear.com/the-eagle-and-the-dragon/#comments</comments>
		<pubDate>Wed, 20 Feb 2013 03:49:12 +0000</pubDate>
		<dc:creator>Mike</dc:creator>
				<category><![CDATA[computer security]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[information sharing]]></category>
		<category><![CDATA[National Security]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Politics]]></category>
		<category><![CDATA[Reform]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[technology]]></category>
		<category><![CDATA[Threat]]></category>

		<guid isPermaLink="false">http://www.haftofthespear.com/?p=2117</guid>
<description><![CDATA[A private concern has released more, and more valuable, information than any “public private partnership” ever has.<p class="more-link-p"><a class="more-link" href="http://www.haftofthespear.com/the-eagle-and-the-dragon/">Read more &#8594;</a></p>]]></description>
<content:encoded><![CDATA[<p>It doesn&#8217;t matter what day or year it is, or who the alleged perpetrator is; some constants will always remain true when it comes to reports about foreign cyber threats (especially those attributed to a State entity):</p>
<ol>
<li>At no point will any serious effort be made to draw alternative conclusions from the data provided.</li>
<li>At no point will any attempt be made to put the hack-of-the-day/week/month in historical context.</li>
<li>At no point will a serious, information-age approach to the problem be proffered.</li>
</ol>
<p>The latest report about alleged Chinese state-sponsored cyber espionage, and the hype surrounding it, is no different. China is the boogie man, they&#8217;ve got a lock on every bit that leaves their country, they’re responsible for the “greatest transfer of wealth in history,” and we must apply the might of our military-industrial-congressional complex to combat this evil.</p>
<p>Except that none of it is true.</p>
<p>Well, to be more clear, everything claimed is refutable, subject to equally legitimate alternative conclusions, and otherwise ill-suited for what is being proposed.</p>
<p><span style="text-decoration: underline;">China is the boogie man</span>. I&#8217;ve worked on this problem longer than most “experts” with higher public profiles and, I know why the physical manifestation of “Chinese” engineering looks disturbingly like the output of U.S. R&amp;D. Having said that however, let’s keep in mind that <strong>the number of nations around the world that could make use of U.S. R&amp;D is measured in double digits</strong>. If you could steal something of value, make a copy, and then sell it again and again, wouldn&#8217;t you? If you could contract out your industrial espionage campaign to a reliable, low-cost sub-contractor wouldn&#8217;t you?</p>
<p><span style="text-decoration: underline;">The Great Firewall Support Claims of Attribution</span>. Either the Great Firewall of China is a reality and they have highly granular insight and control over the bits that transit their networks and systems, which means all activity out of China is either state sponsored, sanctioned or condoned; or<strong> the Chinese have the same security problems everyone else connected to the ‘Net have</strong>, which means the best you can claim is educated speculation. If you believe the former then we&#8217;ve been following the entirely wrong approach: we ought to be paying them to teach us how cyber security is done.</p>
<p><span style="text-decoration: underline;">The Great Wealth Transfer</span>. Industrial espionage is a practice as old as the earliest machine. American industrial might was lifted from the factories of England; a Frenchman (and a priest no less) Shanghaied Chinese ceramic knowledge back to Europe. America is a font of innovation; China is a massive manufacturing capability. What they’re doing is expected and natural. Now, we don’t need to like it, but <strong>it is not like our business community is prepared to do anything about it</strong>. CEOs and businesses are evaluated in three-month increments, not their performance over 20, 30 or 40 years.   Those in charge of the companies that have fallen victim to cyber thefts today will have been long retired to their villas in Spain, and Wall Street analysts will have kicked the stock to the curb, by the time a problem as serious as bankruptcy appears.</p>
<p><span style="text-decoration: underline;">This is a Clear Sign We Need More X</span>. “X” can mean a lot of things, from more security appliances and software to more “information sharing” regimes and myriad other recommendations that have been repeated time and time again for decades . . . none of which have made a significant dent in the problem. <strong>A private concern has release more and more valuable information than any “public private partnership” ever has.</strong> The cure to what ails us is less technical than it is political or financial or otherwise practical. When we place a greater value on security than we do speed, functionality, revenue or profit, we will have turned the corner on the cyber security issue and employing X to the fullest extent will actually make sense.</p>
<p><strong>What This All Really Means</strong></p>
