An Argument that Cybersecurity Is Basically Okay

Andrew Odlyzko’s new essay is worth reading—”Cybersecurity is not very important“:

Abstract: There is a rising tide of security breaches. There is an even faster rising tide of hysteria over the ostensible reason for these breaches, namely the deficient state of our information infrastructure. Yet the world is doing remarkably well overall, and has not suffered any of the oft-threatened giant digital catastrophes. This continuing general progress of society suggests that cyber security is not very important. Adaptations to cyberspace of techniques that worked to protect the traditional physical world have been the main means of mitigating the problems that occurred. This “chewing gum and baling wire”approach is likely to continue to be the basic method of handling problems that arise, and to provide adequate levels of security.

I am reminded of these two essays. And, as I said in the blog post about those two essays:

This is true, and is something I worry will change in a world of physically capable computers. Automation, autonomy, and physical agency will make computer security a matter of life and death, and not just a matter of data.

Tags: cybersecurity, Internet of Things

Posted on March 20, 2019 at 6:03 AM • 50 Comments

Comments

JohnnyS • March 20, 2019 6:45 AM

On April 14th, 1921, I’m certain that Captain Smith was quite happy that things were going splendidly on the maiden voyage of the Titanic. That seems to be the theme for this essay: “whistling past the graveyard.”

WE DON’T KNOW if there are foreign nation-states that have collected ample access to our industrial systems so they can cause massive disruption at their will: Such access would be hoarded until needed.

WE DON’T KNOW which of your home IOT devices are currently being used for botnets to spread spam and malware.

WE DON’T KNOW if our personal information is on a list that is being used by cyber criminals to commit identity theft and they simply haven’t got to us yet as they work down the list.

The fact of the matter is that the vulnerabilities caused by cyber security problems are real and so are the risks. The impact of such threats can be catastrophic.

Anyone remember the Soviet gas pipeline explosion in 1982? You think they have forgotten? You think they wouldn’t do the same thing to us in revenge if they get the chance?

Anyone know anyone who has suffered identity theft and knows the extreme misery of that awful crime?

Anyone know anybody who had to deal with ransomware? Where jobs and even lives depended on fixing the problem?

“Whistling past the graveyard” is irresponsible and foolish. Instead: “Ask not for whom the bell tolls: It tolls for thee!”

Phaete • March 20, 2019 7:26 AM

There is no reason not to assume that virtual security will grow to meet virtual access requirements in the same way that physical security has grown (and is still growing) to meet physical access requirements.
The principles to apply are the same, the methods just differ.
So just as physical access restriction, the virtual access restrictions will always be vulnerable to a certain degree.

For example:
– chance and knowledge (zeroday – weak links etc).
– humans (social engineering)
– proportional investment time/money/effort. (the more they spend, the less your chances of successfully restricting are)

So we can really learn from physical access restriction principles, what is possible, and what is impossible (aka not economic plausible).

There will always be public outcries when there are large access restriction violations (both physical and virtual), just as there will always be humans who have to decide how much they want to spend to secure their access restrictions.

Roger Stone • March 20, 2019 7:44 AM

This “chewing gum and baling wire” approach is likely to […] provide adequate levels of security.

Author has just proven they don’t know what they’re talking about.

If “chewing gum and baling wire”(aka half-a**ing it all) is what you consider “adequate security” then just do everyone else a favor and stop talking now.

Jarrod Frates • March 20, 2019 8:15 AM

WE DON’T KNOW if there are foreign nation-states that have collected ample access to our industrial systems so they can cause massive disruption at their will: Such access would be hoarded until needed.

This is a reason to be vigilant, not paranoid. That it hasn’t happened much even between enemies in actual conflict suggests that it’s rare. That it hasn’t happened from terrorist groups suggests it’s not easy.

WE DON’T KNOW which of your home IOT devices are currently being used for botnets to spread spam and malware.

There are researchers that do, or who will in short order. It’s why there’s news of botnets taken offline from time to time. The nature of botnets, especially those sending traffic like that, is such that they’re impossible to completely hide. They show up in logs, someone investigates, and someone starts learning how it’s built.

WE DON’T KNOW if our personal information is on a list that is being used by cyber criminals to commit identity theft and they simply haven’t got to us yet as they work down the list.

Most people presume that it’s out there and just shrug and wait. While I don’t want to trivialize anyone’s difficulty in recovering, the industry has gotten better at detecting and handling it, and high-impact identity theft is a relatively uncommon occurrence.

The fact of the matter is that the vulnerabilities caused by cyber security problems are real and so are the risks. The impact of such threats can be catastrophic.

Yes, they are. But they haven’t been. I think Bruce’s point is that we do have to acknowledge such risks and do better at addressing them. But not through panic and incredulity.

Anyone remember the Soviet gas pipeline explosion in 1982? You think they have forgotten? You think they wouldn’t do the same thing to us in revenge if they get the chance?

What’s the upside? Vengeance for something almost 40 years ago that even some who worked in Soviet intelligence or pipeline safety at the time claim was due to other reasons at the risk of starting a nuclear war? An explosion happened, but there’s little hard evidence tying it to the US. If it was the result of a CIA plot, it’s a story of a clever attack, but I think there’s too high a propensity in this industry to believe a fantastical claim without hard evidence because it sounds clever.

