Cyber Security and Physical Security Are Very Different

If you asked a dentist whether he has a duty to protect his office from a North Korean terrorist attack, you would immediately be hooted out of the office for being insane. After all, a dentist’s job is to protect patients’ teeth, not patients from foreign adversaries. The latter responsibility is for the U.S. military.

Yet with the advent of the Internet, every device connected to the Internet today is vulnerable to a North Korean cyber attack. Just like how it’s completely unreasonable to expect a dentist to protect his office from terrorists, it’s also unreasonable to expect a dentist to protect his computers from foreign hackers. But based on how computers are designed and distributed today, it is difficult for the U.S. military to protect every dentist’s computer from foreign hackers.

Every PC and Mac sold to consumers, including dentists, comes with root privileges to the computer. For a computer scientist, this is necessary — developers need root privileges in order to build applications. But giving the average non-technical user the privilege to execute any system call or access any file is giving them too much power. Most people will never need to have such privileged access to their computer, leaving room for hackers to infiltrate a computer and use the root privileges to execute malicious code.

This means that not only does a dentist have to be an expert at teeth, but he also has to be an expert at computer security. Putting such responsibility on dentists is a terrible threat model. This is exemplified by the fact that two-thirds of all data breaches in California come from SMBs (small-to-medium size businesses). Unlike how the U.S. military can easily protect every dentist office from foreign attackers, now every dentist office is vulnerable to foreign hackers.

What if, instead, every dentist owned devices connected to the Internet but couldn’t execute programs locally with root privileges? Chomebooks, which connect to the cloud to store files and run applications, are examples of such devices. Chromebooks give dentists the same functionality as ordinary PCs and Macs to manage medical records and medical IT systems but without the security risk of being able to execute any system call locally on the computer.

An additional benefit of all dentists using Chromebooks is that it becomes more difficult for an attacker to move laterally across an infiltrated network. If, for example, a dentist loses his Chromebook, then the system admin can immediately revoke all access from that Chromebook to the medical IT system in the cloud and thus isolate the attacker.

One possible critique is that the cloud becomes a honeypot for hackers. If everyone’s files are centralized in one place, then the potential reward for hackers becomes much greater. However, cloud storage and computing companies such as Google, Amazon, and Microsoft have dedicated armies of thousands of security engineers just to protect every dentist’s files from North Korean hackers. [1] In fact, Google has not encountered a major data breach since the 2010 Dalai Lama email hack. Rather than making every dentist responsible for his computer security, every dentist should outsource such responsibility to those who are the experts.

Likewise, the private sector would play a much greater role in national security. Just like how the U.S. military protects citizens from physical attacks by foreign adversaries, major tech companies would protect citizens from cyber attacks by foreign adversaries. Since responsibility for cyber defense is now shifted from the government to the private sector, it becomes more imperative than ever that we develop good policy and public-private partnerships such that best practices in security are shared between the government and the private sector.

Thanks to Dan Boneh, Riana Pfefferkorn, and Andy Grotto for ideas that led to this article.


[1] An even more secure approach is to decentralize file storage using IPFS and applications using Ethereum.