<p>There are elements in the government that want more insight and control over what goes on online (in the interest of full disclosure, I am a former “Fed” and my day job involves helping the government improve its online security capabilities). The idea is that the more you know, or have ready access to, about people and their activities online, the easier it will be to root out plots and threats and illicit activity that would otherwise go unnoticed.</p>
<p>The problem with that sort of thinking, of course, is that <strong>more data on top of what is already available is simply adding more hay to the haystack in which precious few valuable needles are hidden</strong>. The amount of new needles that might be added is dwarfed by the amount of new hay. To paraphrase Biggie: Mo Data, Mo Problems.</p>
<p>For at least the last three sessions of Congress at least three dozen bills dealing with cyber security – in whole or in part – were considered. None of them made it into law. This inaction stands in stark contrast to the rhetoric from politicians from both sides of the aisle who claim we must do something because the threat is so dire. <strong>Yet another report detailing still more egregious breaches is how the government can “lobby” the citizenry to make proposed new laws like CISPA and SOPA more acceptable</strong> (there is a whole separate law dealing with government propagandizing its own people that is far beyond the scope of this piece). Private companies can talk about their findings (we all do it) – even if it just so happens to be in front of a Congressional committee – all they want because that’s not propaganda, that’s testimony.</p>
<p>There are also elements in the government who are desperate to find some way to combat this problem through political means. <strong>The problem is that the traditional ways of exercising political power internationally don’t really work for digital problems</strong>. This is especially true for countries that don’t view the world through the same color lenses as we do. How are sanctions against North Korea for their nuke program working? Why would any country admit to a cyber espionage capability when it’s so easy to deny? Independent evidence of an illicit, government sponsored cyber espionage program is the next best thing to UN inspectors.</p>
<p>But of course computer code isn&#8217;t fissile material. The knowledge required to build a bomb is commonplace; the materials are extremely hard to get. <strong>In cyberspace the “material” required to build a weapon is free and any middle-school kid can build one</strong>. “Cyber deterrence” and “digital arms control” are among the most un-serious ideas imaginable . . . but that’s what those trying to deal with this problem were taught, so those are the constructs they try to shoe-horn “cyber” into.</p>
<p>The impacts of cyber security failures in this country are frequent and well-known, but they’re also readily absorbed.<strong> The pain associated with even massive breaches is spread out over victim and innocent alike, in percentages that are so small, and ways that are almost imperceptible, that businesses and the citizenry alike hardly notice</strong> (if they’re even paying attention). This, more than any grass-roots efforts in the privacy and “hacker” communities, or lobbying by industries that would suffer under more restrictive regulation, is why cyber security legislation fails: <strong>cyber security has no constituency</strong>.</p>
<p>I don’t know that this is a Colin Powell 2003 speech-to-the-UN moment; I do know that what is likely to happen is going to be about as useful – and at least as fiscally costly – as our invasion of Iraq.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.haftofthespear.com/the-eagle-and-the-dragon/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Being All You Can&#8217;t Be</title>
		<link>http://www.haftofthespear.com/being-all-you-cant-be/</link>
		<comments>http://www.haftofthespear.com/being-all-you-cant-be/#comments</comments>
		<pubDate>Mon, 18 Feb 2013 11:16:29 +0000</pubDate>
		<dc:creator>Mike</dc:creator>
				<category><![CDATA[computer security]]></category>
		<category><![CDATA[Defense]]></category>
		<category><![CDATA[education]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[military]]></category>
		<category><![CDATA[National Security]]></category>
		<category><![CDATA[Reform]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[technology]]></category>
		<category><![CDATA[Threat]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[army]]></category>
		<category><![CDATA[dod]]></category>
		<category><![CDATA[training]]></category>

		<guid isPermaLink="false">http://www.haftofthespear.com/?p=2111</guid>
		<description><![CDATA[Who builds weapons? Who connects the far-flung military commands? Where does all the nation's technical expertise reside?<p class="more-link-p"><a class="more-link" href="http://www.haftofthespear.com/being-all-you-cant-be/">Read more &#8594;</a></p>]]></description>
				<content:encoded><![CDATA[<p>In the military, in order to earn <a title="Wikipedia: Airborne Wings" href="http://en.wikipedia.org/wiki/File:USA_Parachutist.png">this badge</a>, you need to take several weeks of hands-on, practical training, and then jump out of a perfectly good airplane and come down in one piece.</p>
