I just blogged about a new podcast by the first of my Three Wise Men, namely Marcus Ranum. My second of the Three Wise Men for today is Dan Geer. I just noticed his testimony to the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology last month has been published. This is another must-heed collection of smart ideas. Brian Krebs summarized the hearing in his story Nation's Cyber Plan Outdated, Lawmakers Told. Dr. Geer's testimony included this gem:
I urge the Congress to put explaining the past, particularly for the purpose of assigning blame, behind itself. Demanding report cards, legislating under the influence of adrenaline, imagining that cybersecurity is an end rather than merely a means — all these and more inevitably prolong a world in which we are procedurally correct but factually stupid.
Information security is perhaps the hardest technical field on the planet. Nothing is stable, surprise is constant, and all defenders work at a permanent, structural disadvantage compared to the attackers. Because the demands for expertise so outstrip the supply, the fraction of all practitioners who are charlatans is rising. Because the demands of expertise are so difficult, the training deficit is critical. We do not have the time to create, as if from scratch, all the skills required. We must steal them from other fields where parallel challenges exist.
I wonder if the fraction of all practitioners with CISSP certifications is rising too?
The opposition is professional. It is no longer joyriders or braggarts. Because of the sheer complexity of modern, distributed, interdigitated, networked computer systems, the number of hiding places for unwanted software and unwanted visitors is very large.
The complexity, for the most part, comes from competitive pressure to add feature-richness to products; there is no market-leading product where one or a small group of people knows it in its entirety, and components from any pervasive system tend to be used and re-used in ways that even their designers did not anticipate.
Were there no attackers, this would be a miracle of efficiency and goodness. But unlike any other industrial product, information systems are at risk not from accident, not from cosmic radiation, and not from clumsy operation but from sentient opponents. The risk is not, as some would blithely say, “evolving” if by evolving the speaker means to invoke the course of Nature. The risk is due to intelligent design, and there is nothing random about it.
This is why one cannot legislate "security" for computers as one could try to legislate "safety" for automobiles. If people were crushing cars with boulders off bridges, shooting out car windows with AK-47s, or running over cars with tanks, no one would be blaming car manufacturers. They would (rightly!) be blaming the threats, as we should be doing with software and digital intruders.
I could easily cite the entire published testimony. Please read it.