by J.M. Porup (@toholdaquill)

95 Theses of Cyber

sign up for the newsletter

security is not binary


flawed computer security is a political and economic problem, not a technical one

what does this mean?

Have you been pwned?

Maybe. Could be. Or maybe not. Who knows?

Security is not binary, not a yes-or-no question, but rather the mind-numbing confusion of Schrödinger’s Cat.

Dealing with this confusion is the hardest problem in information security. It drives many infosec pros to drink.

We can never be sure that the security of any given system hasn’t been broken. Humans are unable to build perfectly-secure systems (theses[0]), and humans create security flaws on purpose in order to gain power over others (theses[1]).

This leads some to the conclusion that playing defense is a waste of time, and an offensive strategy is the only solution.

Just because someone might break a window and burgle your house, does that mean you don’t lock your door?

The current state of information security, across the board, is not just bad, but absurd–clown at the circus ridiculous. It’s five year olds building sand castles and expecting to repulse the Mongol hordes.

Assuming this naturally-occurring phenomenon is an unavoidable bug in the cyber domain would be a mistake. Economic and political incentives have built a world where everything is absurdly broken.

It doesn’t have to be this way.

Free market capitalism rewards short-term profit over long-term security. When a market failure threatens the integrity of the entire cyber domain, where we all now live, the appropriate response is not to despair, but to regulate. To compel defense.

But governments don’t want a secure internet. The apex predators who work for secret three-letter agencies are hungry for power, and any move to play defense weakens their position at the top of the food chain. Why would an owl give a field mouse body armor? Why would the NSA bother to fulfill its defensive mission?

Rampant insecurity disrupts democracy and redistributes power to spies and gangsters. Those who possess that power will exercise it ruthlessly, with contempt for the law, unless checked by some countervailing force.

We must be that force. We must place renewed focus on playing defense, if we are to restore democracy to the cyber domain. Only by fixing these broken economic and political incentives can we solve the technical problem of ridiculously-bad information security.

It won’t be easy. The correct answer to incompetence and malevolence is not more incompetence and malevolence, but to get in the trenches and do the work. We must battle incompetence with competence, expose malevolence, and hold the powerful accountable to the people.

This answer frustrates policymakers, who know that sprawling government bureaucracy consists of nothing more than incompetence and malevolence. Worse, political leaders who lack technical chops–most of them–find this permanent state of uncertainty unacceptable, maddening, even. Yet this is the world we now live in.

Humanity has lurched onto the cyber domain, and the abrupt change of scenery is thrilling, but also awesome and terrifying. People are scared. They want surety, they want to be safe and protected.

There is no safety, here or anywhere. Never has been, never will be.

Dealing with the non-binary nature of information security is essential if we are to mitigate the threats we face today.

We can no longer go back. We all now live on the cyber domain, whether we want to or not. How we address the flawed economic and political incentives that delivered us into this insecure new world will define the course of civilization for generations to come.

<< theses[1]   theses[3] >>