Maybe security isn't going to get better after all

Is that light at the end of the tunnel? Or is a train coming?

One billion-plus accounts stolen in one online heist. The U.S. presidential election messed with by another country. Corporate secrets stolen and released on the internet on a regular basis. More and more data held hostage by ransomware. Stock markets routinely manipulated by hackers. Denial-of-service attacks whacking websites all over the place.

Will computer security ever get better? Or is this the way things are and we simply have to live with it?

For a long time I’ve speculated that it would take a tipping-point event for the world to stop treating the horrible current state of security as business as usual. It would take a major shutdown of most of the internet or the major stock exchanges for a day or longer. Nothing else would be shocking enough. Everything else is business as usual.

But maybe a global catastrophic event would not be enough. Maybe what we have now is what we have for the foreseeable future. I’ve long worried that this might be the case, but I haven’t wanted to admit it as a realistic possibility.

The past is prologue

People and things change, but not so much. The best indicator of future behavior is past behavior. Most real change is slow and nonlinear, and it happens unexpectedly. I’ve been expecting computer security to get significantly better for three decades now. It’s only gotten worse. Sure, we’ve made progress in a few places, and we’re even arresting more big hackers. But for the most part the overall risk of something malicious happening is the same or higher than before.

Nobody has a plan

The biggest evidence that we aren’t going to have a significantly more secure internet soon is that exactly zero big initiatives are moving forward that could help. It seems the era of doing big things to the internet’s underlying infrastructure is dead. We are still relying on insecure protocols (Border Gateway Protocol, DNS, UDP) for most of the behind-the-scenes plumbing. More secure versions have been tried for decades and still the internet resists. Things that could make the internet significantly safer aren’t going to be a reality anytime soon.

Acceptable risk

As bad as the risk is—essentially, kids and professional hackers can shut down big parts of the internet or steal anything they want at will—the world has responded through its inaction. This risk is acceptable compared to the cost of better securing the internet.

This reminds me of a story Bruce Schneier wrote a while back. He said computer security professionals are mistaken if they think users don’t understand the risk of poor passwords. We professionals confuse the risk incurred by poor passwords (such as exposing a company’s most cherished intellectual property) with the risk to the user who chooses poor passwords (basically, none).

Whose fault is it anyway?

Do any of us know of a single person who was punished, much less fired, for using poor passwords? I don’t. I’m sure it happens. I’m sure someone used a “123456” password that led to malicious hacking and was held accountable for that stupidity. I mean, companies lose hundreds of millions of dollars due to internet theft every year. Occasionally, someone must get punished for it besides the odd CIO.

On the other hand, maybe it’s like the U.S. financial system, where blatant fraud and untenable risk decisions led to more than $1 trillion in capital going up in smoke, without a single person being successfully prosecuted (except for this guy).

Even after the huge financial crisis, from which the world is still recovering, relatively weak regulations were put in place to stop it from happening again. In the United States, those regulations (Dodd-Frank) are likely to be undone by the next Congress. This shouldn’t surprise anyone: No one in government was fired for undermining regulations prior to the meltdown, which made the whole mess almost inevitable.

The point is that the huge theoretical risk of bad internet security is acceptable to almost everyone … until it’s not. Even if the worst happens, it’s unlikely anyone will actually get in trouble, much less fired. If you think of risk management that way—the real way every human being measures it—then what we have is good enough.

I don’t like this idea at all. But I need to stop living in a dream world where everyone suddenly realizes how bad internet security is and actually demands something better. The fact is, we could make the internet significantly more secure today for relatively low cost and most users would support it. But lack of accountability means it’s not going to happen.

Copyright © 2016 IDG Communications, Inc.