Something I’ve learned in 25 years in IT, 15 of them in infosec on both sides of the fence, is to be calm, methodical, and careful in measuring risk. There’s a risk that something will happen. That risk declines as the impact is considered. Impacts like what hit Maersk a couple of years ago are exceptionally rare, and even those like what Norsk Hydro is going through are uncommon. For all its catastrophic impact to those affected, a small business going through a disastrous attack does not affect the economy as a whole.

We do need to take the risk seriously and come up with better means of addressing it than “chewing gum and baling wire.” And we are slowly getting better at it. Windows 10 is leaps and bounds more secure out of the box than Windows 7, which was far superior to Windows XP. IOT represents a new challenge, as do autonomous vehicles and robots. The former is already the subject of intense general study, the latter is taken seriously in (most of) the auto industry at least. I’m more concerned about election security, but the chewing gum and baling wire approach there seems to, perversely, increase some aspects of security as actually changing votes would require access to hundreds of different election management systems, something that would almost certainly get caught.

Me • March 20, 2019 8:56 AM

Reminds me of one of my favorites:

https://xkcd.com/470/

GregW • March 20, 2019 8:58 AM

The author has many interesting points. I think one frustrating aspect of insecurity the author neglects to address is that computer security is a public good, whose externalities are born by the public, even when modest investments by parties with a corporate interest could substantially improve security. IOT insecurity is a good example of this. We aren’t asking for perfect security; how about avoiding gross incompetence in cases where the buyer doesnt/can’t know any better? See UL, fire codes, etc. Maybe we’ll only do this when people get killed repeatedly as more IT goes physical, but why not be proactive?

By the way… love this way of describing internet privacy from the essay:

Already today, the old mantra that “on the Internet, nobody knows you are a dog,” has in practice been turned on its head. Many organizations know not only that you are a dog, but also what breed of dog you are, and what kind of fleas you have.

JohnnyS • March 20, 2019 9:04 AM

@Jarrod Frates

I don’t disagree with you on the need to be “vigilant” rather than “paranoid”. If I came across as paranoid, that was certainly not my intent.

The rest of my post you seem to have misunderstood. Please read “The Black Swan” by Nassim Nicholas Taleb and that will help clear up the mystery. Cyber Security is very vulnerable to the “fat tail” problem, where the majority of consequences are made by the least statistically significant events. Assuming that previous performance is probative for future results is extremely dangerous.

GregW • March 20, 2019 9:09 AM

@Jarrod Re: Soviet gas pipeline… to claim it was an accident, not sabotage, does ignore that parties in the USG took credit for it and the pipeline was a major tactical USG focus as described in Peter Schweizer’s book “Victory”. No?

Cassandra • March 20, 2019 9:13 AM

@Jarrod Frates
Most people presume that it’s out there and just shrug and wait. While I don’t want to trivialize anyone’s difficulty in recovering, the industry has gotten better at detecting and handling it, and high-impact identity theft is a relatively uncommon occurrence.

You raise a very interesting, and to my mind, neglected point, which is recovery processes after a security incident.

While a great deal of effort is put into avoiding security incidents in the first place, to greater or lesser extent,I don’t see much effort in producing reliable and trustworthy remediation processes. If, as many people believe, it is a matter of when and not if a security breach will occur, then being able to recover from it as quickly and completely as possible, at the lowest possible cost, would seem to be a fruitful area to look at. The standard response to identity theft is credit-score monitoring. The standard response to ransomware attacks is to restore from the most recent known good backup (if it exists) and so on.

Bruce works in an organisation whose product is managing what to do after an information security incident, and would no doubt point out that ‘an ounce of prevention is worth a pound of cure’, but we also need to work out how to produce better, slicker, cheaper cures, accessible to those affected.

Bob • March 20, 2019 9:14 AM

@JohnnyS

WE DON’T KNOW if our personal information is on a list that is being used by cyber criminals to commit identity theft and they simply haven’t got to us yet as they work down the list.

We can actually be reasonably certain that this is indeed the case.

JohnnyS • March 20, 2019 9:34 AM

@Bob

🙂

That being said, I can prove that (at least for me), my information IS on a list somewhere in the hands of cyber criminals of people to be attacked because I have been approached multiple times by cyber grifters trying to con me.

Fortunately ~20 years in ITSec experience has helped me to understand the risks and keep myself safe. So far…

GregW • March 20, 2019 9:38 AM

Andrew’s analysis, however brilliant, if/when misused to lower expectations will lead to just as much foolishness as the “IT doesn’t matter” essay by Nicholas Carr in early 2003. That was counterintuitive but seemingly brilliant and thought provoking at the time … but was ultimately foolish.

(Summary:Everyone has IT, its not a competitive advantage. Led to tech outsourcing/offshoring/costcutting by mainstream companies who then found themselves lacking bench strength and years if inhouse knowledge and skill for combating/harnessing new tech when combating Amazon, etc. Sample 2006 analysis of the essay: https://www.information-age.com/on-the-death-of-it-strategy-294881/)

Petre Peter • March 20, 2019 10:18 AM

The cost of adopting new technologies will increase if these new systems affect us physically and cause property damage. Even when these systems become smart and easier to use.

