"And I've seen it beforeIt's almost time, I think, to start the eulogizing for the outmoded mindsets of people who are standing in the way of progress. Almost. If only they'd get onboard or get out of the way. I think it really has reached the binary point of "either you're with us or against us." It simply sickens me to see some of the same widely-known people languishing on in blind stupor with the same tired arguments they've held since before the internet went mainstream. Hey, guess what? It's 2010 - get with the program!
And I'll see it again
Yes I've seen it before
Just little bits of history repeating"
(Shirley Bassey, "History Repeating")
Old Technologies...
If there is one area that I find most depressing about the security industry, it's the continued strength of presence of technologies that, while serving a legitimate purpose in a narrow sense, are still deployed in a broad manner and seen as some sort of grand solution. You know what I'm talking about: firewalls, anti-virus, and maybe even IDS/IPS and SSL. These technologies will not solve all problems. In fact, they decreasingly solve many problems at all. All of these point solutions serve a limited purpose, but in the grand scheme of things there are limits to their effectiveness.
Perhaps more than over-reliance on these old technologies, I also find that there are some fundamental challenges that we haven't solved yet. For example, authentication vexes me. How can we possibly still be living in the age of the username and password? Where is the promise of secure, ubiquitous, advanced authentication? There have to be solutions to this problem, but nothing seems to be percolating to the top. How is this possible? Is it a limit to our thinking, our technology, our brains, or something else altogether?
Of course, on the flip side we still continue to see failures in implementing basic, common-sense solutions. Patching, for example, is a major issue. There is simply too much outdated software in the world, and there's really no straightforward way to fix it all as-is. We need to find a way to jump the curve to get out of our current rut. The software industry is largely culpable in creating this mind-numbing cycle. It doesn't mesh well with the expectations of the average person. Case-in-point, I upgraded my Dad to a new PC running Vista about 20 months ago (he's XP-based system was falling over)... then 9 months later came Windows 7... he knows it's a better OS and that he'd be better off running it, but he's tired of all the upgrades... as he should be (and don't even get me started on the migration path)!
Now consider that almost every popular application that we run on a daily basis has likely been updated several times this year alone. I can't even count how many patches I've applied to my Mac this year when I consider OS X, Safari, Firefox, Tweetdeck, Flash, AIR, Acrobat Reader (for forms!), VMWare Fusion, Microsoft Office for Mac, etc, etc, etc, etc.
We need a reset point, and soon. We lament security, yet our technologies betray our efforts.
Old Mindsets...
Of course, it's not all about technology. We have some dangerous mindsets in circulation that work against us. Whether it's the military-industrial complex that Eisenhower warned about, or the Parker-like attacks on "risk management," or the blind greed and arrogance of corporate executives, or outright insanity by leaders of the next evil empire (who say things like "true anonymity is too dangerous" - yeah, so is freedom, but only if you don't trust people - though this isn't our first taste of his skewed thinking). And don't even get me started on the insurance industry...
At issue is this: rather than engaging in earnest discourse to address and improve the challenges of the day, some vocal, self-ascribed "leaders" are fighting against everything. The Parker-esque take on risk management is an excellent example where we have someone well-known and highly active in the security community spouting the same diatribe for several years without any real acknowledgement of the progress that has occurred in the intervening period. This mindset is replicated in key quarters throughout the industry, limiting itself in no way to sector. SCADA networks - known to be some of the most poorly secured around - now find themselves internet-connected with very little reasonable protection in place. Our country, which invented the internet, finds itself decreasingly able to protect against external incursions to a degree that - FUD aside - should terrify experts.
And then enter the breakers v. builders debate. Some pointed out last week that they could never justify to management their desire to attend Black Hat and DEFCON. Why? Apparently there are still some in this world who (shockingly, I'm sure) don't understand that it is vitally - if not soberingly - important that the community get together and relate over just how broken things are. Without people like Barnaby Jack and Chris Padget reminding us just how easy it is to break the most common parts of our lives (ATMs and mobile phones in this case), we could quite easily forget the momentous challenges we face. If RSA provides a shiny corporate face for our industry, then Black Hat and (more so) DEFCON provide us with a reminder of stark realities (or maybe give us just cause for our malaise).
The Heart of the Problem...
We need a changing of the guard at all levels, not just within the security community. Executives are living longer and applying their grossly outdated understanding of technology, security, and privacy to a threat environment they simply cannot understand. We need new ideas and new faces. Too many people are digging in their heels these days, holding to ideals that were developed pre-internet, which is highly detrimental to growth and improvement. At the same time, we have old guard DoD/intel types who are over-hyping "cyberwar" in a manner that simple doesn't get the right message across, and typically with an offensive mindset geared toward grabbing political turf. Despite all the FUD, there is a very legitimate concern for public systems and safety that needs to be addressed asap.
Lastly, we need to strive toward re-entering a golden age of scientific research. Some of our greatest achievements have been in the face of adversity, such as the rapid development of nuclear weapons and power, as well as the space race and the Cold War. These periods were all marked by intense competition, often laced with a perhaps-unhealthy degree of FUD, but in a manner that great accelerated scientific advancement. It would seem that a similar situation is afoot around the "cyberwar" rhetoric, and this, I think, could be the one positive outcome for what is otherwise a rather mindless negative.
It is time to start learning some lessons and investing in the future in a meaningful way. It's time to embrace programs like Awareness that Works (TM), enhance and extend risk analysis and management tools and techniques (like FAIR), and to start clearing defining and understanding the degree of challenges facing our environments (beyond botnets, including the threat of espionage and the inappropriate exposure of SCADA systems). We need to accept that there are organized malicious forces in the world (both criminals and nation-states) that may wish to do us harm (*cough*NK*cough*), and we must mobilize. It's time for the golden age in information assurance (or security, or whatever you want to call it). We must break from the past, learning lessons from history, burying the outmoded mindsets and arguments that have been holding us back for the better part of 2 decades.
Ben,
I agree that it's time for lots of new approaches. Institutional inertia is something remarkable to behold, don't you think?
However, inflexibility of thinking is not always correlated with aging.
I would propose that it's really a failure of curiostiy, among other things.
I am 60 - my thinking is still quite flexible, and, from my very biased point of view, well ahead of many people in infosec and IT in general.
Regards,
Patrick Florer
@Patrick -
You're definitely right that age really isn't reflective of the issue. However, I would submit a couple things:
1) You're perhaps more the exception to the rule.
2) You're perhaps not as old, relatively, as meets the threshold.
That being said, yes, it's inflexible thinking, to a large degree. However, it's inflexible thinking grounded in experience pre-mainstream-internet that I think is all that much more dangerous. This does create a certain age requirement (of which the low end could be 30-35).
fwiw & thanks for commenting!
-ben