2006 was dubbed the "Year of Cyber Crime".
2007 was dubbed the "Year of Cyber Espionage" by the Wall Street Journal.
And what of 2008?
Forgive the imposition, but I am deeming 2008 "The Year of Crash Test Dummies."
I know it doesn't quite roll off the tongue like the other titles, but it is more than suitable.
2008 was the year when, despite all our efforts in cyber security, our chickens came home to roost.
The ScanSafe 2008 Annual Global Threat Report has all the gory details. But one observation sticks out:
“Indeed, as a result of the continuing mass compromise of legitimate Web sites observed throughout 2008, the standard 'safe surfing' advice of avoiding unknown or non-trusted Web sites no longer applies. Today, it is the known trusted site that should be viewed as posing the greatest risk to Web surfers.”
This observation is backed by Alex Stamos, a partner at ISEC Partners, who stated at the Web 2.0 conference:
"The Internet cannot be safely used by normal people," [Alex] said. "Most people are not prepared to make the technical decisions necessary to safely use the Internet." ...
After decades of computer security work...things are worse than they were. Finding bugs and publicizing them is not making people safer. At the same time, security researchers who try to help the community by developing a free static code analyzer for open source code are not rewarded. And every solution gets turned into an overpriced, marketing-driven $500,000 product.
Our approach to cyber security has failed because it is fundamentally based on a mistaken etiology:
Software was assumed to be inherently safe. As such, software buyers and computer system owners - "the nuts behind the keyboard" - were considered to be the source of many of cyber security's tribulations. Software buyers, then, were compelled to buy firewalls and anti-virus, to patch and configure their systems, and, dammit, to stop habitually clicking on hyperlinks! In fact, software is not inherently safe, and no amount of user education or corrective action can counteract its effect.
When "normal people" cannot use something safely, they are not the problem. Consumers do not make things safe. Manufacturers do. Epidemiologists know this. Cyber security apparently does not.
We have focused on "the nut behind the keyboard" but failed to supply consumers with software products that can withstand foreseeable malicious activities without a ridiculous amount of add-on defenses. We have blamed and castigated consumers for increasing insecurity, when the only products they can buy are insecure. At base, software companies have failed to design, and failed to implement, crashworthy software.
As a consequence, consumers are simply crash test dummies...and 2008 is their year.