<p>At least five times.</p>
<p>In order to earn <a title="Wikipedia: Naval Aviator Wings" href="http://en.wikipedia.org/wiki/File:Naval_Aviator_Badge.jpg">this badge</a>, you need to take months of classroom and hands-on training and then take off and land a perfectly good airplane.</p>
<p>Over and over again.</p>
<p>In order to defense DOD computer networks you can either read <a href="http://i40.fastpic.ru/big/2012/0728/16/1fbe179783cd97669dd6acef41d73f16.jpg">something like this</a>, or <a href="http://www.cisspexampractice.com/Include/Images/img-bootcamp-CISSP-large.jpg">go to something like this</a>, and as long as you test well, you’re golden.</p>
<p>Actual, <a href="http://www.networkworld.com/news/2012/041012-army-security-certs-258136.html?source=nww_rss">demonstrable knowledge and experience is less important that a potentially worthless piece of paper</a>. You&#8217;re tired of me bringing up that same old story? Well, <a href="http://www.defensenews.com/article/20130216/DEFREG02/302160010/Experts-Say-U-S-Cyber-Workers-Undertrained">read on</a>.</p>
<p>I believe it was 1992 when I first heard about discussions in the Army that the basic “computer programmer” MOS was insufficient for the coming information age. As far as I can tell, in the year 2013, the Army still only has one, specific IT MOS (I wasn&#8217;t in the Navy or Air Force so I can&#8217;t speak to how much more effective &#8211; or not &#8211; they&#8217;ve been at this task).</p>
<p>This is a problem that has been understood and recognized for at least 20 years, but the bureaucracy says <a href="http://www.defensenews.com/article/20130216/DEFREG02/302160010/Experts-Say-U-S-Cyber-Workers-Undertrained">it takes time to promulgate policy</a>, an idea that would be laughable if the issue were not so dead serious. That the military is a bureaucracy is a given; that policy can’t move through a bureaucracy at combat speed is simply false (e.g. General Order Number 1). Are these apples and oranges? Sure. Can the DOD move as fast as lightning when it wants to? You bet.</p>
<p>For this issue anyway, it doesn&#8217;t want to.</p>
<p>Why should it? Who builds weapons? Who connects the far-flung military commands? Where does all the nation&#8217;s technical expertise reside?</p>
<p>Contractors.</p>
<p>Not exclusively of course, but once you get above a certain scale &#8211; or down to a very discrete level &#8211; warfighting and warfighting support is too complex and lucrative to leave to GIs. Deploy recently? Did a 92-golf serve you that Whopper, or a local national (or an imported third-country national) working for KBR? Whose label is on that piece of equipment you&#8217;re flying in? Northrop? Harris? Where do you think those 4,000 people CYBERCOM wants are going to come from (in the end)?</p>
<p>If you want people capable of doing X then solicit for X and<em> take the time and effort to validate their claims of skill and expertise</em>. Certifications are not evil, but <em>they are not an effective shortcut to the capabilities you want</em>. They can in fact be very dangerous. You would not trust your life to a surgeon whose credentials came from testing well after a two-week &#8216;slice-n-dice&#8217; boot camp; if INFOSEC and COMPUSEC are issues you really care about, then don&#8217;t do effectively the same thing for your defenders.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.haftofthespear.com/being-all-you-cant-be/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Don’t Ask What Your Country Can Do For You</title>
		<link>http://www.haftofthespear.com/dont-ask-what-your-country-can-do-for-you/</link>
		<comments>http://www.haftofthespear.com/dont-ask-what-your-country-can-do-for-you/#comments</comments>
		<pubDate>Mon, 04 Feb 2013 12:19:05 +0000</pubDate>
		<dc:creator>Mike</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[computer security]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[information sharing]]></category>
		<category><![CDATA[Intelligence]]></category>
		<category><![CDATA[Politics]]></category>
		<category><![CDATA[Reform]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[technology]]></category>
		<category><![CDATA[Threat]]></category>
		<category><![CDATA[business]]></category>
		<category><![CDATA[sharing]]></category>
		<category><![CDATA[threat]]></category>

		<guid isPermaLink="false">http://www.haftofthespear.com/?p=2107</guid>
		<description><![CDATA[Peer companies in your respective industries are your most valuable source of cyber intelligence.<p class="more-link-p"><a class="more-link" href="http://www.haftofthespear.com/dont-ask-what-your-country-can-do-for-you/">Read more &#8594;</a></p>]]></description>
				<content:encoded><![CDATA[<p>There seems to be an increasing call for the government to share more information with the private sector when it comes to cyber threats. In particular, when it comes to situations where a foreign nation may be involved, private sector security experts have been venting their frustration that the government is slow to pass them “secrets” that might help them respond more effectively to a particular threat or intrusion.</p>
<p>I find this amusing.</p>