1&1~=Umm • March 20, 2019 10:21 AM

The problem with saying ‘OK it’s happening but things are still working’ is that it assumes only short term effects with publicity are of importance.

It’s a typical business managment attitude which cuts maintainence stuff an says ‘look no disastets’ to cut and run or blaim other people a few quaters or years later when the ‘entropy rot’ has got beyond what the further reduced maintainence staff can handle even without a minor emergancy.

Some know Peter Gutmann lives in New Zeland and is a bit of a security expert. He also lived through the privatisation disasters that befell the main supplier of electricity to a major NZ city, and wrote about it. It’s worth the read if he still has it up on his personal Internet presence.

David Rudling • March 20, 2019 10:35 AM

I will take one quote from near the end of the conclusions in the paper:-

“This essay does not claim that a “digital Pearl Harbor” will not take place.”

and one quote from Bruce’s comments above:-

“Automation, autonomy, and physical agency will make computer security a matter of life and death, and not just a matter of data.”

and add one of my own:-

Pearl Harbor led to Hiroshima and Nagasaki in retaliation.

Matt • March 20, 2019 10:43 AM

“Nothing really bad has happened yet, so therefore we don’t need to work any harder than we currently are, even though the landscape is constantly changing and new technologies that are poorly-understood are constantly being introduced.”

If the above sentence sounds reasonable to you, please depart the gene pool as quickly as possible.

Impossibly Stupid • March 20, 2019 10:46 AM

Honestly, the bulk of the author’s paper seems to contradict the trollish title he uses. I don’t know if that’s intentional, or simply a case of him having all the right data, but still reaching the wrong conclusion.

The author is hampered by the same flawed logic that anti-vaxxers use when they convince themselves that things like disease parties “provide adequate levels” of protection against preventable illnesses. Just because we have not yet suffered a catastrophe doesn’t mean we’re doing an OK job.

A proper scientific approach would be to gather data and make predictions. And there’s plenty of data out there that demonstrates that systems are becoming increasingly fragile. Even on my own little corner of the Internet I have a firewall that grows every day because of attacks that come in from insecure networks that are run by organizations that aren’t truly interested in stopping the ongoing abuse. Just in the time it took to write this post I had two new attacks come in from India (IN) and Georgia (GE).

Cybersecurity is basically awful. It’s essentially a festering pile of countless diseases. Don’t make the mistake of thinking things are fine just because you’re not getting hit by the deadliest one of the bunch. Don’t wait until you become a statistic to learn about statistics.

Jordan • March 20, 2019 11:21 AM

@JohnnyS: do you have any references for that 1982 pipeline explosion that don’t lead directly back to Reed’s book “At the Abyss”?

There’s a couple of explicit denials that such an explosion occurred (or was even possible), and I don’t find anything that didn’t get its material directly from Reed.

1&1~=Umm • March 20, 2019 11:54 AM

@Jarrod Frates:

“That it hasn’t happened much even between enemies in actual conflict suggests that it’s rare. That it hasn’t happened from terrorist groups suggests it’s not easy.”

Actually it has happened between enemies or more correctly a Super Power and a Nation that was trying to break free of it. The offending parties who attacked the power infrastructure have been ‘attributed’ to Russia. Oh and you might want to talk to the Venezuelan’s for their current state of affairs, they have their finger firmly pointed to another Super Power.

So yes it’s definitely happening of that we can be sure.

The fact it is not common is that it is new and the antagonists are effectively testing as they go, have a look at tanks in WWI as an example. When those currently testing are happy that not only can they deploy it effectively but also defend their own side effectively then it will become just another weapon in the ‘destroy the civilians’ wars we now appear to want to fight.

The fact that it is apparently only Super Powers playing this stupid game currently should actually serve as a warning. You can be sure that since the problems in Estonia a lot of European nation states have been looking into it in quite some detail. Thus the ‘trickle down effect’ has already started, and it won’t be long before all first world nations and most if not all second world nations with technical ability or the resources to ‘buy it in’ will likewise happen, then quickly work down to social misfit children siting in their patents back bedroom.

But I would not be to quick to judge how easy or hard it is based on Terrorists not having done so (technically they have the US have attributed cyber attacks to terrorists working for Iran over attacks on Saudi).

The main point is Terrorists don’t usually go for high tech attacks, because they lack the TV presence of bombs and bullets and corpse strewn streets billowing black clouds of bomb blasts etc that cause ‘shock horror and awe’ in civilians with less energetic imaginations.

Let’s face it if the power goes to his beer cooler Joe Sixpack is not going to blaim terrorists but those ‘cock-a-mamy’ corporates who steal his money every month with their extortionate bills. And if and when the TV comes back and the Fox News presenter blabs on about terrorists, Joe will almost certainly say that the terrorism is made up by those corporates to avoid paying him compensation for having to drink warm beer.

Terrorists might apear dumb to the average person, but those who fund, supply and control them are not stupid by any means. They know what does and does not get publicity and cutting the power etc so people don’t hear their message would be self defeating for them. Trust me they want all the glamour of a Hollywood block buster not Joe sixpack whinging about warm beer.

Steve • March 20, 2019 12:00 PM

Yet another instance of the normalization of deviance. It will work right up until it doesn’t.

