The possibility of an active, malicious adversary is what distinguishes security from other computer science problems.
authorized users from acting improperly. Such technology would simultaneously prevent attacks from nonmalicious (but improperly trained) insiders, disgruntled employees, and malware that had compromised the accounts of the loyalists. The problem with this approach is that we fundamentally do not know how to address the insider threat.
˲ Given that operating systems have become too complicated to make any assurances about their correct or intended operation, many cybersecurity practitioners focus on the promise of network security as a kind of silver-bullet solution. But as Iran’s experience with the Stuxnet computer worm demonstrated, even systems that are thought to be isolated can be compromised by outside adversaries. Even if network security were perfect—and it is not—we would still need to secure the hosts.
˲ Recently, there has been an effort to frame cybersecurity as an economic problem—convincing companies to spend resources on defense and training consistent with the risk they face. This formulation assumes spending more money actually increases security, but there is no evidence to support the assumption. Indeed, one of the persistent problems with framing security as an economic problem is that there are no reliable techniques that can be used to examine a system and measure the size of its vulnerabilities and the likelihood of compromise. Such attempts to measure security inherently risk focusing attention on what can be measured, instead of what matters.
˲ Others see security as a holistic process that encompasses all elements of an organization’s IT and HR operations. Such a broad formulation seems to have some benefits—Microsoft’s Security Initiative, started in 2002, dramatically improved the security of the company’s products. But most organizations lack both the technical and financial ability to make information assurance a primary goal, and even an effort the size of Microsoft’s did not create unhackable software.