<p>Corporations spend a lot of money and dedicate a lot of time to avoid government tendrils (funneling profits to off-shore subsidiaries in tax-free havens) or to influence those in political power to pass laws that reduce governmental intrusions and burdens. That stiff-arm approach goes away suddenly when assets are at risk. I guess this is a natural reaction – who doesn&#8217;t want the best of both worlds and for everything to go in their favor – but let me leave something unpleasant in the punch bowl for the “save me Uncle Sam” crowd.</p>
<p><strong>The government is never going to share secrets with you.</strong> The people who you are dealing with when it comes to “cyber” issues are the most secretive of the nation’s secret-keepers. Nothing they would share with you would contain any value once it went through a declassification process.</p>
<p><strong>The government does not have anything online that you don’t.</strong> That is to say, the government buys PCs and operating systems from many of the same vendors you do. They use TCP/IP just like everyone else. They connect to the same Internet as everyone else. A tactic that is effective against your under-patched Windows 7 box is going to be just as effective against the same box at the Department of Such-and-Such.</p>
<p><strong>The “adversary” who wants information from a government agency does not want information from your widget company</strong>. To be more precise: whoever is breaking into your company is interested in widgets; whoever is breaking into the Department of Defense is interested in not-widgets. Certain technical aspects of both attacks may be the same, but once they land the goals are different. Even if you had unfettered access to secret government intrusion data it may be of absolutely no use to you.</p>
<p>If you are looking for other people to compare notes with, look to your peers. Everyone else in the American widget-making business is a target for the foreign adversary who is interested in making better, cheaper widgets. <strong>Peer companies in your respective industries are your most valuable source of “cyber intelligence.”</strong> The logs your peers have collected are not secret. They are the most valuable technical information available because if they’re a victim, you will be soon (and vice versa).</p>
<p>You lose nothing by cooperating on cyber security with those who would otherwise be your competitors in the marketplace. You all have a vested interest in not enabling a foreign competitor to gain such an advantage over any of you that it drives you all out of business. The government, on the other hand, doesn&#8217;t care whether you (specifically) stay in business or not (or have you not looked at unemployment numbers in the past few years?). If it&#8217;s something of true national import the government will find a way to get you involved in the fight, but until then, stop waiting for a handout.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.haftofthespear.com/dont-ask-what-your-country-can-do-for-you/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>On “cyber intelligence”</title>
		<link>http://www.haftofthespear.com/on-cyber-intelligence/</link>
		<comments>http://www.haftofthespear.com/on-cyber-intelligence/#comments</comments>
		<pubDate>Fri, 25 Jan 2013 11:31:02 +0000</pubDate>
		<dc:creator>Mike</dc:creator>
				<category><![CDATA[computer security]]></category>
		<category><![CDATA[education]]></category>
		<category><![CDATA[Intelligence]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[technology]]></category>
		<category><![CDATA[cybersecurity]]></category>

		<guid isPermaLink="false">http://www.haftofthespear.com/?p=2104</guid>
		<description><![CDATA[ “Intelligence” is like “APT:” If you’re not using the proper definition, you’re just playing marketing tricks<p class="more-link-p"><a class="more-link" href="http://www.haftofthespear.com/on-cyber-intelligence/">Read more &#8594;</a></p>]]></description>
				<content:encoded><![CDATA[<p>Intelligence.</p>
<p>From what I can tell it’s the new hotness in cybersecurity.</p>
<p>From what I can tell it’s also not being done very well. The end result of course being that “intelligence” is treated as a fad or gimmick, which would be a terrible mistake for the cybersecurity community to make.</p>
<p>Let’s lay down a few givens before we go any further. For starters, “<strong>intelligence” is like “APT:” If you’re not using the proper definition, you’re just playing marketing tricks</strong>. Boiled down to its essence it works like this:</p>
<ul>
<li>No matter how good the source, a discrete piece of “data” or data “feed” is not intelligence</li>
<li>Intelligence is not a mashup of disparate data points; that’s “information”</li>
<li>Intelligence is information that is put into context and enhanced with expert (human) input that provides the intelligence consumer with insight.</li>
</ul>
<p><strong>No application, device or appliance is capable of providing you with intelligence</strong>. Such mechanisms may provide you with enhanced information, but <strong>without the human element it’s still just information</strong>. If machines could produce intelligence, a whole lot of people in this business would be unemployed.</p>
