Mar 9, 2015

Cyber security challenges

Cyber security is difficult. It’s actually so difficult that a few years ago the US National Academy of Engineering named securing cyberspace as one of the Grand Challenges of Engineering. Other challenges on that list included, for example, providing access to clean water for everyone and making solar energy economical.

What makes cyber security so hard? There are several reasons. One is the complexity of networks and services. It is simply impossible for anyone to fully understand all the technologies, players, connections and code behind any important or popular service. The second is the irrationality of users’ behavior. We tend to think that people are rational, risk-calculating machines. Although we know that’s not the case, services are still designed on the assumption that users will make rational decisions and behave accordingly. The third reason is that the economics don’t work in favor of better security. The security level of a software-based service is very difficult to explain and prove to users. The implication is that users won’t pay for better security, because they can’t see what they would get for their money. That creates the well-known “market for lemons” problem, where it makes sense for vendors and service providers to implement just the minimum acceptable level of security.

There seems to be an endless list of reasons for cyber security problems, but I’ll add just one more. The fourth reason is that software engineering is a very young science. We don’t yet understand well how to create quality software, let alone secure software. Sometimes it seems to me that we are like kids playing with shiny new technology, wanting it all right now without thinking about the dangers.

So, how do we tackle these problems? I’m afraid that cyber security will go south for a while before it starts to get better. The most important thing needed is an attitude change among consumers and vendors. Consumers shouldn’t accept insecure products and services, and they should understand that security comes with a price tag. Vendors should make the security of their products and services user-friendly, visible and understandable. Security should be sold as an enabler and as a protector of privacy. We’ll probably need regulation in order to get rid of the externalities and to speed up the process.

All our complex Internet services are based on code. It’s not just a Facebook page or a cloud service; the whole Internet runs on code, and every device connected to it runs some code. Then we stack all these separately coded devices, components and products together to create new services that the original developers never thought of. Hence our inability to create secure, quality software is a real problem. In my experience most developers would like to write good, secure code, and many even know how to do it, but they have neither the time nor the incentives to do so. Universities need to start teaching how to create good, secure software for modern, complex environments. Organizations need to understand that building security into services requires resources; it’s not just the user-visible features that matter.

We certainly need better security products and automation to protect complex software-based services from ever-increasing threats. I’m worried that there seems to be a lack of security innovation. Technology innovations happen very fast horizontally and often also vertically, but security innovations happen at a much slower pace, and most (if not all) of them seem to be horizontal innovations. We should have more non-security people involved in designing the security of products and services. We need views on human behavior, economics, user interfaces, and so on. Cyber security is too important to be left just to cyber security experts. We should also aim higher than “just security” or even resilience. We should think about anti-fragile systems: systems that become more secure when someone tries to breach them.

Cyber security will remain a grand challenge for a long time. We need to understand that security can’t be isolated from technology, people, processes and organizations. We need to rise above the technology and look at the bigger picture to build secure services. Cyber security will get worse before it gets better. We have taken the first step in the right direction, though, by understanding that it’s a challenge worth solving.