journeyThe story of IT is rapidly morphing into the story of IT security. One could describe it as a farce made up of many little tragedies. No people have been dying recently due to getting hacked (at least none that we the public know about) but the employees of Sony Entertainment or the many victims of ransomware could attest to the costs of an attack to its victim. The Snowden revelations, as well as several high-profile vulnerabilities and instances of blatant disregard for customer privacy by household names (Samsung? Lenovo?) have highlighted a curious trend: The more we rely on technology, the less trustworthy we find it.
What might look like a paradox is actually the result of a very simple dynamic. Rising IT usage means higher stakes: more attack opportunities and juicier targets. The software infrastructure is undergoing its first real stress test, yielding lots of interesting (if unsettling) data points. Testing is mostly done by people who have the most to gain from weaknesses: spies, criminals and hacktivists. It is still not clear how much there is to lose for the rest of the ecosystem, which is why its response has been somewhat lethargic so far.
The problem has complex economic and social facets. In particular, there are many instances of mis-aligned incentives: those with the means to prevent an attack don't bear the brunt of it when it comes. A coder who leaves a buffer overflow somewhere in Web-facing logic is not liable for the damage incurred by users once they get hacked. Or, from a completely different perspective, employees at signals intelligence agencies don't get fired when constitutional freedoms they are ostensibly protecting get eroded by their very actions. For yet another example, a skilled hacker faces a relatively low risk of being caught and punished.
Optimizing incentives has been the perpetual challenge of every society since the dawn of time, of course. It would be great if the problem could be solved technologically but it's becoming obvious the new tools are no different from those before: empowering attackers and defenders, thieves and detectives, opressors and the oppressed alike.
Having said that, the attacking side clearly has the upper hand at this point in the game, and not just due to its intrinsic asymmetric advantage. It is simply too easy to build systems without security considerations and too difficult to build with them. That is to say, even the industry's culture and tools work against the defenders.
It is, fortunately, within the remit of IT to make difficult tasks easier and expensive propositions cheaper. It should be possible to use IT to make robust IT more affordable. There are, in fact, many exciting developments in this area and I hope to write about some of them in more detail in the future. As for making the disregard of security more expensive, that's a completely different can of worms...