<p>Your organizational decision-maker(s) are your intelligence “consumers.” Every consumer wants something different from their intelligence product, which is where the human element comes into play. The intelligence requirements of the C-level are of little utility to the responder on scene, and vice versa. Devices and feeds in and of themselves cannot support either requirement. <strong>Any purveyor of “intelligence” that does not have a human between data and consumer is not offering intelligence</strong>. If you are not paying for someone to apply their little gray cells to your or their data, you’re paying a premium for something you could probably get for free.</p>
<p>Intelligence is not fool-proof. Intelligence tells you something you don’t already know, but because you cannot know everything, there are no guarantees. <strong>Intelligence providers who claim to be flawless, or nearly so, are not producing content of value</strong> because only the most generic and heavily caveated output can be made to seem right 100% of the time. You don’t need to pay extra for people to tell you “maybe” and “possibly.”</p>
<p>I’m just touching the surface here, and if anyone wants me to riff longer I will, but I just wanted to make sure something was out there standing athwart the “cyber intelligence” hype train shouting “stop!”</p>
]]></content:encoded>
			<wfw:commentRss>http://www.haftofthespear.com/on-cyber-intelligence/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Commercial CNO is Going Nowhere</title>
		<link>http://www.haftofthespear.com/commercial-cno-is-going-nowhere/</link>
		<comments>http://www.haftofthespear.com/commercial-cno-is-going-nowhere/#comments</comments>
		<pubDate>Thu, 03 Jan 2013 19:49:44 +0000</pubDate>
		<dc:creator>Mike</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[computer security]]></category>
		<category><![CDATA[Law Enforcement]]></category>
		<category><![CDATA[National Security]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[technology]]></category>
		<category><![CDATA[Threat]]></category>
		<category><![CDATA[cnd]]></category>
		<category><![CDATA[cno]]></category>
		<category><![CDATA[computer forensics]]></category>
		<category><![CDATA[cyberlaw]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack back]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[incident response]]></category>
		<category><![CDATA[policy]]></category>

		<guid isPermaLink="false">http://www.haftofthespear.com/?p=2098</guid>
		<description><![CDATA[Business exists to make profit, not find and prosecute bad guys.<p class="more-link-p"><a class="more-link" href="http://www.haftofthespear.com/commercial-cno-is-going-nowhere/">Read more &#8594;</a></p>]]></description>
				<content:encoded><![CDATA[<p>If you follow cybersecurity issues you cannot have missed all the talk over the last few months about how businesses that have been victims of cyber attacks have grown “tired of playing defense.” If you didn&#8217;t know any better you’d think we were on the cusp of a new era where online bad guys were finally about to get what fer’.</p>
<p>Don’t bet on it.</p>
<p>Let’s set aside the substantial legal issues surrounding private institutions “hacking back” against those who hack them. Let’s instead look at what we know about private organizations and cyber defense, which is what they&#8217;ve been doing for the past few decades. Let me know if any of this sounds familiar:</p>
<ul>
<li>“Security is a cost center.”</li>
<li>“My security budget is a fraction of a fraction of the IT budget, which is a token amount of what every revenue-producing business unit gets.”</li>
<li>“No matter how much we spend on security, we still get breached and still have to pay for incident response, credit monitoring, etc.”</li>
</ul>
<p>Security products and services are expensive and they don’t always work. Security is not a core element of any commercial enterprise, so it is not respected or invested in as much as just about anything else the business does. Good security – sound policies and practices that do not impede business functions – is exceedingly difficult. All of these things are true, understood and accepted by both the business and those they hire to defend them online, but somehow we are to believe that private enterprise is going to readily accept the <strong>additional</strong> cost and labor (and liability) associated with building and maintaining an OFFENSIVE cyber capability?</p>
<p>Companies do cyber defense <strong>because they have to</strong>. There are laws and regulations that mandate certain types of enterprises meet minimum <em>compliance</em> standards (reminder: compliance != security). If there were no such requirements how many businesses would do cyber defense? How many would spend as much as they do now? There is no &#8220;castle doctrine&#8221; for businesses online, but despite decades of evidence to the contrary, we’re to believe they’ll willingly and voluntarily accept the costs – and liabilities – of taking the fight to the enemy.</p>
