In 1992, Dr. Francis Fukuyama wrote The End of History and The Last Man. If you are like most people you have not actually read the book. If you are like most people you judged the book by its cover and wondered how someone with a Ph.D. could come up with such a ridiculous thesis: ‘Of course this is not the end of history, they are making new history all the time. Come out of your ivory tower!’
In fact, the premise behind The End of History is that in the global battle of political ideologies, liberal democracy had bested the alternatives and we should look forward to a future that is, if not sunshine and lollipops, free of radioactive mushroom clouds. People who have bothered to read The End of History may not agree with all the points made by the author, but they realize that he is not literally saying ‘history ends here.’
I cannot hope to replicate the scholarship of Dr. Fukuyama, but I can take a page – or a title – from him. I believe that in the battle between functionality and security in cyberspace, functionality has triumphed. Computer security is effectively a zombie: something that gives the appearance of being alive. As practitioners, as an industry, as a society, we cannot bring ourselves to accept the gruesome reality that our future is on the fast track to becoming your favorite science fiction cyberspace dystopia: lots of great technology that enables us to live a life of great convenience and utility, but without a lot of liberty.
Why such an extreme position? Why “death?” Consider this question: what is the difference between a random computer security story in the news today and one that is decades old? The byline and the date. Would you like proof?
Hacker’s paradise? Another security flaw hits Windows NT, Laura DiDio, Computerworld, June 8, 1998[i]
Microsoft fixes five critical flaws, including two hitting all versions of Windows, Zack Whittaker, ZDNet, September 8, 2015[ii]
I do not mean to offend anyone who is in this particular situation, but when it comes to someone being on life-support, what is the difference between your loved one today and a month ago? I suspect the answer is “nothing of consequence.” Were it not for specific machines going through their motions, the human being said machines are attached to would be called a corpse. Tell me how computer security is any different? If regulations like HIPAA and FISMA became voluntary tomorrow would anyone continue to follow them? If companies no longer had to be PCI compliant would they?[iii] Would any organization spend anywhere near the money they do, or employ the number of security practitioners they do, if they were not forced to?
Like the war on drugs or the war on poverty, computer security is one of those things we feel we are compelled to do, despite the fact that everyone with more than a cursory knowledge of the subject knows we are not really having an impact commensurate with the effort being put forth. The war on drugs was declared in the 1970s yet marijuana is increasingly legal at the state level,[iv] and heroin use is on the rise in, of all places, suburbia.[v] The war on poverty was declared in the 1960s and while poverty would likely be worse than it is today if we had done nothing, there is no indication that the estimated $15 trillion we have spent has made a difference that corresponds to the size of the expenditure.[vi] The market for computer security is estimated to be in the tens of billions of dollars and growing,[vii] yet not a week goes by without news of another data breach and the statement made that this case is a “wake-up call.”
I beg to differ.
A “wake-up call” would be an alert that jarred us from our slumber. Something that violently disturbs our otherwise peaceful repose. A state of ignorance that suddenly has light shone upon it. But by definition a wake-up call happens once. How then to explain:
- In 2015 DHS Secretary Jeh Johnson calls OPM breach a “wake-up call”[viii]
- In 2012 General Alexander, Director of the National Security Agency, calls the hacker attack on Saudi ARAMCO a “wake-up call” [ix]
- In 2010 Michael M. DuBose, chief of the Justice Department’s Computer Crime and Intellectual Property Section, called successful breaches such as Aurora “a wake-up call”[x]
- In 2008 Deputy Secretary of Defense William Lynn called the BUCKSHOT YANKEE incident[xi] “an important wake-up call.”[xii]
- In 2003 Mike Rothery, Director of Critical Infrastructure Policy in the Attorney-General’s Department of the (Australian) Federal Government called a hack into a wastewater treatment plant “a wake-up call.”[xiii]
- In 2000 Attorney General Janet Reno called a series of denial of service attacks against various companies a “wake-up call.”[xiv]
- In 1998 Deputy Secretary of Defense John Hamre called the SOLAR SUNRISE incident[xv] “a wake-up call.”[xvi]
- In 1989 IT executive Thomas Nolle wrote in Computer Week that poor LAN security was a “wake-up call.”[xvii]
History clearly indicates that we have received our wake-up call, and that for the last few decades we have actually been hitting the snooze button. This is what you do when you dread what is waiting for you once you open your eyes.
Despite the rhetoric and hyperbole, there is no widespread clamor for change or reform when it comes to computer security. Some people are angry; The People are not angry. Some people demand change; the vast majority of people accept things the way they are. It does not help that even within the computer security community you can gain consensus on only the most middling of issues; everything else is a fight to the death for a particular dogma. Network security people hate endpoint people, endpoint people hate crypto people, crypto people hate everyone (including other crypto people) and everyone hates the government. Watching all of this are ordinary people who, realizing even the experts cannot get their act together, shrug their shoulders and go back to mindlessly clicking on links in email and throwing birds at pigs on their smart phones.
It is not that ordinary people do not recognize that poor computer security is a thing that could negatively impact their lives, they just do not care enough to demand that anything meaningful be done about it. Computer security is a problem, it is just not a big enough problem to enough people. It is that lack of a sufficiently motivated constituency that precludes the formation of a movement with sufficient legitimacy and power to move governments and markets to take the issue seriously. We have “Obamacare” because the healthcare system in this country is not what it could be, and whether you agree with the law or not, you cannot argue that there was not sufficient political and social momentum to bring about something other than the status quo. The same thing cannot be said about computer security, and until that happens, enjoy your stroll with the walking dead.
