My reaction to a piece by George Hulme at Information Week’s security blog titled: National Cyber Security: Are we focused on the right stuff?
Clips from George’s post:
“Sensitive information is stolen daily from both government and private sector networks, undermining confidence in our information systems, and in the very information these systems were intended to convey,” said Blair in prepared remarks outlining the U.S. intelligence community’s annual assessment of threats.
“It’s a systemic problem throughout the software industry. Pick a major software maker – any one – and you are going to find security flaws a Navy armada could pass through.”
“As it stands now, it’s the software companies’ customers that pay the tax in the form of unending patch updates and attacks on their systems.”
“And it’s time to put more ideas on the table. And we should be open to consider anything, as the status quo of software quality can’t stand as it is.”
My response and comment:
I’d like to offer a very important point that most are missing in this and other similar issues.
You correctly describe the problem as systemic, which is a term we’ve been using for well over a decade to describe a myriad of problems, including security in computer networks.
If the problem is truly systemic, and I think it is, then it can only be addressed successfully with a systemic cure. Central to this challenge is the anonymity of the Internet, which identifies computers, networks, and web sites, but not the humans who abuse them.
Despite populism, comfort zones, and conflicting business models, human identity is a cornerstone of the Internet that was never built into the system design, and so ever since, all manner of temporary braces have been employed to shore up the fragile architecture.
Unfortunately, I think part of the cause was the culture the technology emerged from, which then created a large industry of maintenance and security firms; what we really need is a stronger architectural design from the ground up.