<p>We have seen this before. Not on this scale, and not so public, but this “I’m not going to take it anymore/going to do what’s right” sentiment has been heard in board rooms across the country for years. It lasts about as long as it takes for the Corporate Counsel to discreetly cough, raise his hand, and point out the legal nightmare associated with such activities. There is a reason why “wipe and rebuild” is the default response to any breach of any scale: <strong>business exists to make profit, not find and prosecute bad guys.</strong></p>
<p>To recap: Compliance is done begrudgingly; there is no business case for fighting back.</p>
<p>Now, <a title="Buccaneer.com" href="http://www.haftofthespear.com/wp-content/uploads/2010/06/Buccaneer.com_.pdf" target="_blank">I am an advocate for a different way forward as far as offensive activity in support of national interests is concerned</a>, but I harbor no illusions that BigCo, Inc. is suddenly going to start kicking digital *** and taking names. Such an approach is in fact a terrible idea, if for no other reason than that it simply makes BigCo a target for retribution. And as a reminder: there are a lot more bad guys out there than there are good guys, and your cyber defenses can&#8217;t handle the onslaught you already face <em>before</em> you start antagonizing them.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.haftofthespear.com/commercial-cno-is-going-nowhere/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>They’re Just Not That Into Us</title>
		<link>http://www.haftofthespear.com/theyre-just-not-that-into-us/</link>
		<comments>http://www.haftofthespear.com/theyre-just-not-that-into-us/#comments</comments>
		<pubDate>Sat, 08 Dec 2012 16:32:23 +0000</pubDate>
		<dc:creator>Mike</dc:creator>
				<category><![CDATA[computer security]]></category>
		<category><![CDATA[education]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Reform]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[industry]]></category>
		<category><![CDATA[Politics]]></category>

		<guid isPermaLink="false">http://www.haftofthespear.com/?p=2057</guid>
		<description><![CDATA[What we've been doing as an industry has been great for the industry, but it has had no substantial effect on those who need our support and protection. <p class="more-link-p"><a class="more-link" href="http://www.haftofthespear.com/theyre-just-not-that-into-us/">Read more &#8594;</a></p>]]></description>
				<content:encoded><![CDATA[<p>I&#8217;ve been involved in information and computer security, in some fashion or variation, for most of my adult life. My strictly “computer” or “cyber” security experience, as it is commonly understood today, covers about 15+ years. If you had to bin me I’m a “wide” not “deep” kind of guy. I&#8217;ve been pretty successful and, doggone it, people like me.</p>
<p>However . . .</p>
<p>For the last few years I&#8217;ve been harboring this sneaking suspicion – manifesting itself in an increasingly cynical disposition – that all was not well with our world. I, and everyone I knew, was working as hard as ever but we didn&#8217;t seem to be making any kind of difference. You can’t be in this business for a decade or more and not wonder why you keep hearing the same phrases over and over again; hearing about massive breaches caused by the same mistakes over and over again; reading about yet-another epic security fail on the part of some official or executive and wonder: “if this computer security thing is so important, how come we’re no better off today than we were 10, 20, 30 years ago?”</p>
<p>I’m not saying computer security isn&#8217;t important; I’m saying we do a disproportionate amount of navel gazing in this business and do not have a big enough impact on our fellow citizens. If we were doing our jobs then computer security would fall into that class of “things people perpetually care about” and be addressed accordingly, not something that is addressed rarely and in an ad hoc fashion, like poison ivy or head lice or ear hair.</p>
<p>Some of my colleagues and fellow travelers are reading this and mumbling about the CNCI and record spending on security products and services, massive investments by government, corporations and investors alike and wondering if I’m drunk or high (or both). Well, how about we try to dig up some data to see if I might be on to something?</p>
<p>This is the information age, so it should be fairly easy to search through all that information to find out how popular – or more accurately “how often” – people are exposed to the issue of computer security. Now I don’t have a Nexis account, but I can use some poor-man’s alternatives, like Google Trends (news headlines from 2004 to the present) and Google Ngram Viewer (books scanned by Google that cover the period 1800-2008).[1]</p>
<p>If we search Ngrams for the term “computer security” we get the following result (click to enlarge):</p>
<p><a href="http://www.haftofthespear.com/wp-content/uploads/2012/12/compusec1.png"><img class="aligncenter size-large wp-image-2068" title="compusec" src="http://www.haftofthespear.com/wp-content/uploads/2012/12/compusec1-1024x291.png" alt="" width="576" height="163" /></a></p>
<p>Not bad. But let’s see what happens when we add a term that falls into the bin of “things people perpetually care about.” Let’s choose “health care” to start:</p>
