“We could have done more, and most of what we did was in response to issues as opposed to in anticipation of issues.”
– Steve Crocker, Chairman of ICANN
Thus ends the first of a multi-part series by Washington Post that will explore the historical factors that have left us with an insecure internet. The message seems clear: we have built a house upon the sand, and may never recover any semblance of solid footing.
In essence, the author explains that data encryption in early days was a heavy load for computers to carry, and so the architects of the internet opted to add it in later if (or when) it became necessary. As Steve Crocker laments in the quote above, many now wish that they would have made a different decision. And others argue that it was the only decision possible at the time.
We hear the position that such explosive adoption of the internet could never have occurred had it been throttled at each point by (then slow) encryption technologies. We also hear the argument that researchers 30 or 40 years ago could never have predicted the security maladies we face today – particularly when those maladies afflict a population that is – still – woefully unprepared to think about security.
I’d like to introduce a metaphor of a train on a crowded platform, packing as many passengers aboard as it begins to chug away. This train represents every new technology, every startup that forms around that tech, and every product those startups push out. Competition will always demand that the technology become a “minimum viable product” or nothing at all, and that the startup who can create that product most quickly will be successful. Time is of the essence and the first passengers on board are those who can make the train “go”! And so the train is continuously and forever racing away from the platform with only the “most critical” people on board.
Economics are no different today than they were 30 (or 300) years ago – save for the speed at which things operate and the depth of our understanding. When the cornerstones and foundation of the internet were laid, they were placed in a hurry. The tech was new, people needed the things it could do, and competitors were lurking. Things are no different today – except that the pace at which tech must be developed and adopted continues to accelerate. The implication is subtle, but frustrating: security always seems to be the last guy on the train as it speeds away from the platform.
So today, as our train races away, we have the opportunity to make a different decision. As we rapidly build new things that are destined to leave our sphere of influence almost instantly, we can put security on the train first. We can build things so they are fundamentally secure; so that future generations can build on top of them with confidence, as we would have if our forebears had built with encryption.
This is far more than just a technology issue, although technology is critical. As technology seeps deeper into the fabric of our daily lives, security is relevant to all things and all people. Public awareness has come a long way since the Target breach of December 2013 (and all those that followed), but knowledge is lacking and urgency has suffered as a result. The sentiment seems to be, if we don’t know what to do about it, then why should we spend a lot of time worrying?
Our collective challenge is to convince our employees, friends, neighbors and fellow citizens that we do know what to do, and that we need their help. We need broad, high-level awareness of security practices in order to ensure that our weak links continue to become stronger. We need to build these practices into our startups, our education programs, our infrastructure, and the insurance policies that protect it all.
When the security officer is the first person on the proverbial train, then the train will be more secure as the rest of the passengers board, and those passengers will be more aware of security. When this becomes a standard practice, we might begin shipping products and institutions to the future that can stand the test of time. If this happens we will have learned from the lessons of Steve Crocker, and denied the certain doom that awaits digital technology if we don’t.