1&1~=Umm • March 20, 2019 12:09 PM

@JohnnyS:

“Ask not for whom the bell tolls: It tolls for thee!”

Is not the actual quote from the last line of the last verse of the John Donne ‘No man is an island’ poem. It’s,

“‘Send not to find, for whom the bell tolls, it tolls for thee.'”

It’s funny but the first line of that verse was quoted on this blog a short while ago,

“‘If a clod be washed away by the sea, Europe is the less'”

1&1~=Umm • March 20, 2019 12:21 PM

@Phaete:

“So we can really learn from physical access restriction principles, what is possible, and what is impossible (aka not economic plausible).”

That argument does not realy hold water accept with “low hanging fruit” Cyber-Criminals.

Have a think about the costs involved with Stuxnet, which at the end of the day was a failure for the US Government because it did not damage their intended primary target North Korea, it just inflicted some limited damage on the secondary Israeli target and gateway to North Korea ‘Iran’.

Worse still for the US the North Koreans not only knew it was them they flipped it on the US by calling in UN inspectors to show them halls of happily spining centrifuges. The resulting publicity was seen as an ‘own goal’ by many in the IC, some of whom eventually went to the media about it.

Thursday • March 20, 2019 12:28 PM

After reading Odlyzko’s essay I am reminded not to judge an essay by the title, however the title is loosely why we are all here. An appropriate response might therefore be called, ‘This Essay is not very important’!

No doubt, many readers will not read the essay in its entirely and are bound to miss important meaning, which does in-fact exist. The paper is not without inaccuracies and seems to lack insight into threats we face in the cyber-physical world we are now growing. I would expect better from a prominent mathematician, but perhaps not from one inexperienced in applied security or more aptly risk management generally.

It is clear to me that this thesis is intended as a contrarian response to the seemingly endless barrage of paranoia, theatre, and useless banter that emanates from certain corners of ‘cybersecurity’ and for that I am grateful. The author’s summation to the masses could easily have been simply… Put down the sharp pointy things! Relax! Everything will be OK! Perhaps shortsighted yet a vital call to balance our lives within the threatening world we face persistently.

The majority of value in Odlyzko’s essay is benefitted by the economics of security and the balance between cost, impact, and likelihood of various events, although these concepts are not particularly well-developed in my opinion.

Further, it is not clear to me who Odlyzko intends to reach with his messaging. Paranoid students? professors in his field? the media? incompetent security professionals? If intended toward the latter, one would be wise to feel perplexed by the method of delivery within a medium intended for highly scrutinizing academics. I await the PC World article I suppose?

Was it necessary or ‘very important’ for Odlyzko to throw security to the dogs and then state the obvious assertions of any human charged with managing risk? My indirect takeways ultimately are:

‘Cybersecurity is not very important’ unless outweighed by the impact and likelihood of some threat. This is obvious!
Cybersecurity becomes less important as cost rises in relation to risk. Surely it does!
Cybersecurity should be a balance of prevention, detection, and response investments to risk levels. Yes!

These ingredients, perhaps part of a balanced security program are what everyone (at least competent ones) attempts to do regardless of the type of threat. E.g. Most of us use seatbelts when we enter an automobile either because we see the fine imposed by law and the likelihood of such law to be enforced to outweigh the inconvenience of putting the belt on -or- we recognize the action as a reasonable preventive to death or serious injury in the unlikely occurrence of a crash. Most of us would agree that if one’s preventive action is instead to never enter an automobile this would be an unreasonable security measure!

Individuals, corporations, militaries all weigh the costs and benefits of security, make tradeoffs, and accept a varying amount of risk. That is an obvious condition of life and it is no different with cybersecurity.

When it comes to threat prevention, detection, and response (I.e. security) it is becoming increasingly unreasonable to separate the cyber and physical worlds as they once were. In my opinion, this paper does not appropriately address such a reality.

C U Anon • March 20, 2019 12:32 PM

@ Me,

Todays XKCD with trends gave me three good laughs,

https://xkcd.com/2126/

One of which was the Bigfoot / Mike Pence one.

1&1~=Umm • March 20, 2019 12:36 PM

@GregW:

“‘Already today, the old mantra that “on the Internet, nobody knows you are a dog,” has in practice been turned on its head. Many organizations know not only that you are a dog, but also what breed of dog you are, and what kind of fleas you have.'”

Something tells me that, what you quote might well have been borrowed from this blog.

Faustus • March 20, 2019 12:56 PM

I have brought up this issue before: If cyber security is so bad why are there so few impacts on most people’s lives?

Social psychology demonstrates that we are very inconsistent evaluators of risk, ignoring the large impact of common things like auto accidents while focusing on rare spectacular events like terrorist attacks.

A few posts back people were largely defending the same sort of practice (overriding certificate security specs because they “know” better) that lead to a lot of vulnerabilities ( “Surely ECB mode is sufficient here. I don’t want to deal with an IV!!”).

Now we are a bunch of security sticklers?

The neatest thing about working with my AI is the otherness of its thought. Humans think of themselves as perfect computers and we lose track of how our genetic presumptions are baked into our thinking. AIs think more clearly without this baggage. I am looking forward to their contributions.

On something like computer security, with Black Swan concerns that defy abstraction and statistics, we are awash in our apex predator risk heuristics.

