tors dominate the variety of risks we
face today. Shortened development cycles and increased competition mean
much of the software and configurations that are deployed have not been
adequately validated. It frequently
feels like many organizations are implicitly relying on hackers for their security testing.
At the same time, obsolete, bug-rid-den vulnerable systems never seem to
get retired. In February 2012 approximately 30% of the computers on the Internet were still running Windows XP
(down from 31% the previous month),
according to W3Schools.
4 Yes, Windows 7 has vulnerabilities, but Windows XP is dramatically less secure: it
should be banned from today’s cyber
infrastructure.
Other factors increasing the cybersecurity risk include our difficulty
attracting and retaining enough software engineers, and the failure of our
schools to promote technology education from an early age.
It is important to realize that cybersecurity, despite its importance, represents only a tiny part of computer
science research as a whole. Security
professionals rightfully point out that
a single flaw in practically any program can result in a devastating security compromise. This is troubling,
because most computer professionals
receive little if any training in security,
most CS professors and software engineers try to ignore it, and there are few
security specialists. This argues for better training and the creation of a licensing or certification process.
Some people blame pay scales.
While science and engineering jobs
pay better than average jobs in the
While we depend
on our computers,
we seem incapable
of making or
operating them in a
trustworthy manner.
U.S., they do not pay better than careers in medicine, law, and business,
says Lindsay Lowell, director of policy
studies at Georgetown University’s
Institute for the Study of International Migration. Testifying in 2011
before the House Subcommittee on
Immigration Policy and Enforcement, Lowell said it is the lower salary
paid to science and technology professionals that is responsible for the
large number of non-U.S. students
enrolled in U.S. graduate science and
engineering programs.
6
For generations educators have recognized that one of the primary purposes of schooling is to teach students
how to write. As a result today’s high
school graduates have had at least 10
year’s worth of writing instruction
(and many say their writing still leaves
much to be desired).
The situation is worse when it
comes to technology education. Think
what you want about so-called “digital
natives,” but experience with Facebook and video games does not translate into algorithmic thinking. Computers are part of early education in
many communities, but the courses
invariably teach how to be users, and
not how to understand the underlying
technology. Most college graduates
have essentially no ability to perform
even simple office automation tasks,
and the typical CS graduate has less
than six years’ experience writing software. A real risk of our current educational system is that most graduates
simply lack the experience to write
security-critical software because they
did not start programming in middle
school.
We may be increasingly an infor-
mation society, but most companies
see information technology, and es-
pecially information security, as a cost
or a product rather than as an enabling
technology. Organizations balance
their security against other compet-
ing requirements. A 2011 Bloomberg
Government Survey of 172 Fortune
500 companies found they were col-
lectively spending $5.3 billion per year
on cybersecurity and stopping just
69% of all attacks. The organizations
told Bloomberg they could increase
the effectiveness of their defenses
over the next 12 to 18 months such
that they could stop 84% of cyber at-
tacks; to do so they would need to in-
crease their annual spending to $10.2
billion. Stopping 95% of cyber attacks,
which Bloomberg claimed would be
the “highest attainable level” of secu-
rity, would increase spending to $46.6
billion per year.
2
Live with Cyberinsecurity
There is no obvious solution to the
problem of cybersecurity. While we
depend on our computers, we seem
incapable of making or operating
them in a trustworthy manner. Much
is known about how to build secure
systems, but few of the people building and deploying systems today are
versed in the literature or the techniques. We should be designing society so that we can survive the failure
of our machines, but it is more cost-effective to create systems without redundancy or resiliency.
Reducing our cyber risk requires
progress on both technical and political fronts. But despite the newfound attention that cybersecurity increasingly
commands, our systems seem to be
growing more vulnerable every year.
References
1. C compilers may silently discard some wraparound
checks. us-Cert Vulnerability note Vu#162289, april
4, 2008.
2. domenici, H. and bari, a. the Price of Cybersecurity:
big Investments, small Improvements. a. Holmes,
ed., bloomberg Government survey (Jan. 31, 2012).
3. landwehr, C. a national goal for cyberspace: Create
an open, accountable Internet. IEEE Security and
Privacy 7, 3 (May 2009).
4. os Platform statistics, w3schools.com; http://www.
w3schools.com/browsers/browsers_os.asp.
5. roemer, r. buchanan, e., shacham, H., and savage, s.
return-oriented programming: systems, languages,
and applications. ACM Trans. Info. Syst. Secur. 5, 1,
article 2 (Mar. 2012).
6. “steM” the tide: should america try to Prevent
and exodus of Foreign Graduates of u.s. universities
with advanced science degrees. Hearing before
the subcommittee on Immigration Policy and
enforcement of the Committee on the Judiciary of
House of representatives (oct. 5, 2011), 112–164.
Simson L. Garfinkel ( slgarfin@nps.edu) is an associate
professor at the u.s. naval Postgraduate school in
Monterey, Ca.
Copyright held by author.