The
Problem with Our Security Models
“You can haz better security, you can haz worse security. But
you cannot haz “security”. There is no security, Deal [with it].” — Richard
Steven Hack
I thought I would start with this quote from Rich Hack, it does
describe the issue in a nutshell. The reason for this article is a post from
Bruce Schneier where he states: “Our security models will never work — no
matter what we do”.
I’m quoting his first few paragraphs here: “A core, not side,
effect of technology is its ability to magnify power and multiply force — for
both attackers and defenders. One side creates ceramic handguns, laser-guided
missiles, and new-identity theft techniques, while the other side creates
anti-missile defense systems, fingerprint databases, and automatic facial
recognition systems."
“The problem is that it’s not balanced: Attackers generally
benefit from new security technologies before defenders do. They have a
first-mover advantage. They’re more nimble and adaptable than defensive
institutions like police forces. They’re not limited by bureaucracy, laws, or
ethics. They can evolve faster. And entropy is on their side — it’s easier to
destroy something than it is to prevent, defend against, or recover from that
destruction."
“For the most part, though, society still wins. The bad guys
simply can’t do enough damage to destroy the underlying social system. The
question for us is: can society still maintain security as technology becomes
more advanced? I don’t think it can.”
Of course he refers to the ultimate example of a terrorist with
a nuclear bomb that everyone is terrified of, but even that is something
survivable for a society. Japan resurfaced from two detonations in a relatively
short time. Of course he is right in the sense that an attacker only needs to
succeed once, and the defender needs to succeed 100% of the time. That is why
we need to design with failure in mind, and fail with the least amount of
(collateral) damage.
Schneier notes that traditional security largely works “after
the fact”, and that is where some of the problems lie. On planet earth, we tend
to invent weapons but neglect to invent the protection against that weapon at
the same time. The Manhattan project developed the atom bomb and completely
neglected to also develop at the same time a force field that would stop an
atomic blast. Wouldn’t having both technologies been a much more powerful
solution?
He continues: “Because sooner or later, the technology will
exist for a hobbyist to explode a nuclear weapon, print a lethal virus from a
bio-printer, or turn our electronic infrastructure into a vehicle for
large-scale murder. We’ll have the technology eventually to annihilate
ourselves in great numbers, and sometime after, that technology will become
cheap enough to be easy.” He then states: “If security won’t work in the end,
what is the solution? Resilience — building systems able to survive unexpected
and devastating attacks — is the best answer we have right now.”
At this point I’d have to say his answer is incomplete. Schneier
takes for granted that human nature cannot be changed, and that someone will
inevitably get the tools in hand to create major damage. That event could be
prevented by a change in mankind’s worldwide respect for the United Nations’
Human Rights, a change in all world government’s priorities regarding
education, and the realization that planet earth is on a downward spiral until
we wake up and -do- something about it.
Security
Defined
Did you know that the root of the word 'security' comes from the
Latin 'securus'; SE + cura meaning "to care" so feeling no care;
safe, certain. The thought also comes to mind that there might be a
diametrically opposed way to look at this, as in; "security is something
that results when you -do- care."
Sun
Tzu Quotes Of The Month
"Agents are a
ruler's treasure. They are called the hidden network of mastery over the
enemy." - Sun Tzu"Victory is achieved by means of predicting and then handling that which is predicted" - Sun Tzu