Foresight is difficult in this space, but undoubtedly hindsight will be 20-20.

Alejandro • March 20, 2019 1:13 PM

We may long for the day when the only injury one could receive from a computer was carpal tunnel syndrome. Also, we might long back at the days when some security could be had simply by hitting the shutdown button.

I know it seems reactionary, but for security and privacy reasons I lean towards smallish distributed networks and bi-directional geo-fencing (OK call it tribalization of the internet if you want).

From time to time there has been talk of re-inventing the WWW from scratch, with security and privacy measures baked in. For some reason nothing seems to happen from it, though.

Only the most naive Pollyannas would think cyber-security is “basically Okay”. 24-7 cyber surveillance alone is a travesty. Don’t get me started on the rest.

I personally would pay a significant fee for a truly more secure and private internet experience. Unfortunately, most people want something for nothing. Or worse yet, don’t care about what’s happening because it’s not in their face every day.

parabarbarian • March 20, 2019 1:25 PM

Most problems we have with computer systems are from programming bugs and operator behavior (PEBCAK).

Jesse Thompson • March 20, 2019 2:27 PM

sighs For anyone who thinks that “everything is OK”, one only needs to recognize the discrepancy between everyone’s motivations and the reality one perceives as an opportunity to arbitrage. Put your money where your mouth is.

How? Sell cyber-insurance.

If you think that nobody understands how to transform money into digital piece of mind, then simply take their money in exchange for the promise to recoup them of their losses if/when shit breaks as a direct result of lapse in security, such as an attack or a virus.

Then use their money to buy all the gum and bailing wire you think you’ll need to never have to pay out.

Walk away with the profits and thumb your nose at everyone who thinks that security is a Hard Problem.

Or if anyone is claiming that “everything is ok” and they are NOT already profiting directly from it, then they’re just too chicken to follow their own advice and thus should be summarily ignored.

Faustus • March 20, 2019 2:40 PM

As citizens of our time and place we are confronted by a lot of apocalyptic possibilities.

Global warming
Nuclear war
Pandemic
Extreme wealth inequality leading to mass starvation
AI driven unemployment leading to mass starvation
Massive cyber attack against infrastructure
GMO disaster
Disaster from Vaccines / Lack of Vaccination
Mad Cow disease and variants
Overpopulation
Global/national debt/insolvency
Asteroid strike
AI rebellion
Block hole created by particle accelerator
Authoritarianism
…

Why do we credit some and deny others? Is it really a matter of judicious thought?
Looking at my own reactions, I think they are largely based on a gut assessment of each possibility, rather than something that is accessible to argument.

Can anybody in the forum think of an example of when reasoned argument reversed their strongly held political opinion?

For me, my opinions may sometimes change, but it seems more like a slow drift rather being convinced by an explicit argument.

Rationality seems to be a thin facade over the actual process that drives our opinions.

Faustus • March 20, 2019 2:57 PM

@ Jesse

Don’t you realize that people are already doing a version of what you suggest? A bunch of cyber security experts are screaming that the sky is falling and many companies and individuals, aware of the results for other companies and individuals, still choose to make a fairly limited response. They ARE exactly putting their money where their mouth is.

Nobody is claiming the chance of cyber attacks is 0, therefore nobody has to expose themselves to an unlimited risk, as you suggest, to be consistent. Nor do they have to forgo all security. What they are saying is they don’t find the security argument compelling enough to make absolute security the overriding concern above all other issues, and they are, in fact, self insuring their risk along the lines you suggest.

Your version of the schoolyard “You have a different opinion than me. How dare you! If you insist on thinking differently than me than you have to allow me to kill (enter something sacred to the person who dares to have a different opinion than you) if you are wrong or you don’t get to have an opinion!” makes me sigh as well.

Sed Contra • March 20, 2019 6:32 PM

I can’t escape the feeling the article is a species of sour grapes, arising from the apparent absence of an elegent mathematical solution. Is there hope, can the heartbreak, in which I too am immersed, be ended, via SAT and SMT methods?

1&1~=Umm • March 20, 2019 6:53 PM

@Alejandro:

“From time to time there has been talk of re-inventing the WWW from scratch, with security and privacy measures baked in. For some reason nothing seems to happen from it, though.”

They tried with IPv6 but to many fingers in the pie including the security services made the ‘Sec’ standards effectively unworkable then for two reasons. (1) to much like a labyrinth for the ordinary people to get working (2) it needed higher end resources than most ordinary people had.

Whilst the resource issue is not as bad as it was, those ‘how do I go from here to there’ questions still have answers that two joke punch lines cover,

A) If I was you I’d not start from here.
B) Only if it’s a wet Sunday afternoon in Merthyr Tydfil*.

