Changing the fate of information security
Computer World Security reprinted a 2003 CIO.com article entitled: 2010: The Future of Security.
While I don’t like articles/news that engage in fear mongering, this article does lay out some likely outcomes of the growing perception of insecurity in computer systems.
I say “growing perception” not to say that things are all fine and dandy in the security arena, but to indicate that the average Joe, and Joe’s elected official, are starting to notice.
Two things I’d like to address.
First, the article cites some work and quotes from perhaps one of my favorite software engineers, Watts Humphrey:
“We’re letting creative artists build bridges,” he says, “then trying to stabilize them with unlicensed laborers while they’re collapsing.”
“I want the technical community to become professionals,” Humphrey says, “to say, This is how we do our job.”
TSP and PSP have already been found to reduce coding errors by factors of up to 10 or more. Microsoft tried it and reduced bugs within a 24,000-line program from more than 350 to about 25.
Humphrey also has conceived of even more radical changes, including a software engineering curriculum modeled on medical school, complete with professional internships.
Now, I’m not bashing Microsoft here, I’m trying to make a point. Microsoft engaged in the endeavor to increase their security and reliability because of customer demand. People got sick and friggin tired of the crap they were being fed for huge cost.
A big driver of this frustration was the infamous BSOD. The blue screen of death put a tangible face to the problem.
The insecurity inherent in our digital world is mostly faceless. This fact, in my opinion, will make it harder to get wide-scale changes to happen.
If we want to eradicate the enemy of insecurity, we have to put a face on it…
Second, the article describes how we go from “free and open” to a “police state” very well. Summarizing:
- The first response is litigation.
- After litigation comes regulation.
- “What follows regulation?” asks Jeff Schmidt. “Standards.”
- The final phase of the corrective response to the digital Pearl Harbor will be a reformation, a cultural shift toward better, more proactive security.
But the article fails in taking this picture to its logical end.
I don’t believe 3 and 4 will happen. What will happen is “governmental oversight” stemming from regulations.
Let’s look at the track record of, say, the TSA. Are we prepared to have an organization like that managing our country’s networks and infrastructure?
Likely, however, we’ll end up there. The sad truth is that the TSA has done little to improve transportation security, and future governmental organizations will be just as ineffective.
But the general public can SEE the TSA, and though they hate it, they are somehow drinking the Kool-Aid and believing that things must be more secure.
The result - why do something else? “The TSA is there, we’re safe, aren’t we?”
In my mind, that’s the end fallacy of governmental regulation. It:
- gives a false sense of security
- puts organizations in the position where they’ll do the bare minimum to comply.
I do believe that government can do things to change how this whole security thing shakes out, but its track record is very bad.
The best thing the government can do, in my opinion, is demand security, built-in, from the bottom-up, in everything they do. Every contract they develop, every system they buy, every contractor they hire.
The government’s initiative in this arena would give vendors the financial incentive they need to build security into the process.
The effect is that everyone benefits.
Bill