Bulletin 23 March 2019. Cybersecurity vs complexity

You can’t manage the universe molecule by molecule

It’s an old adage that it’s easier to break something than to build it. Or maybe I just made that up, but it rings true (and I have many years of experience with Lego to back it up). Case in point: a cybersecurity breach.

I could cite Facebook’s recent admission (following a leak) about passwords being stored ‘in clear’, but that’s just one in a long series which serve to demonstrate that, however hard you try to get everything right, all it takes is to get one thing wrong and the house of cards comes tumbling down.

Cybersecurity has changed, over the years, but this fundamental principle has not. Once upon a time, we relied upon ‘fortress’-style approaches such as defence in depth — protect the perimeter and the insides will look after themselves — but these were plagued with insider threats and admin errors, challenges caused by configuration issues and flaky software. And, indeed, complexity: it was repeatedly proven impossible to close all the doors, lock all the windows and seal all the plumbing.

I know we relied upon such approaches, as I was repeatedly asked to give presentations about why the model no longer worked. Pictures of Jericho, of walls coming (a-)tumbling down were my go-to content asset, together with some boxes joined together with lines of course, and a curve which tails off toward the top. You had to have one of those.

Then, we arrived at the place where there are no walls, where you might as well be wandering naked in the desert for all the protection traditional system security might give you. It’s about at this point where I was asked to write a book about security architecture, which somehow needed to straddle the perimeter-based old world, and the unbounded new. It kind of succeeded, though whether it struck the right balance or just sat on the fence, I am not sure.

In this wall-less world, complexity is king: it has moved from an “entropy of the universe will get you in the end” status to becoming the norm. Back in the day, a starting point for securing everything was to know everything you had (or at least be able to wrap something around it). This is now impossible, not only because you can’t manage everything, but because everything goes all the way down.

I’m reminded of Intel’s Spectre and Meltdown issues, during which it was revealed that today’s processors have a processor within, running a customised Linux operating system: get to that and you have the keys to the kingdom. Technology really has become like Stephen Hawking’s Turtles All The Way Down anecdote, with each level of turtles being subject to the same level of vulnerability.

Which leads to a bit of a challenge as, after all, you can’t just give up. Even if it only takes a small thing to mess up everything you have done, and it is impossible to keep on top of everything you have, and even if you could, you couldn’t hold all the detail on it anyway. Some are advocating for the cybersecurity equivalent of early warning systems, which may catch when something is about to happen; this goes back to back with recovery processes (i.e. the least you can do is have a plan in place for when all goes wrong).

Others talk about security by design, which is about putting security features into stuff from the outset, rather than trying to bolt them on later. This sounds great, but (and it’s a big but) doesn’t take into account the interactions between stuff. Back in my programming days, the hardest bugs to solve were the ones that fell between two stools — an uninitialised or mistyped variable over here would cause a problem when passed over there. In today’s world, where anything could talk to anything, the potential for such weaknesses is obviously (not wanting to overstate) “quite big”.

Is there an answer? I think there is, in that one can look after one’s own sheep before worrying about the rest. I can (well, I can’t, but one can) create a loosely scoped, anything-goes technology-based innovation, or I (bear with me) can create something similar, but within which I have been very careful about all the pieces that make it up. That’s a kind of architectural approach, at least in terms of level, though ultimately it doesn’t matter about what the architecture is; what matters more is whether I (quiet at the back) am in control.

In other words, even in this astonishingly complex world, keeping it simple could be key to keeping it secure.

Smart Shift: The return of the platform

If you want a poorly thought through and trite literary reference, look no further than this chapter’s nod to (author) Thomas Hardy’s Return Of The Native. But I digress. The platform economy is as much a story of corporate power, as any altruistic tale of innovation. It was ever thus.

Thanks for reading, Jon

Originally published at Nothing To Declare.
