There is a core of folks who assert that infosec problems cannot be solved by technical means, and that geeks won't be able to put things right; instead we have to go begging for help to laywers, politicians, spooks, and law enforcement. Just today, the incoming Cybersecurity Czar boasted about not having technical chops. Plenty of jobs in DC don;t require technical expertise, but I do not see how Cybersecurity Czar is one of them. Does the Treasury Secretary brag about not knowing how banks work? I get that execs (Czar counts as an exec right?) cannot spend all their time down in the weeds, but even if you are are at a high level you have to tell a weed from a flower or a vegetable.
I am not naive enough to think that tech can solve all security problems, but it raises my hackles when people casually say that "we'll never solve security problems with technical means." For sure, we have not solved much yet, but why can't we do better? For the people like to assert that we cannot solve these issues technically, have a look at car theft:
- "Auto theft isn’t much of a problem anymore in New York City. In 1990, the city had 147,000 reported auto thefts, one for every 50 residents; last year, there were just 7,400, or one per 1,100. That’s a 96 percent drop in the rate of car theft.
- So, why did this happen? All crime has fallen, nationally and especially in New York. But there has also been a big shift in the economics of auto theft: Stealing cars is harder than it used to be, less lucrative and more likely to land you in jail. As such, people have found other things to do.
- The most important factor is a technological advance: engine immobilizer systems, adopted by manufacturers in the late 1990s and early 2000s. These make it essentially impossible to start a car without the ignition key, which contains a microchip uniquely programmed by the dealer to match the car.
- Criminals generally have not been able to circumvent the technology or make counterfeit keys. “It’s very difficult; not just your average perpetrator on the street is going to be able to steal those cars,” said Capt. Don Boller, who leads the New York Police Department’s auto crime division. Instead, criminals have stuck to stealing older cars.
Pretty amazing stats. Its not the identical issue that we face in infosec, but I will point out that many of the reasons that people cite why infosec technology will "never" be able make a difference are shared by the automotive industry. Users place higher value on utility than security, intelligent adversary, sitting duck attack surface, operate in hostile/unmanaged environments, complexity, have to work with "developers" meet ship dates and cost control issues. Its not so different from our world, and that's serious progress.
I really wonder why the computer "ignition key" has not caught on. It should be simple to use car key technology, to provide a proximity unlock of a computer (replacing screen lock passwords) with an explicit button press to authorize access to high-value services.
Posted by: Andrew Yeomans | August 22, 2014 at 03:40 AM
@Andrew - I agree, seems like you could get traction on the usability pieces here. Improving the desktop would be very helpful but still the server is home to so much of what we have to protect and those tend to be "always on", but totally agree the desktop is candidate for an ignition key, and would zero out a lot of threats.
Posted by: gunnar | August 22, 2014 at 08:08 AM