<p><a href="http://www.haftofthespear.com/wp-content/uploads/2012/12/compusechealthcare1.png"><img class="aligncenter size-large wp-image-2067" title="compusechealthcare" src="http://www.haftofthespear.com/wp-content/uploads/2012/12/compusechealthcare1-1024x299.png" alt="" width="576" height="168" /></a></p>
<p>Um, OK, how about “Iraq&#8221; and &#8220;Afghanistan&#8221; because, you know, those have been popular topics last decade+:</p>
<p><a href="http://www.haftofthespear.com/wp-content/uploads/2012/12/comphciraqafg1.png"><img class="aligncenter size-large wp-image-2066" title="comphciraqafg" src="http://www.haftofthespear.com/wp-content/uploads/2012/12/comphciraqafg1-1024x293.png" alt="" width="576" height="164" /></a></p>
<p>OK, so life – and its quality and duration – are big subjects; places where life is cheap not quite as much. Computer security, however, is barely on the radar. But is war a fair comparison? I mean, when there is a war on it’s all anyone talks about. What about looking at an issue of perpetual interest, like taxes?</p>
<p><a href="http://www.haftofthespear.com/wp-content/uploads/2012/12/compusectaxes1.png"><img class="aligncenter size-large wp-image-2065" title="compusectaxes" src="http://www.haftofthespear.com/wp-content/uploads/2012/12/compusectaxes1-1024x294.png" alt="" width="576" height="165" /></a></p>
<p>&lt;facepalm&gt;[2]</p>
<p>OK, so, forget about books. There are far fewer computer security books than there are books on the military or taxes or health care. Computer security is a current issue, so what about media coverage? That’s a better indicator of how important this issue is today, not what people wrote about twenty years ago when almost no one had a computer and there was no such thing as the Internet, right? OK, sure, let&#8217;s look at &#8220;computer security&#8221; in the headlines:</p>
<p><a href="http://www.haftofthespear.com/wp-content/uploads/2012/12/compusectrend.png"><img class="aligncenter size-full wp-image-2069" title="compusectrend" src="http://www.haftofthespear.com/wp-content/uploads/2012/12/compusectrend.png" alt="" width="793" height="304" /></a></p>
<p>Wait, what?! Headlines mentioning computer security have been declining over the last eight years? OK, forget “computer” security, how about “cyber” security, because, you know, “cyber” is the hawtness now:</p>
<p><a href="http://www.haftofthespear.com/wp-content/uploads/2012/12/cybersectrends.png"><img class="aligncenter size-full wp-image-2070" title="cybersectrends" src="http://www.haftofthespear.com/wp-content/uploads/2012/12/cybersectrends.png" alt="" width="797" height="302" /></a></p>
<p>Oh my. Not what I thought it would be . . . wait, what about “cybersecurity” as all one word?</p>
<p><a href="http://www.haftofthespear.com/wp-content/uploads/2012/12/cyberonetrends.png"><img class="aligncenter size-full wp-image-2071" title="cyberonetrends" src="http://www.haftofthespear.com/wp-content/uploads/2012/12/cyberonetrends.png" alt="" width="793" height="303" /></a></p>
<p>OK, OK, that’s more like it, but still . . . if conventional wisdom is to be believed, shouldn&#8217;t headlines be steadily trending up and to the right, not swinging wildly like a pendulum?</p>
<p>Yes. Yes it should.</p>
<p>What about those words you used before? What about comparing &#8220;cybersecurity&#8221; to taxes?</p>
<p><a href="http://www.haftofthespear.com/wp-content/uploads/2012/12/cybertaxtrend.png"><img class="aligncenter size-full wp-image-2072" title="cybertaxtrend" src="http://www.haftofthespear.com/wp-content/uploads/2012/12/cybertaxtrend.png" alt="" width="794" height="302" /></a></p>
<p>Hmm, looks like headlines spike during tax season, and then drop off (which makes sense), though the issue writ large is pretty consistently covered in the media over time. What about compared to health care?</p>
<p><a href="http://www.haftofthespear.com/wp-content/uploads/2012/12/cyberhealthtrends.png"><img class="aligncenter size-full wp-image-2073" title="cyberhealthtrends" src="http://www.haftofthespear.com/wp-content/uploads/2012/12/cyberhealthtrends.png" alt="" width="796" height="306" /></a></p>
<p>OK, not helpful. What if we compare some frivolous, niche topics that couldn&#8217;t possibly receive more media coverage than &#8220;a clear, present and growing danger to national security&#8221;? Let&#8217;s pick &#8220;Lindsay Lohan&#8221; (red), &#8220;Led Zeppelin&#8221; (gold) and &#8220;boobs&#8221; (green):</p>
<p><a href="http://www.haftofthespear.com/wp-content/uploads/2012/12/Capture.png"><img class="aligncenter size-full wp-image-2086" title="Capture" src="http://www.haftofthespear.com/wp-content/uploads/2012/12/Capture.png" alt="" width="805" height="304" /></a></p>
<p>I weep for the future.</p>
<p>Now, obviously this is not a “scientific” study. I’m not a survey-data (big or otherwise) statistic-mathy guy, so I’m sure there are flaws that professionals who do this sort of thing for a living would love to pick at, but some reasonable conclusions I think we are able to draw from this little experiment:</p>
<ul>
<li>No matter how much we spend (CNCI, etc.), no matter how massive the breach, no matter how widespread the damage: cyber security is not one of the country’s most pressing issues if media and literature coverage are any indicators.</li>
