Infosec can, at times, be disheartening. You look at Apple's #gotofail and you think - how did they manage to screw up the most fundamental and oldest security protocol on such a wide scale with such an old bug? On days like that it can feel like, if someone like Apple cannot get the basics right, what chance does an average company have?
But on the other hand, I see company after company, where the security teams are just getting started at looking at what matters - appsec, identity, data. New appsec teams with real tools, real budgets, and real mandates. In terms of actual defensive effort - it's early days. People love to tell scary stories about threats and how defenders will always lose and how the problems are overwhelming, but I wonder if most of the problems we have are due to the fact we have not really tried to solve them yet.
Problems that are presented as intractable with all-powerful opponents sometimes just need new efforts. Around 60 years ago, the air quality in Los Angeles was awful. It was seen as an unsolvable problem, but smog pollution dropped 98% in the last 50 years. Why? Cleaner fuel, cleaner cars, intelligent regulation.
A few inches of snow is enough to close down many US airports and delay travels for days. But over in Scandinavia, home of eleven months of winter and one month of darn poor sledding, you see track records like Stockholm's Arlanda airport where they have not had to close due to snow in 50 years. Oslo and Helsinki have similar records.
Think about that. It is cold enough that planes need to be deiced starting in August, yet these Nordic airports have better success battling more hostile elements than Atlanta or Minneapolis. Why? Well, one answer is they cared and they tried.
The snow plow drivers basically do not take breaks; colleagues run and hand them coffee so they can keep plowing without getting out of the plow. They take pride in their track record. They practice. Crews run drills against 20 different weather patterns. The airports do not use off-the-rack technology; they create purpose-built tools and design equipment for their specialized requirements: the largest snow blowers in the world, capable of moving one ton of snow a second, and machines that can plow, sweep and blow snow simultaneously.
The Infosec industry has struggled to this point because it's been dominated by a "Weather channel" mentality, romanticizing threats, raving about Snownamis. Despite our challenges, I think Infosec at this point is in a good place going forward, where, like the smog war in LA, we have recognized the problem. Like Nordic airports, we are seeing companies revamping tools and processes and digging in for the next phase. Making an effort. As unsettling as it feels when a company like Apple has a bug as bad as #gotofail, it's also worth thinking about what infosec may look like once the investments that many companies are making in new security teams, tools and processes eventually bear fruit.
"...be aware that the market does not turn when it sees light at the end of the tunnel. It turns when all looks black, but just a subtle shade less black than the day before,"
-Jeremy Grantham, "Reinvesting When Terrified", March 2009
There is a lot to do, can't get started any sooner than right now. No such thing as bad winter weather, only opportunities to improve bad snow removal equipment, dysfunctional teams and processes.
The airport comparison is a bit of a stretch here. The problem of keeping an airport open through snow is simple (move the snow off the runway, keep ice off planes) and uses proven and well understood simple technology. The problem is easy to understand by even the most disinterested observer. There is a clear motivation to solve the problem which a majority of people share. Solutions, even custom ones (build our own snowclearing machines) are quantifiable and the outcome obvious (no snow on runways!). The threat is expected and predictable.
Which of these apply to infosec?
I'd challenge that infosec isn't a solvable issue and the thinking that it is is our biggest problem. It is more like a chronic illness or ache that we need to learn how to live with and manage. Yes, we can take steps to reduce the pain and we should, but we shouldn't expect things to ever "be secure" for whatever definition of secure you use.
Posted by: ds | March 01, 2014 at 07:30 AM
@ds- I do agree on the chronic illness piece, I think it's a problem that does not go away.
But you can say the same thing about winter weather. And if, as you say, "The problem of keeping an airport open through snow is simple" then why have there been over 75,000 cancelled domestic flights in the US due to weather since Dec 1? I would suggest incentives play a role, but also point out that our friends in Scandinavia show this is *not* a problem that cannot be solved. Atlanta in February is about August in Sweden and yet they stay open the whole year through.
To me, infosec as commonly practiced is like winter weather response in an Atlanta airport, and if we are going to get better at dealing with this chronic illness we need to get new tools and practices into play.
Posted by: gunnar | March 01, 2014 at 10:20 AM
"the largest snow blowers in the world, capable of moving one ton of snow a second"
Does not sound plausible. Are we talking the Overaasen TV-2000? That would be about 10 tons an hour.
http://www.overaasen.no/upload/airport09_E.pdf
Posted by: JohnS | March 10, 2014 at 08:56 AM
@JohnS - I agree it sounds like a lot. The point that resonates with me is - using purpose-built, not off-the-shelf, equipment. Would love to see infosec do this.
Posted by: gunnar | March 10, 2014 at 04:14 PM