Cybersecurity Is a Social, Policy, and Wicked Problem
Cybersecurity is a social and policy problem, not a scientific or technical problem. Cybersecurity is also a wicked problem. In a landmark 1973 article, Dilemmas in a General Theory of Planning, urban planners Horst W. J. Rittel and Melvin M. Webber described wicked problems in these terms:
“The search for scientific bases for confronting problems of social policy is bound to fail, because of the nature of these problems. They are ‘wicked’ problems, whereas science has developed to deal with ‘tame’ problems. Policy problems cannot be definitively described. Moreover, in a pluralistic society there is nothing like the undisputable public good; there is no objective definition of equity; policies that respond to social problems cannot be meaningfully correct or false; and it makes no sense to talk about ‘optimal solutions’ to social problems unless severe qualifications are imposed first. Even worse, there are no ‘solutions’ in the sense of definitive and objective answers.”
Other wicked problems include climate change, smuggling, and nuclear weaponry.
There is no “perfect new normal” because there is no “solution” for cybersecurity.
To quote Marcus Ranum from the September 2007 issue of Information Security Magazine: “Will the future be more secure? It'll be just as insecure as it possibly can, while still continuing to function. Just like it is today.”
A report by the Australian government titled Tackling Wicked Problems: A Public Policy Perspective suggests that there are three strategies for mitigating wicked problems: authoritative, competitive, and collaborative. Similarly, cybersecurity will likely require some combination of all three.
In summary, my modest new normal is this: anyone commenting on cybersecurity will recognize that it is a wicked problem that cannot be “solved,” but it may be mitigated, over decades, using expertise and approaches from multiple disciplines, least among them technical acumen.
If pressed to provide a technical element of the new normal, I offer “building visibility in” as one tenet. Asset owners need to understand how their digital resources are used and abused, and anyone providing computing resources should include the logging and access needed to do so.
* I found this note dated 1 June 2020 on my hard drive and decided to publish it today.