TL;DNT: Academia and industry are both failing

(Too long, did not tweet) I think this is more applicable to my personal blog on industry and academia anyway.

On the cusp of 2010, the state of information security in our society can only be described as a mess. I've come to the conclusion that my career path will now and forever be an effort to bring more science of computing to security in practice (severely lacking now), and reality of security to academia (also severely lacking now). This is at the heart of our mess, and will also be the solution to it. Few-to-no tenure-track professors at accredited universities have real-world experience.

Academic papers are written around decade-old problems, using decade-old data sets, demonstrating a decade-old mindset and ignorance of the volatility of security in practice. There are few models - even fewer that are relevant - and little agreement on terminology as fundamental as risk, threat, and vulnerability.

Industry makes risk decisions with scant or no objective data, builds models on subjective criteria, suffers from physics envy, and is often totally incapable of performing analysis that adheres to the scientific method. In some cases, industry still fails to recognize that security is risk management, as evidenced by the all-too-common requests for ROI to justify security spending. I've seen nearly every word in the English language prefixed by "cyber-" in the last 24 months, simply because it's a buzzword. It's so overused I cringe the few times I have to say it. The hype risks an overcorrection in the coming years that will back-burner the issues at hand, or water them down with gimmicks and sales pitches to the point where serious concerns in need of resolution are met with the eye-rolling more appropriately reserved for notions such as "cyber Katrina" or "cyber 9/11."

The US now has a "cyber security czar," virtually ensuring failure of public policy just as we've seen with most other "czars" (how's that war on drugs going?). Policymakers don't realize that electronic espionage is just as serious, if not more so, than traditional methods of espionage. No agreement has been reached on how conflicts (espionage and outright aggression) escalate beyond the internet into the real world, despite their having very serious real-world implications in and of themselves. We are not holding to account other countries that tacitly or explicitly permit attacks against our country's critical infrastructure, which ensures those attacks continue because they carry no risk for the parties behind them. Open dialogue is taking place, but only on the most greatly exaggerated, dated, or unlikely risks, reducing national information security strategy to the same level of effectiveness as airline security.

I normally don't like rants without solutions, so for that I apologize. Maybe I'm just in a bad mood. At the risk of reducing all these problems to one oversimplified solution, I strongly feel that bringing academia and industry closer together in how to approach information security issues is the only way to begin to fix most of these problems.


markjx said...

I was watching CSI / Bones / $GenericUSCrimeFightingShow the other day. In it, the FBI was investigating a death. The victim happened to be a CIA analyst. They made a big deal out of him being an analyst (desk jockey) and not an agent (working in the field).

It turned out that a CIA agent pulled some strings to get the murder suspect into the country. The plan was for the CIA to buy diamonds from this guy to finance his military efforts in his home country. The problem was that anyone who came close to this briefcase of diamonds ended up dead.

The dramatic scene at the end of the show (I now remember it was Bones) has the case unlocked to reveal that it contains... a USB flash drive. The comment is, "Now, information is more valuable than diamonds."

Pretty profound for Fox.

To me, this shows that we've reached an inflection point in pop culture. Fox (producer of fine shows like "Ow, My Balls!") expects its viewers to understand that information is valuable enough to kill over. Now, how do we get our Washington-based policy makers, CEOs, and military to be as smart as the people that watch "Americans Idle" and "More to Love" ("Fat Bachelor")?

Michael Cloppert said...

Good observation, Mark. I think some level of acknowledgment in pop culture (no matter how cheesy) is just the latest projection from the inflection point you mention. One of the earliest I can recall is in the mid-90s, when organizations began to value the loss of a hard drive not by the cost to replace it, but by the value of the data on the drive.

Sadly, our political system tends to fall far behind on technology - this includes all 3 branches. It has no shareholders, and the public is slow to realize how their representation in government reflects back on their lives and influences decisions of this type. Many are cynics and believe it doesn't matter. I think we've still got a way to go here...