Do Your Job, or the World Will End in Flames
Ironically, just a week after posting my last blog (The Sky is Falling: Maintaining Optimism in the Face of Doomsayers) there was a long form article positing the opposite standpoint on Ars Technica. The article in question is called “Cybergeddon: Why the Internet could be the next ‘failed state,’” and it discusses at length the report released by Jason Healey, director of the Cyber Statecraft Initiative at the Atlantic Council of the United States. Healey’s report details the possible future of the internet. While Healey is careful to indicate a few bright spots in the future prospects for the evolution of the internet, the overall tone is gloomy.
Healey has performed detailed analyses of trends in internet security which have led him to conclude that the internet as we know it may not survive much longer. While his assumptions and analyses are have merit, I have to at least hope that the future is less bleak than Healey paints it. People have been prophesizing the end of the internet in one form or another almost since its inception. While this report has more solid research on which to base its claims than do some other theories on internet apocalypse, it may not be the final word on the subject.
The current status quo of the internet is reasonably relaxed. We use it almost constantly and feel safe shopping online in relative security, reading our emails without undue worry over who else can see them, and checking Facebook to see what antics our high school friends have gotten up to in the last forty-five minutes. We spend our days watching YouTube and arguing on Twitter about what color a dress is (Team Blue, all the way). The World Wide Web that we rely on is fairly safe, just like the neighborhood your parents grew up in. Sure there are criminals and every week we hear about some major security breach, but generally we are safe if we are smart. But is all that about to change? Just as our children have lost the freedom to roam the streets in packs on bicycles that our parents enjoyed, may we be about to lose the freedom to proclaim our allegiance to Team Blue or order our cat food from Amazon without threat of identity theft?
Healey has laid out five possible scenarios which he believes represent the possible future of the internet. They range from “paradise” where security has gotten so good the only crime online is from the elite hackers of the NSA or nation-state sponsored teams. Otherwise crime in this projected future is so difficult to achieve on the web that it simply goes away. The likelihood of this, according to Healey’s report, is very low and I would tend to agree. The other end of the spectrum is what he called “Cybergeddon,” wherein the state of the web is compared to a failed state in which control of criminal elements is impossible and the internet descends into madness and anarchy, perhaps with flames and hardcore punk in the background.
The Ars Technica article linked above is worth a read, particularly to understand the three remaining projected futures. Time does not permit me a detailed discussion of all of these, but suffice it to say they cover eventualities that fall somewhere between the aforementioned extremes (continuation of current conditions, segregation of the internet, and a slightly toned down version of Cybergeddon). You can and should take a look at it for more thorough information. However, I would like to reiterate my call to optimism. As a security professional, especially working on the offensive side like the bad guys, I am fully aware that the criminals have more and better ways to breach networks than we have to protect them. Instead of burying our heads in the sand and bracing for the end of the web as we know it we need to find new ways to fight. There are endless ways to attack a network, endless ways for bad guys to “think outside the box” and gain access to the money or data that they want. That means there are at least as many possibilities for protecting the web and the computer systems we have all come to love and rely on. Instead of accepting that they have the leg up we need to start to break down the rules and walls that are holding the “good guys” back.
We need to fight for our ability to change the face of the war that is taking place right now. All through history the generals that were willing to break the mold, think outside the box, and even use tactics that were questionable at the time, are the ones that have succeeded over and over again. We need to fight to convince our clients and employers. We need to be the ones that have the leg up. It will require us to work harder, to do things that stodgy businesses will balk at, but it is what will win. The Fortune 500 Company that refuses to allow a pentesting team to do whatever it takes is going to be the first one to fall to a criminal attack. Stop putting leashes on the security professionals, stop bowing to pressure and wasting your time duct-taping broken security models. It is time for us to break the old security models and build new ones with new ideas, then break those with even newer ideas so we can constantly improve. Constant improvement of security is regularly taught but rarely actually practiced. It is time to fight, time to break things. Prevent Cybergeddon. Do your job.