A traditional 'chewing gum and baling twine' (or, in Australia, 'sticky tape, string and a dash of prayer') approach will get us through? The provokingly contrarian 'Cybersecurity Is Not Very Important' by railway-bubble historian Andrew Odlyzko, in Ubiquity (2019), comments:
It is time to acknowledge the wisdom of the “bean counters.” For ages, multitudes of observers,
including this author, have been complaining about those disdained accountants and business
managers. They have been blamed for placing excessive emphasis on short-term budget
constraints, treating cybersecurity as unimportant, and downplaying the risks of disaster.
With the benefit of what are now several decades of experience, we have to admit those bean
counters have been right. The problems have simply not been all that serious. Further, if we
step back and take a sober look, it becomes clear those problems are still not all that serious.
All along, the constant refrain has been that we need to take security seriously, and engineer
our systems from the ground up to be truly secure. The recent program of recommended
moves [1] opens with a quote from the famous 1970 “Ware Report” that called for such steps.
This demand has been growing in stridency, and has been increasingly echoed by higher levels
of management and of political leadership. Yet in practice over the last few decades we have
seen just a gradual increase in resources devoted to cybersecurity. Action has been dominated
by minor patches. No fundamental reengineering has taken place.
This essay argues this “muddle through” approach was not as foolish as is usually claimed, and
will continue to be the way we operate. Cyberinfrastructure is becoming more important.
Hence intensifying efforts to keep it sufficiently secure to let the world function is justified. But
this process can continue to be gradual. There is no need to panic or make drastic changes, as
the threats are manageable, and not much different from those that we cope with in the
physical realm.
This essay reviews, from a very high level, the main factors that have allowed the world to
thrive in spite of the clear lack of solid cybersecurity. The main conclusion is that, through
incremental steps, we have in effect learned to adopt techniques from the physical world to
compensate for the deficiencies of cyberspace. This conclusion is diametrically opposed to the
heated rhetoric we observe in popular media and to the unanimous opinions of the technical
and professional literature. No claim is made that this process was optimal, just that it was
“good enough.” Further, if we consider the threats we face, we are likely to be able to continue operating in this way. But if we look at the situation realistically, and plan accordingly, we
might:
• enjoy greater peace of mind
• produce better resource allocations
The analysis of this essay does lead to numerous contrarian ideas. In particular, many features
of modern technologies such as “spaghetti code” or “security through obscurity,” are almost
universally denigrated, as they are substantial contributors to cyber insecurity. But while this is
true, they are also important contributors to the imperfect but adequate levels of cybersecurity
that we depend on. Although a widely cited mantra is that “complexity is the enemy of
security,” just the opposite is true in the world we live in, where perfect security is impossible.
Complexity is an essential element of the (imperfect) security we enjoy, as will be explained in
more detail later. Hence one way to improve our security is to emphasize “spaghetti code” and
“security through obscurity” explicitly, and implement them in systematic and purposeful ways.
In general, we should adopt the Dr. Strangelove approach, which is to stop worrying and learn
to love the bomb.
In other words, not just accept that our systems will be insecure. Recognize that insecurity
often arises in systematic ways, and some of those ways can be turned into defensive
mechanisms. We do have many incremental ways to compensate, and we have to learn how to
systematically deploy them, so as to live and prosper anyway. The key point is that, in
cyberspace as well as in physical space, security is not the paramount goal by itself. Some
degree of security is needed, but it is just a tool for achieving other social and economic goals.
This essay is a substantial revision and expansion of the author’s earlier piece, which was an
extended abstract of the WiSec’10 keynote, and also builds on the author’s other papers, such
as [3]. However, no originality is claimed. While this piece is likely to strike many readers as very
contrarian, many of the arguments made here can also be found elsewhere, for example in [4],
and are not inconsistent with many of the recommendations of mainstream reports [1].
Historically, for many observers a serious reassessment of the traditional search for absolute
security was provoked by Dan Geer’s 1998 post [5]. However, awareness of general risk issues,
and growing perception that they were key, can be traced much further back, to various
research efforts in the 1980s, and the founding of Peter Neumann’s RISKS Digest in 1985. No
attempt is made here to trace this evolution of attitudes toward security. That is a nice large
subject that is left for future historians to deal with. This essay considers only the current
situation and likely evolution in the near future.