If you have been working in the computer security field for a substantial length of time (names like Parker[xviii] or Neumann[xix] are familiar to you), nothing I have said or am about to say will be a revelation, though being in proximity to so much imperial nudity may make you uncomfortable. You have no doubt reached the “acceptance” stage of the Kübler-Ross model of computer security grief. You may want to skim most of this and skip to the end, where I hope to inspire you to keep up the fight a little longer.
Slightly less wizened but highly specialized professionals: if at any point it sounds like I’m calling you a racketeer, or your life’s work meaningless, or your discipline a side-show, I am not. I am merely pointing out that we are being out-maneuvered and out-paced, and while advances in the granular are important, they are not necessarily helpful at the meta-level where momentum can be generated. I hope to encourage you to widen your focus, set aside your differences, and join together for the greater good.
Newcomers to the field: The itinerary for the journey you think you are about to take career-wise, and where you actually end up, are likely to be two entirely different things. If you are here because this is the hot field to be in, your labors are welcome but be advised that we are fighting a retrograde action.[xx] That is a perfectly legitimate course of action, but it is rarely a good sign of future prospects. You are joining the Grande Armée on the way back from Russia, not marching towards it.[xxi] I hope to illustrate for you what is and is not working so that you can plan accordingly and throw yourselves into the right jobs wholeheartedly.
Executives, policy-wonks, politicians and the like who are trying to make sense of what is going on so you can make decisions, I realize that most of what I say is going to be difficult to accept. I know you are bound by certain rules and procedures. I appreciate that very friendly people with lots of money and a vested interest in the status quo are hard to turn away. I also know that much can be accomplished if you are prepared to cast aside tradition and custom in the name of getting shit done. Please read with an open mind. I want you to view these problems in a very practical sense because “how things are done” is not working. Things threaten to fail in catastrophic ways unless you help us change course by creating an effective political, social and economic environment for success.
Investors, I get it. You want that 10x return. I submit to you however that the $20 million you put in “next generation” anything, or in service companies whose only distinguishing feature is their famous founders, is not going to get you there. It is important that you understand something of the field’s history, and how we have been addressing its problems, so that you can determine what is truly novel and game-changing, rather than what is merely iterative or derivative. The latter will be a zombie; the former is where there be unicorns.
For the ordinary person who has read the news stories and is curious to learn more, or maybe has been a victim of a cybercrime and is trying to make sense of what is going on, I wish I had a better story to tell you. As practitioners, most of our days are spent putting out different types and sizes of fires. This has led not to the development of a lobby, but an industry, and all that that implies with regards to priorities. It is not that we were not warned, or that we do not know what we are doing, we were just overwhelmed at the start, and it all went downhill from there.
This is not a technical book. It is not an academic work. It is not “for dummies” per se, though depending on what you choose to do when you’re done, it might be considered a choose-your-own-ending story. I have no illusions about the impact it will have on the industry, but in a field devoid of meaningful advancements, where everything we do seems to come up short, I feel compelled to call the Emperor naked because the consequences cannot possibly be worse than maintaining the pretense. My goal was to make these issues as accessible as possible because the more people who understand the issues with clarity, with an eye towards practicality, the better chance we have of bringing about meaningful change. In the immortal words of the Once-ler:
“UNLESS someone like you cares a whole awful lot, nothing is going to get better. It is not.”
–Seuss, The Lorax
[i] Computerworld, June 8th, 1998. Retrieved from Google Books Search 9/9/2015.
[iii] One could argue that the example laws are not particularly useful from a security perspective, and that PCI compliance is not security. Fair enough, but let’s stick to the meta at this point.
[iv] As fingers were being put to keyboard, 4 states had legalized recreational marijuana use and 19 states had legalized medical marijuana.
[v] New Face of Heroin Is Young, White and Suburban, Study Finds. NBC News May 28, 2014 http://www.nbcnews.com/health/health-news/new-face-heroin-young-white-suburban-study-finds-n115671
[vi] Robert Rector: How the War on Poverty Was Lost, Wall Street Journal, January 7th, 2014 (http://www.wsj.com/articles/SB10001424052702303345104579282760272285556)
[vii] Gartner Says Worldwide Information Security Spending Will Grow Almost 8 Percent in 2014 as Organizations Become More Threat-Aware (http://www.gartner.com/newsroom/id/2828722)
[xiv] Computerworld, Web Attacks Spur Security Tactic Checks, Ann Harrison, February 21, 2000
[xvii] The Wake-up Call Comes. Data Stream Column, Thomas Nolle, Computerworld October 2, 1989
[xviii] Arguably one of the fathers of computer security, https://en.wikipedia.org/wiki/Donn_B._Parker
[xix] Arguably another father of computer security, https://en.wikipedia.org/wiki/Peter_G._Neumann
[xx] You may know it by its more common term: “retreat.”
[xxi] Security people love martial metaphors, often employed incorrectly. Napoleon’s “Grand Army” was nearly 700,000 strong when its campaign to Moscow began in June 1812. Roughly six months later, when the survivors recrossed the Niemen in December, about 380,000 were dead and 100,000 were prisoners of war, with a mere 27,000 fit for duty (https://en.wikipedia.org/wiki/French_invasion_of_Russia). A powerful graphic representation of this military debacle can be found at: https://en.wikipedia.org/wiki/File:Minard.png