Merthyr Tydfil is a town of around 2^16 people in Wales for many years it was considered the dullest and wettest place in the UK. With the only thing to do was sit in one of the very many pubs and ‘drink to forget’. For one reason or another for a very long time the pubs were not open on sunday afternoons, thus rendering any pleasure, one you had to enjoy in the privacy of your own home otherwise net curtains would twitch. Of course if wet the children would not be making a nuisance of themselve in the street playing, nope, they’d have to ‘come in’ to their home which was often a very cramped half terrace with no space or privacy. Thus destroying any peace and quiet the adults might have enjoyed sitting there listening to the tic-toc of the clock over the fire place and having the occasional quick poke with the fire irons to keep the coal burning. Oddly perhaps it had one of the highest birth rates… I’m told that many countries have places like Merthyr Tydfil in their old coal or iron belts, where mercifully some now have tumble weed blowing through that you can watch as entertainment. They say ‘The devil makes work for idle hands’ but even he’s got real problems in Merthyr Tydfil. Rumour has it that “Male Voice Choirs” are popular, from a very early age there are mothers pushing their sons and even their husbands in… It must still be popular because the number of ads on a quick google show quite a few booking agencies. But there may also be a glut, as quite a few like ‘ACE Musical’ are not taking fees or booking charges (or so they claim)…

Sharkie • March 20, 2019 7:08 PM

Right. Ask SF Muni, Target, Maersk, FedEx, City of Atlanta, OPM, Equifax, SingHealth about their sentiment on this statement.

gordo • March 20, 2019 10:45 PM

Had The Shadow Brokers not tipped off the authorities, we’d no doubt have experienced much worse, that is, something of the magnitude of “the oft-threatened giant digital catastrophes.”

Winter • March 21, 2019 5:15 AM

@anura
”
…..

Basically, how much humans see things as a threat is relative to how much it deviates from the status quo, the innate scariness, and whether it is in the interest of current elites to do something.”

It is very rare that I come across a long comment on an internet forum that talks sense. Yours was one of those.

Any of the threats in the list can be handled by reasonable people in a straightforward way. Unreasonable people do not need a threat to destroy themselves and everybody around them. They can do that all by themselves (examples abound).

Indeed, humanity has sit through many disasters. With few exceptions, it was our own unwillingness and ineptness to change our ways and to adapt that made the disasters so bad.

Winter • March 21, 2019 10:22 AM

@Faustus
“My assessment of all these problems is that we know too little about any of them to make confident predictions. ”

We know how to solve each of them. That these solutions are not discussed in (some) media is not the problem. That there are people who do not like the solutions is a political problem that lies outside of the problem space you defined.

Anyone who has even a passing interest can fill a library on each of these problems. See, e.g., inequality. This has been discussed and researched since at least Karl Marx. Read Pickety for a recent account.

It helps when you search scholarly sources.

Anura • March 21, 2019 11:56 AM

@Faustus

Pretty much all of my areas of study are either programming, futurism, economics, or political systems, and I’ve spent the last eight years or so trying to understand why capitalism has failed to eliminate poverty, reduce working hours, or be proactive in any area of looming disaster. So if I seem especially confident, it’s just because all of these problems are related to my studies.

We know for a fact that we have the ability to take care of everyone’s basic needs in the world, but we don’t even come close, and we should be able to be much more productive if everyone was healty, given a good education and good opportunities, but we fail to do so. So the question is why? The answer must necessarily be that the people who have the power to change things have no interest in changing things. Why is it that they don’t want a healthy, well-educated world where everyone has the opportunity for any career? Because that would change the markets, and the profits depend on everything staying the same.

What I’ve learned is that our economic system is a house or cards, marked by dependencies of cash flows; workers depend on their job, jobs depend on consumption, consumption depends on income, income depends on jobs, jobs depend on the ability of the company to maintain profitability, and the profitability depends on the status quo; if cash stops flowing to a major dependency within the economy, then everything that depends on it collapses, and the entire economy collapses (this is called a recession). Either you have to make gradual changes that generally maintain the economy, or you have to make major changes that mean entire businesses start collapsing. The more centralized the economy, the more each part of the economy is interdependent and the more difficult it is to solve problems while keeping the rich rich.

The main thing to understand about overconsumption is that our consumption is irrational. Americans have poor physical and mental health, and that is because we focus on maximizing consumption instead of health. Happiness is basically a matter of health + positive experience, the latter costs virtually nothing. We fail to provide either, because the rich can only be rich if we continue to increase consumption, and people won’t do extra work to increase consumption if they are happy and healthy. We have the capacity, today, to live in a post-scarcity society – where no one can gain happiness from less work or greater consumption – but we must continue to manufacture more and more needs or the entire economy will collapse (e.g. women literally need to maintain feminine beauty standards or they get shamed by society for their appearance, so consumption personal time and beauty products becomes a need and we can always make more expensive standards).

JohnnyS • March 21, 2019 3:10 PM

@Jordan

Almost all such reports link back to the book. There are a few cute “hints” from people who clearly don’t want to really confirm the story, but that’s about all I can find.

So should this pipeline explosion claim be taken as factual truth? Probably not.

On the other hand, truth is often stranger than fiction and it makes more sense to “honor the threat” than to assume it doesn’t exist. Besides, we know Stuxnet is real, so we have other examples of vicious nation-state cyber attacks.

Chris • March 21, 2019 5:02 PM

This is a very valid and important contribution to the cybersecurity debate. It is always good to balance one’s views with an opposing one. It just helps putting things in perspective.

However, one question that needs to be asked is what the nature of cybersecurity really is in the long run. Is it similar to what we have experienced in the realm of physical security in the past or does it maybe have more in common with the situation we find ourselves in in relation to climate change?

