DOI: 10.1145/1516046.1516056
Asking the wrong questions when building and deploying systems results in systems that cannot be sufficiently protected against the threats they face.
For over 50 years we have been trying to build computing systems that are trustworthy. The efforts are most notable by the lack of enduring success—and by the oftentimes spectacular security and privacy failures along the way. With each passing year (and each new threat and breach) we seem to be further away from our goals.
Consider what is present in too many organizations. Operating systems with weak controls and flaws have been widely adopted because of cost and convenience. Thus, firewalls have been deployed to put up another layer of defense against the most obvious problems. Firewalls are often configured laxly, so complex intrusion and anomaly detection tools are deployed to discover when the firewalls are penetrated. These are also imperfect, especially when insider threats are considered, so we deploy data loss detection and prevention tools. We also employ virtual machine environments intended to erect barriers against buggy implementations. These are all combined with malware detection and patch management, yet still attacks succeed. Each time we apply a new layer, new attacks appear to defeat it.
I conjecture that one reason for these repeated failures is that we may be trying to answer the wrong questions. Asking how to make system “XYZ” secure against all threats is, at its core, a nonsensical question. Almost every environment and its threats are different. A system controlling a communications satellite is different from one in a bank, which in turn is different from one in an elementary school computer lab, which is different from one used to control military weapons. There are some issues in common, certainly, but the overall design and deployment should reflect the differences.
The availability and familiarity of a few common artifacts has led us to deploy them (or variants) everywhere, even to unsuitable environments. By analogy, what if everything in society was constructed of bricks because they are cheap, common, and easy to use? Imagine not only homes built of bricks, but everything else from the space shuttle to submarines to medical equipment. Thankfully, other fields have better sense and choose appropriate tools for important tasks.
A time-honored way of reinforcing a point is by means of a story told as a parable, a fairy tale, or as a joke. One classic example I tell my students:
Two buddies leaving a tavern find a distressed and somewhat inebriated man on his hands and knees in the parking lot, apparently searching for something. They ask him what he has lost, and he replies that he has dropped his