<li>If literature or media coverage over time is any indication, nothing we have done to date in the security industry is doing anything to increase public concern about computer security.</li>
<li>Until computer security impacts as many lives as deeply as issues like taxes, life or death &#8211; or ladies jiggly bits &#8211; it will always be the fringiest of the fringe issues in the minds of the public. It is, in fact, less than trivial.</li>
</ul>
<p>Arguing about the folly of manufacturer back doors in SCADA systems, stupid coder mistakes, the efficacy of anti-virus, what APT is or any of the myriad topics security people love to discuss is nothing but a cyber security circle jerk. We’re talking to ourselves, not the people we purport to want to help.</p>
<blockquote><p>“But Mike, we’re very successful at computer security!”</p></blockquote>
<p>Really? Then why have you been selling the same thing for ten years? Are there a finite number of computer security problems? No? Then how come you haven’t made your millions solving ONE OF THEM and used some of that money to start up something new to solve problem number 9,999,999,999,999? I’m not saying we’re greedy or stupid, I’m saying no one has solved anything, but we blame others for “not getting it.”</p>
<p>I understand: you took someone else’s money, and they had expectations. You met those expectations and now you have shareholders, and they have expectations. Being so successful you put yourself out of business isn&#8217;t a popular exit strategy. At which point you ought to be honest with everyone and admit that you’re simply in business, not the <em>security </em>business, and point out that you’re not going to stop doing what you’re doing no matter how ineffective it is.</p>
<p>However, if anything herein resonates with you, then do your peers, your industry, and your fellow citizens a favor:</p>
<p><span style="text-decoration: underline;">Write something</span>. I’m no English major, nor am I Shakespeare, but I&#8217;ve been known to reach national and international audiences on occasion. Insight and passion about an issue are all you need: they have editors (or your Barista, who <em>was</em> an English major) for everything else. Make it as relevant and accessible to as many people as possible: you’re writing for mom, not your boys in the hacker space.</p>
<p>Speaking of your mom . . . don’t make fun of her or roll your eyes when she asks you to fix her computer. While you’re upgrading her from XP and IE 5, <span style="text-decoration: underline;">explain to her, in terms she’ll understand, why computer security is important</span>. Do this and two things will happen: A) she will make you a pie[3], and B) at her next coffee klatch with the neighborhood Hausfraus she’ll tell THEM why computer security is important. They will tell their friends, and so on, and so on . . . Look at that, dude; you just lit a spark that helped change the world view of about 15 million people. You know what 15 million people are called: a constituency.[4]</p>
<p><span style="text-decoration: underline;">Advance your cause by viewing the world though other people’s glasses</span>. Security is only a be-all, end-all in the land of unicorns and pixie dust; in the real world people are motivated to get things done. Engage with people who do other things for a living and appreciate why they resist your genius plan to eliminate the problems caused by ‘1337 h@x0r$. The people in Finance, Sales, or Manufacturing are not your enemy, they are just incentivized differently. No one is going to willingly surrender their reward to improve security: you need to come up with an approach that they will want to follow (or at least won’t resist so much) so that helping you is just another part of doing their job.</p>
<p>Computer security is hard. Forget the existential factor – or lack thereof – it’s technically complex; it’s political; it’s economic; it’s social. It is a nut that has yet to be cracked despite all the work that has been put in to date.[5] What we&#8217;ve been doing as an industry has been great for the industry, but it has had no substantial effect on those who need our support and protection. If you’re OK with that, then drive on; if you’re not: it’s time to do something different.</p>
<div>
<hr align="left" size="1" width="33%" />
<div>
<p>[1] To be fair and up front: Google hasn’t scanned every book ever, much less every book published between 1800 and 2008, but they have scanned a lot of them and in multiple languages too. For this particular effort, I pulled from the “English” corpus for the years 1980-2008.</p>
</div>
<div>
<p>[2] Just so you know, it doesn’t help if you replace “computer” with “cyber” as is so often done these days; the results are still dismal.</p>
</div>
<div>
<p>[3] OK, she “may” make you a pie.</p>
</div>
<div>
<p>[4] That is to say: the people politicians listen to when they’re trying to come up with better laws.</p>
</div>
<div>
<p>[5] And I’m not talking about recent events; you can find research and studies and papers discussing computer security problems going back to the 60s.</p>
</div>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.haftofthespear.com/theyre-just-not-that-into-us/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
