A while back, I was on a panel where speaker-after-speaker stood up and pitched their virtual doodad, without mentioning the ways that it could be exploited. But still, why would anybody want to talk about something as dreary as security with all of the “benefits!?” Well, according to Juniper Research, in 2015 cybercrime cost the world five-hundred-billion dollars, which increased to two-trillion in 2018. If you’re keeping score, that’s roughly the GDP of France. So yes indeed, maybe security is something you should think about when you deploy your next technological “innovation.”
I was the only security nerd on the panel. So, when the moderator got around to me, he said , “Now tell us Dan, what are the steps we should take to keep ourselves secure?” Given what I’d just heard, that was the equivalent of asking me, “Other than that Mr. Lincoln, how was the play??” So, I told them the honest-to-God truth, “The only way you’re EVER going to be secure is if you stop adding new technology until you get your arms around the stuff that you already have.”
Crickets – Then they began to laugh. I’m a well-known comedian. As the moderator was drying his eyes he said, “I think that the business world would have a problem with that. How would they make any money if they didn’t develop new things?” And there it was… the real reason… Profit.
The fact is that every new technology invokes consequences that are simply unknown, or not properly understood at the time of deployment. So, the cybersecurity people end-up playing whack-a-mole with the emerging problems. That’s called incident response. And it’s the generic cybersecurity strategy for most businesses.
Still, incident response is just firefighting, not fire prevention. Even worse, the potential for show-stopping incidents increases as the attack surface expands. So, we might nail down the risks in a wireless network. But then, BYOD, the cloud, and the Internet-of-Things comes along, and we haven’t even begun to shake out the implications of those technologies. But past experience suggests that you can count on a few nasty surprises.
So, here’s the point of this little rant. It will probably take a couple hundred years to get a proper fix on this particular era. But right now, the tectonic shift that virtual space represents is being compared to the invention of movable type. And that little technology ushered in such minor societal change as mass literacy, the Reformation and who can possibly forget the Renaissance.
However, it also took two, mostly bloody centuries for the old concepts to morph into our modern understanding. Now, in the year 2020 we are on the back side of what might be a more impactful technology, and this has all taken place over a period of twenty-five years.
In that short period, Amazon has wiped out whole shopping malls. and everybody under the age of thirty processes reality through their I-Phones. Even more disturbing, is the fact that a country like Luxembourg, or worse, some weird genius in a one room cabin in Wyoming, can bring the United States to its knees by attacking one of the many holes in our critical infrastructure. So, no wonder our concept of the implications of virtual technology has been left in the dust.
Remember, there are millions of very smart people out there looking for any means to exploit you. So, the rush to commoditize virtuality is more than a race to dig up ever more creative ways to sell stuff. It is a potentially disastrous habit, like alcoholism, or drug abuse, that we had better get under control before we turn our modern world into the digital equivalent of the wild west.
I probably sound like Chicken Little here. So, let me close with a little question. Consider what your life would be like if we lost our national electric grid. Could that happen? Well, you can watch the exploit that underlies that catastrophe any time you want to on YouTube. So, let’s just say that I’m starting to make friends with the Amish. They knew how to survive in the eighteenth century.
Bio:
In addition to my own teaching, research and publication program, I am accountable for developing innovative research programs in cybersecurity. I am also responsible for leadership in all aspects of curriculum design and development for a National Center of Excellence in Information Assurance Education (CAE/IAE). Courses taught include:
Graduate Secure Software Management
Graduate Software Assurance
Graduate Information Assurance Principles