Perhaps it is time to admit that the ladder is on the wrong wall

"There is perhaps nothing worse than reaching the top of the ladder and discovering that you're on the wrong wall"

I’m reading Paul Vixie’s Magical Thinking in Internet Security. I 100% agree with everything Paul is pointing out. We’ve had many conversations about these challenges in the past. But I’m now at a point where I’m looking in the mirror and realizing that what we’re doing might be the wrong approach. I’m exasperated at the persistent outages around the Internet, the genuine fragility of our Digitally Interconnected Society, and what is really “under the hood” of what we build. I wonder, “Did we not figure out how to solve that resiliency architecture 20 years ago?” and why the same mistakes keep happening.

Perhaps it is time to admit that the ladder is on the wrong wall. We cannot solve a cybersecurity problem when the root cause is International Justice, and we will not have an effective International Justice system in our lifetimes.

At the same time, we need to understand that what we’re doing is NOT WORKING. I used the attached illustration at the NZ Tech National Cyber Security Summit last week. The chart combined two data points from Statista. One was the cybersecurity market growth. The cybersecurity market is healthy. There are good business opportunities. The problem emerges when we consider the cost of cybercrime to society. If what we’re doing were working, all the money we spend to protect our organizations should decrease the cost of cybercrime.

Let us face reality! We’re heading down a “cybersecurity” path that has no way to win.

Yet, this is not a new problem for human society “IF” we rethink the problem. Shift the “ladder” from “protecting things” to the wall where we are PROTECTING PEOPLE. Solve the Digital Safety Problem.

Digital Safety models the practices of civil engineering and other industries with risk, focusing on people’s safety. If we used today’s cybersecurity and “resilient systems” approach used around the Internet to build a high rise, we would end up with a totally secure door. The door would be outstanding. Inside the high rise, we would have signs on all the walls that say, “Please remember to hold up the wall” (not holding up the wall is a user error). We would have crappy material throughout the building, with no idea whether the steel beams can hold the weight or stress of the building. When there is a fault in the building, or the building collapses, everyone points fingers at each other.

Yet, considering the history of civil engineering safety, we can find the path for our increasingly interconnected Digital Society. We do not need to wait for a “digital” St. Francis Dam, Bhopal, Challenger, Quebec Bridge, Surfside condominium, Hillsborough, Puebla-Morelos, Morandi Bridge, Grenfell Tower, or many of the other life-impacting disasters that shape civil engineering safety today.

Shifting our work to “Digital Safety” includes everything we’re doing in cybersecurity, but with a focus on safety – people’s safety. We expect failures, crime, and risk. We develop engineering practices with accountability, learn from our experiences, and constantly update what we do to increase our Digital Safety actions.

What would happen if Australia changed its goal from “to make Australia the most cyber secure nation in the world by 2030” to “to make Australia the most digitally safe nation for our citizens in the world by 2030”? Perhaps Australian citizens would be happier knowing the government is trying to protect them vs protecting “assets.”

The EU’s Cybersecurity Strategy “aims to strengthen our collective cybersecurity and our response to cyberattacks.” What if the EU put the ladder on the EU Citizen’s Safety Wall? We would then have “The EU’s Cybersecurity Strategy aims to strengthen our collective Digital Safety enabling our citizens to trust and our response to cyberattacks to protect our citizens.”

The same holds for the United States. The goal is to make malicious actors incapable of mounting sustained cyber-enabled campaigns that would threaten the national security or public safety of the United States. Yes, there is a “public safety” expression, but when you look at the overall strategy, it is still about protecting things – not people. What if the US had a “goal to make malicious actors incapable of mounting sustained cyber-enabled campaigns against our citizens that would threaten the national security or public safety of the United States”?

What do you think?

Is our Cybersecurity Ladder on the wrong wall? What if we move our ladder to focus on Digital Safety that mirrors industries like Civil Engineering? What if we can learn from our architectural and engineering mistakes and then apply practices that ensure the risk of a repeat incident is statistically reduced?


Are you looking for low-cost & effective cyber security & resiliency?

Do your homework before spending $$$ on vendor solutions that try to match many of the public benefit cybersecurity tools. Reach out to a community with decades of experience that seeks to help organizations minimize their cybersecurity risk through essentials that leverage public benefit services (i.e. Shadowserver).

  • Subscribe to the Senki Community Mailing List. Stay connected to Surfing Cybersecurity practical advice and critical “do this now” operation security recommendations by email.
  • Subscribe to Senki’s YouTube Channel for videos on this and other security topics.
  • Ask questions to Barry Greene – bgreene@senki.org

The materials and guides posted here on www.senki.org are designed to help organizations leverage the talent around them to get started with their security activities. Start with the Operator’s Security Toolkit and Meaningful Security Conversations with your Vendors. Each is no-nonsense security for all Operators, with details to help them build more security-resilient networks. In the meantime, stay connected to the Senki Community to get updates on new empowerment and security insights.