Why Aren't We Secure?

By: Mark Cummings, Ph.D., Bill Yeack CSE

Cybersecurity is a hot market. Ten thousand companies worldwide are selling cybersecurity products and services. Governments have agencies, special committees, and organizations dedicated to cybersecurity. And, each year, cybersecurity companies spend millions of dollars each at San Francisco’s RSA Conference to capture a small piece of this market.

Despite this, barely a week goes by without another widely publicized cyber breach. Why? One thing seems clear: What we are doing isn’t working—and doing more of it will not make things better. 

Recently, a new nonprofit has been created to address this situation. Bace Cybersecurity Institute (BCI) seeks to be the catalyst that brings the industry together to create the safe world that we all want to live in. This article explains how we got here and how, with the help of organizations like BCI, we can make things better.

How We Got Here

For the last 75 years, we have been following the same pattern in the development and deployment of information systems. When a new innovation emerges, it is quickly rushed to market. The rush is driven by financial pressures and a need to prove that people will buy the new product. New innovations face doubts because many that were technically successful died in the market. The language we use reflects these doubts: common expressions capture a perceived inability to predict adoption. One of the most telling is “Will the dogs eat the dog food?” Another is “Fail quickly.” And finally, we have, “Move quick and break things.”

In short, what happens is that we field a new system. It goes through a period of rapid adoption, reaches critical mass, and then we realize, “Oops, we have to find a way to manage this stuff.” Then, we begin to apply management Band-Aids. About the time we can see the light at the end of the management tunnel, we realize, “Oops, we have to find a way to secure this stuff.” As we start working on security, the next wave of innovation starts. 

This process results in layers of technologies and generations of systems and products that are approximately three-quarters of the way through the management cycle and halfway through the security cycle. This already-difficult landscape is compounded by competitive pressures, including attempts to create vendor proprietary lock-in, attempts to control the market by standards manipulation, geopolitical forces, and so on. As a result, our information ecosystem is built of collections of these technology layers, generations and products. These interact with each other, creating compounding security vulnerabilities.

An example of this kind of interaction was the recent breach of a cellular network OSS (Operations Support System) and BSS (Business Support System) through a previously unexploited vulnerability in SS7 (Signaling System 7), an electronic switching protocol. SS7 was developed in 1975—before the Internet, the PC, the smartphone, the web, the Internet-connected baby monitor, the smart home, and so on. Yet there it is in the bowels of today’s cellular infrastructure. Remember the story of the little Dutch boy who stuck his finger in the hole in the dike? The only difference here is that there are too many holes and not enough fingers.

What Needs to Change?

Clearly, the present approach has problems. Will the forces driving this two-thirds manageable, halfway secure ecosystem change?

Unfortunately, no. Deploy/Oops, Management/Oops, Security/Oops is baked in. First and maybe foremost, it is a result of basic human nature, and changing human nature is not an uphill climb; it is akin to climbing a sheer wall. Then, there is our financial system with its fundamental need to limit upfront investment until market adoption is proven. Add to this mix competitive and geopolitical forces. Finally, the frosting on this cake is the accelerating rate of change.

And there is no sign that things will slow down. When the early work on 3G prototypes was underway, it was surprising to run into someone who said that they were working on “beyond 3G.” Now, it is not surprising to hear people working on 6G long before 5G even starts deployment. Technological change is coming at us so fast that we almost don’t see it anymore. It takes something special to catch our attention, like the threat of social media being weaponized, the fear of autonomous vehicles being weaponized, or in-chip security vulnerabilities.
