Our digital affluence is making us insecure, writes Dan Geer, the CISO
at In-Q-Tel. Like addled consumers trying to choose from among 20
different types of toothpaste in the supermarket aisle, IT is paralyzed
by an overabundance of security products, unable to decide which
products are worth the investment, which to keep, and which to remove.

Dan Geer

In his book “The Paradox of Choice,” the academic psychologist Barry Schwartz famously argued that having more choice does not necessarily make individuals (or societies) happier. This is counter-intuitive. Does not “affluence,” by any definition, boil down to “more choice?” And does not more choice mean more freedom, and more freedom more welfare? At the limit, the answer is “No,” and for two main reasons.

For one, there’s paralysis. As choices increase, the effort required to choose increases and the ability to reach decisions, to actually choose, declines. For another, there’s regret. The more choices we have, the easier it becomes to regret the choices we make when they turn out to be less than perfect, as they almost certainly will. In other words, the more choices there are, the more any dissatisfaction must be your own fault; you could have chosen differently, after all.

How does this all relate to cybersecurity?

Our digital “affluence” contributes directly to digital insecurity. The general purpose computer offers far too many choices in the sense of far too many interfaces, far too many configuration parameters, far too many libraries, far too many conveniences, far too much extensibility. When, in the name of security, we “lock down” an operating system, we do so precisely to counter that surfeit of choice: we remove functions not in use and reduce the set of things that might be running. The reason the Web browser is the principal entry point for malware is the number of choices a browser offers to whoever is at the other end. Evolving technologies like HTML5 promise to make this significantly worse (http://threatpost.com/security-concern-html5-gains-traction-091610/).

The peculiar physics of digital assets — if I steal your data, you still have it, to take one example — mean that data owners (and auditors) can only seek infallible protection for digital assets. But when you expect perfection, it is impossible to have a pleasant surprise. At the same time, our digital “affluence” provides us with an overabundance of security products (with knobs and dials to adjust) promising to help us achieve the perfect protection we seek. Any one of them may indeed be narrow enough to perfectly solve some particular flaw; that’s not the point.

It is said that complexity is the chief enemy of security, and Bruce Schneier deserves credit for beating that drum so well. Modern operating systems and computer networks are chock-a-block with bloat, but they also bristle with invasive security programs vying to pre-empt all comers, including each other. The resulting complexity of those interactions does not scale with the n^2 of Metcalfe’s Law (the number of potential two-way interactions) but with the 2^n of Reed’s Law (the number of potential multi-way interactions, which doubles with every component added). This is the heart of complexity’s enmity against security: security’s task list is all multi-way interactions, all the time. We make it worse by adding too many security products that are mere symptomatic relief for the problem du jour.

Skeptical? Show me one CISO who can deinstall (and write off) a fully deployed enterprise security product because the marginal utility it contributes is not worth the complexity cost it engenders. Show me the full operational cost accounting for your AV + IDS + IPS + HIPS + firewall + DLP + etc., and prove to me that the net effect is even just non-negative.

We can’t prove security products work, but we can prove that complexity matters, and that we are ourselves contributing to complexity by deploying too many security products. Like addled consumers facing 225 choices of toothpaste, we’re paralyzed. Every time we buy a new security product, we regret that the ones we already have didn’t do the job, and we face the paralyzing choice of whether the new product makes it possible to remove one or more of the old ones. Show me the CIO who will trade up, not add on, and I’ll show you an unsung hero.

Let me be clear: by “limiting choice” I mean minimizing the number of security states our systems can assume; I do not mean limiting sysadmin choice by failing to document the stuff that really matters, an approach that Apple appears to have mastered. And I write “limiting choice” with the utmost sadness, well aware that those of us who want, and can manage, a general purpose computer are not relevant in an Internet of Things, a new world order in which a dwindling number of us are prepared to revert to paper on a bad day yet still have the ability to tinker all the way down to the iron.

Look around. IP-enabled “stuff” (appliances, phones, cars, TVs) is already muscling out the general purpose computer. It is a fait accompli. You had better hope that what is embedded in your home automation system, your refrigerator, or your little piece of the electrical grid offers much less choice than your PC.

It is our duty as security people to make things better. As of now, we’re making them worse.


Dan Geer is currently the Chief Information Security Officer for In-Q-Tel, a not-for-profit venture capital firm that invests in technology to support the U.S. Central Intelligence Agency. 


Comments (3)

  1. Forest Mars

    This is roughly one of the points Zittrain makes so well in The Future of the Internet (and How to Stop It). To oversimplify a bit, generativeness and security are inversely related in a number of important ways.

    While I can’t say I agree with *all* the rhetoric expressed in this article, nor its subjective pronouncements (when exactly is an abundance of choice “too much choice”?), I think the author is on the right track here, minus some premature generalisations, and his main point remains: the overabundance of alternatives in IT security can be daunting.

    If he were to take a deeper look at the cyclical nature of generative and specialised systems as part of the larger progression of innovation and reaction, I am confident he will be able to make more cogent recommendations to security professionals as to how to deal with the increasingly maddening surfeit of options which, while being an effect of the generative systems that engender innovation, is really just the same information overload that Toffler described 30 years ago as Future Shock.

    Alas, I don’t really have a problem with my refrigerator offering me too many selections, just as long as the kids don’t stand there holding the door open.

  2. 3 yr warranty

    As the new wireless cruft takes over, less and less low-level hardware will exist to maintain the roots of where this all comes from in the first place. Every time I image a CF disk, I remind myself this replaces the floppy, the CD, the DVD, the hard drive. Does anyone remember feeding 30-40+ floppies into a drive to load Novell NetWare?

    What if the internet went down? Could you still roll out your pre-2000 BBS? Are all those old discs still readable? Do you still remember how to compile a nodelist? Can you protect a DOS network? Still got DSZ? dsz port 1 speed 57600 d t

    What if a solar flare hit us and destroyed the remaining low-level devices? Cars wouldn’t work, computers wouldn’t boot, stores couldn’t sell anything.

    Not to mention, every time you go to replace that workstation which burned up, while there may be something new, it doesn’t have the same capability, for example no serial ports. Are you kidding me, no serial port? Sure you can put a card in and add it, that is, if your super green motherboard even has a slot available!

    I think a lot of this started when we started going with surface mount. It was the beginning of throw-away electronics; no longer can kids whip out the soldering gun and fix a CB radio, there’s nothing to FIX inside anymore! Which is a dual-edged sword, since now the kids have less to learn at the low level.

    I think digital affluence is making products which are unreliable and unusable at the expense of making a profit. However, I don’t think such products should be outlawed or anything; I think we need to step back and look at the big picture. Sadly, when all you care about is profit, this is what you end up with: crap products and uneducated users.

  3. Anonymous

    Forest Mars is a pompous self-appointed intellectual craving approval, who misses the main points of Dan’s article. And wow, is that second-to-last paragraph a new world record for longest run-on sentence? Clearly a second-grader attempting to sound important at a college lecture, without being invited to attend, no less.

    3 Yr Warranty… what can be said, really? Prozac perhaps?
