Our digital affluence is making us insecure, writes Dan Geer, the CISO at In-Q-Tel. Like addled consumers trying to choose from among 20 different types of toothpaste in the supermarket aisle, IT is paralyzed by an overabundance of security products, unable to decide which products are worth the investment, which to keep, and which to remove.
In his book “The Paradox of Choice,” the academic psychologist Barry Schwartz famously argued that having more choice does not necessarily make individuals (or societies) happier. This is counter-intuitive. Does not “affluence,” by any definition, boil down to “more choice”? And does not more choice mean more freedom, and more freedom more welfare? At the limit, the answer is “No,” and for two main reasons:
For one, there’s paralysis. As choices increase, the effort required to choose increases and the ability to reach decisions, to actually choose, declines. For another, there’s regret. The more choices we have, the easier it becomes to regret the choices we make when they turn out to be less than perfect, as they almost certainly will. In other words, the more choices there are, the more any dissatisfaction must be your fault; you could have chosen differently, after all.
How does this all relate to cyber security? The effect of our digital “affluence” contributes directly to digital insecurity. The general purpose computer offers far too many choices in the sense of far too many interfaces, far too many configuration parameters, far too many libraries, far too many conveniences, far too much extensibility. When, in the name of security, we “lock down” an operating system, we do so precisely to counter that surfeit of choice: by removing functions not in use, we reduce the set of what might be running. The reason that the Web browser is the principal entry point for malware is the number of choices that a browser offers up to whoever is at the other end. Evolving technologies like HTML5 promise to make this significantly worse.
The peculiar physics of digital assets — if I steal your data you still have it, to take an example — mean that data owners (and auditors) can only seek infallible protection for digital assets. But when you expect perfection, it is impossible to have a pleasant surprise.
At the same time, our digital “affluence” provides us with an overabundance of security products (with knobs and dials to adjust) promising to help us achieve the perfect protection that we seek. Any one of them may indeed be narrow enough to perfectly solve some particular flaw; that’s not the point.
It is said that complexity is the chief enemy of security, and Bruce Schneier deserves credit for beating that drum so well. Modern operating systems and computer networks are chock-a-block with bloat, but they also bristle with invasive security programs vying to pre-empt each other. The resulting complexity of those interactions does not scale with the n^2 of Metcalfe’s Law (the number of potential 2-way interactions), but the 2^n of Reed’s Law (the number of potential multi-way interactions). This is the heart of complexity’s enmity against security: security’s task list is all multi-way interactions, all the time. We make it worse by adding too many security products that are mere symptomatic relief for the problem du jour.
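The Metcalfe-versus-Reed point above is easy to state and easy to underestimate, so here is a small added illustration (written for this edit, not code from Geer or from In-Q-Tel). It counts the 2-way interactions among n security products against the multi-way groups those same n products can form, and, more to the essay’s point, how many new interactions the (n+1)th product brings with it. The multi-way count uses Reed’s Law in its usual form, 2^n − n − 1 (every subset of size two or more), where the essay writes 2^n loosely; the product list is a constructed sample built from the acronyms the essay names, not an inventory of any real deployment.

```python
"""Interaction-space arithmetic for a security stack (added example).

Pairwise (Metcalfe-style) growth is n(n-1)/2; multi-way (Reed-style) growth is
2^n - n - 1.  The brute-force enumeration is included so the closed forms can be
checked against an actual list of groups for a small stack.
"""
from itertools import combinations
from math import comb


def pairwise_interactions(n):
    """Metcalfe-style count: distinct 2-way interactions among n agents."""
    return comb(n, 2)


def multiway_interactions(n):
    """Reed-style count: distinct groups of size >= 2 among n agents,
    i.e. every subset except the empty set and the n singletons."""
    return 2 ** n - n - 1


def marginal_interactions(n):
    """New interactions the (n+1)th product adds to a stack of n.

    Pairwise: it pairs with each of the n existing products.
    Multi-way: it joins every existing non-empty subset, 2^n - 1 of them.
    Returns (marginal_pairwise, marginal_multiway)."""
    return (pairwise_interactions(n + 1) - pairwise_interactions(n),
            multiway_interactions(n + 1) - multiway_interactions(n))


def enumerate_groups(products):
    """Every group of >= 2 products that could interact (brute force).

    Used only to confirm multiway_interactions() for a small stack; the
    closed form is what you would use for a real inventory."""
    groups = []
    for k in range(2, len(products) + 1):
        groups.extend(combinations(products, k))
    return groups


def interaction_table(products):
    """Rows of (n, pairwise, multiway, marginal_pairwise, marginal_multiway)
    for each stack size from 1 up to len(products)."""
    rows = []
    for n in range(1, len(products) + 1):
        mp, mm = marginal_interactions(n)
        rows.append((n, pairwise_interactions(n), multiway_interactions(n), mp, mm))
    return rows


# Constructed sample stack; the names are the product categories the essay lists.
SAMPLE_STACK = ["AV", "IDS", "IPS", "HIPS", "firewall", "DLP"]

if __name__ == "__main__":
    n = len(SAMPLE_STACK)
    # Brute force and closed form must agree before we trust the table.
    assert len(enumerate_groups(SAMPLE_STACK)) == multiway_interactions(n)
    print(f"{'n':>3} {'pairwise':>9} {'multi-way':>10} {'+1 pair':>8} {'+1 multi':>9}")
    for row in interaction_table(SAMPLE_STACK):
        print("{:>3} {:>9} {:>10} {:>8} {:>9}".format(*row))
```

The last two columns are the ones worth staring at: adding a seventh product to a six-product stack creates six new pairwise relationships but sixty-three new multi-way ones, and that marginal cost doubles with every product already deployed. That is the arithmetic behind the essay’s claim that each “symptomatic relief” product is not additive but multiplicative in the complexity it brings.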
Skeptical? Show me one CISO who can deinstall — and write off — a fully deployed enterprise security product because the marginal utility it contributes is not worth the complexity cost it engenders. Show me the full operational cost accounting for your AV + IDS + IPS + HIPS + firewall + DLP + etc., and prove to me that the net effect is even just non-negative.
We can’t prove security products work, but we can prove that complexity matters, and that we are ourselves contributing to complexity by deploying too many security products. Like addled consumers facing 225 choices of toothpaste, we’re paralyzed. Every time we buy a new security product, we regret that the ones we already have didn’t do the job, and we face the paralyzing choice of whether this new product makes it possible for us to remove one or more of the old ones. Show me the CIO who will trade up, not add on, and I’ll show you an unsung hero.
Let me be clear: by “limiting choice” I mean minimizing the number of security states our systems can assume; I do not mean limiting sysadmin choice by failing to document the stuff that really matters — an approach that Apple appears to have mastered. And I say that we need to limit choice with the utmost sadness, well aware that those of us who want and can manage a general purpose computer are not relevant in an Internet of Things. It’s a new world order in which a dwindling number of us have the ability to tinker all the way down to the iron, but also to revert to paper on a bad day. Look around. IP-enabled “stuff” — appliances, phones, cars, TVs — is already muscling out the general purpose computer. It is a fait accompli. You had better hope that what is embedded in your home automation system, your refrigerator, or your little piece of the electrical grid offers much less choice than your PC.
It is our duty as security people to make things better. As of now, we’re making them worse.
Dan Geer is currently the Chief Information Security Officer for In-Q-Tel, a not-for-profit venture capital firm that invests in technology to support the U.S. Central Intelligence Agency.