The problem with climate change is that while a bunch of climate scientists have warned us for decades, the general public largely ignored it for most of the time since. Its effects were still theoretical and it was easy to close our eyes to the problem.

Even now, willingness to accept the gravity of the situation is developing quite slowly putting us in the tricky situation that once we change the forcings that our climate is exposed to, it will take about a generation for these measures to show any effect.

Of course, we may find that climate change does not make our planet uninhabitable. We might find that we can live with whatever situation we will get ourselves in. But, we might also find that we cannot live with the situation we have created for ourselves when we can no longer change it.

I would argue that the same applies to the future of cybersecurity. It might not be as big a deal as the technologists make it seem. But, then again, it may be…

Firefighter • March 22, 2019 8:26 AM

Claiming “we don’t need security because nothing happened” is like “let’s get rid of fire brigades because our cities did not burn to the ground in recent 20 years”.

Faustus • March 22, 2019 10:21 AM

@ Anura

I agree with much of what you say, especially that we have to be careful not to break the status quo while people are dependent on it to eat.

Looking world wide people are living longer, earning more, being better educated and being better employed. So I will assume your focus is on the U.S.

I will grant that improvement or not, some people do better than others. Hasn’t that always been the case? Why be shocked that we do as we always have done? This isn’t a scam invented by anyone alive. This is how humans have always structured themselves, maybe with rare premodern exceptions.

I think Americans are more affluent than ever, rich in technology, consumer goods and information (whatever little good the last does!). I agree with your observation that consumerism is not very satisfying, so what’s the problem if a few people have extra toys? Big billionaires tend to start companies and make donations and other socially useful things. Nobody is making us consume beyond our innate social competition and jealousy, which will follow us in any economic system.

I agree that humans are irrational, but blaming this on the rich is no more rational. We make dumb decisions and bear the costs of our decisions. I’d rather choose better than find a scapegoat

I have noticed a surplus of employment for decades: companies have much more management than they need. Automation is making employing humans even less necessary. Luckily, as you point out, they are still needed as consumers in our current model.

Can we think of a new model for our post employment future that doesn’t rely on scapegoating or other measures ultimately aiming at pushing a portion of us into the ever rising sea?

bob12 • March 22, 2019 11:23 AM

Reminds me of an article I saw published around Jan, 2001 entitled “Airport Security: Basically OK.”

quanticle • March 22, 2019 1:56 PM

I find it interesting that this paper is posted immediately after the story on the Triton malware which targets industrial safety systems. As the author of the Triton article points out, this time we got away without causing significant damage or loss of life, but every time we see one of these threats, there is a probability of a catastrophe occurring, either by malicious attack or by the negligence or incompetence of the hackers launching an attack for other reasons.

From reading the paper, it appears as if Odlyzko is fundamentally okay with a world in which there’s a “background level” of industrial and financial disasters caused by cyberattack. I’m not! Moreover, like others in this thread have stated, it’s far too early for us to say that cybersecurity is a manageable problem. We haven’t yet seen the worst-case scenario.

Faustus • March 22, 2019 5:40 PM

@ quanticle

I think looking at cyber risk as a “background level” is a great metaphor for risk in our world. People live with a background level of risk: risk of natural disaster, occupational risk, risk of eating barbecued meat, risk of smoking, risk of drinking, whatever. We generally accept a certain background level of risk, maybe even seek it out.

I think that the reason we haven’t had large scale attacks is that nobody wants to receive the large scale response that that would generate. Deterrence, just like with nukes.

How bad would the worst case cyber scenario be? As bad as an atomic bomb?

Anon • March 25, 2019 10:27 AM

Sorry but the author doesn’t seem to really understand the threat landscape today. Targeted identity theft IS prevalent, and it hits small to midsize businesses all of the time. I personally have investigated cases involving upwards of 4 million dollars being stolen, which would easily end most businesses outright.

The impact is real. The threat is there. If you are one of the very few people working in consulting that actually investigates or mitigates the threats, you know it’s happening constantly. Most businesses don’t publish that they’ve been breached, and don’t disclose how much it impacted them, because that would hurt them as well.

Guest • March 26, 2019 9:08 PM

My initial reaction to the article is “This author doesn’t really understand the limits of metaphor.”

There’s a self-help book entitled “Everything I Know I Learned From Baseball”, and you can find other sources of timeless wisdom for just about anything else (e.g. Star Wars) – people who may have substituted common sense for baseball knowledge, but it came to them in the form of what they knew best, so they assumed that no knowledge except baseball knowledge was truly necessary. Andrew Odlyzko seems to have put such knowledge on a pedastal: people who came up with solutions for cybersecurity problems have drawn parallels to physical security solutions, and attributed their success to this metaphor, therefore every problem that ever arises in cybersecurity will have a corresponding problem in physical security, and a solution can be determined likewise. He denies the existence or the relevance of domain expertise. Think of all the professors who never studied climate science but fancy themselves more insightful than trained experts; think of all the federal agents trained in physical security who don’t need to know cryptography to see that the “going dark” problem can be solved by just making the geeks “geek harder”. It’s one thing to forgo “common sense” based on overconfidence in your own field. It’s quite another to accept others’ metaphors as “good enough” that ignorance (of reality not fitting those metaphors) will suffice as an indefinite solution.

@ Faustus

Don’t you realize that people are already doing a version of what you suggest? A bunch of cyber security experts are screaming that the sky is falling and many companies and individuals, aware of the results for other companies and individuals, still choose to make a fairly limited response. They ARE exactly putting their money where their mouth is.

More accurately, they are putting my life where their mouth is.

When you describe this as them “self insuring their risk”, you deflect from the people whose lives they are endangering to the monetary loss they stand to suffer if punished for taking risks with their customers’ lives. It’s easy for them to take that risk, when they aren’t the ones who stand to lose the most from it.

1&1~=Umm • March 27, 2019 7:40 AM

@Guest @ALL:

“… therefore every problem that ever arises in cybersecurity will have a corresponding problem in physical security, and a solution can be determined likewise.”

Yes a lot of people believe that and that’s why many things can and do go wrong.

As has been mentioned on this blog a couple or three times in the past, ‘physical security’ is a proper subset of cyber or more correctly ‘information security’.

The implication of this is that ‘All physical security problems have a corresponding information security problem’, but and it’s an important but ‘Not all information security problems have a corresponding physical security problem’.

Which is why some of the slightly more adept criminals have found the move to cyber space quite rewarding and less risky. Because the can commit 1, multiple crimes they know work 2, at the same time 3, at multiple locations from 4, across jurisdictional boundries 5, without leaving unique physical trace evidence.

So the first three points make what are ‘little crimes’ profitable whilst the last two make the risk comparatively small for the over all reward.

For the Law Enforcment Authorities, ‘little crimes’ are too expensive to investigate individually, especially when you don’t have expertise in house, which even now some thirty years later investigators are by and large not receiving training on. In effect when such crimes do become not so little and they can not be ignored, they might be passed over to a small group of specialist very over worked in house investigators or very expensively out sourced. In either case with much of the evidence inadvertantly lost or damaged by those investigating before them getting an actuall prosecution is quite unlikely.

One trick investigators did try was to ‘push crimes over the bar’ that is to artificialy inflate the value of the crime over some internal value limit so it did get investigated, and one of the reasons you see crazy crazy costs involved not just with the investigation but also ‘making good’ after the event.

However this got out of hand in quite a few places and did not hide the fact such crimes are very difficult to investigate and prosecute and there are insufficient people with the required skills. Which with the resulting large numbers of information crimes part of the politicaly driven reasons why they don’t make many cyber crimes ‘reportable’ so they don’t appear in their ‘crime statistics’.

Further when you look at the very small number of cases that do make it to the prospect of prosecution, it’s because of the old traditional ‘being in possession’ or ‘failing to launder the proceeds’ or getting ‘put in the picture’ by informants or other interested parties.

That is the asspects of information crime that do map back into physical crime, and those investigative techniques that work in everyday physical crimes.

Thus the investigatory and prosecution methods used incorrectly reinforce the view that information and physical crimes are equivalent.

They are not which is why information crimes that do not produce physical world results just don’t get investigated, in part because nearly all criminal legislation requires a loss in physical world terms be it actual damage or financial.

The important point is ‘loss’ the implication is a physical object has been taken away or damaged, thus had actual value to replace or repair. Over time this got expanded to harm to individuals again by ‘loss’ that is what the harm to the individual did and what it would cost to rectify.

The problem is if you don’t take something but copy it how do you demonstrate loss. Well Queen Elisabeth the First of England has been credited with solving that issue. By starting the idea of a formal process of protecting what we now call ‘Intellectual Property’ or IP. Henry the IV issued what may have been the first ‘letter of monopoly’ to a person. But such letters were later granted more by whim than by credit. Elizabeth made the process more formal and carried out by examiners on her behalf such that she in effect only gave consent. But importantly ir introduced a more reliable way by which an inventor could protect their ideas that effected the physical world and thus possibly profit by them.

Most who read here are aware that the process was adopted over time in many other places, but that whilst the original pattent systems only covered inventions that covered the physical world others made them more encompassing thus the issues over ‘software patents’.

Other legislation thus has not caught up to the idea of the loss that can be incurred by ‘copying’.

But we need to consider carefully any such legislation patents were designed to grant a monopoly on methods of production to protect an individual. They were not ment to be used as methods of war and deterant, and producing illegal constraint on commerce which they have become in more recent times.

It would be easily possible to ‘invent crime’ where no real crime actually exists. We have actually seen this start to happen with very definite pushes for ‘prosecutorial overreach’ to try and make case law, which benifit the prosecutor and rent seekers but irreparably damage the common good.

What will happen with crimes that involve only information objects or effects on such is yet to be seen and I suspect will take a century or more to get sorted out.

Piotr • March 29, 2019 10:26 AM

Hi,
I think the Boeing case has a breakthrough potential for elevating to the mass public the meaning and what “physically capable computers” can do….

GregW • April 4, 2020 6:51 AM

For the record, a correction to my earlier remarks prompted when doublechecking sources on a more recent thread… Schweizer’s 1996 book that I referenced above includes tales of sabotage, even “problems with pipelines and turbines breaking down, fires in control facilities”, but not an explosion per se.

Schneier on Security

An Argument that Cybersecurity Is Basically Okay

Comments

Leave a comment Cancel reply