How Do We Tell Cyber Security Truths That Might Hurt?

In 1975, Edsger Dijkstra penned an iconic essay entitled “How Do We Tell Truths That Hurt?” In his piece, Dijkstra scolded the computing community for choosing to ignore several obvious facts. While answering endless ridiculous questions about the SolarWinds hack this past week, I decided it was time to re-read the master’s note. As I’d suspected, the parallels lined up – so I decided to serve up my own list of cyber security truths that might hurt. I hope this doesn’t spoil your day:

1 – Enterprise cyber security is one of the most difficult aspects of running a business. Observers who’ve never done this type of work do not understand the magnitude of the challenge.

2 – The easiest cyber security task involves breaking into software systems. This has become child’s play for anyone willing to take the time to plan their attack. Research that highlights attacks no longer impresses anyone.

3 – The best nation-state hackers, including from Russia, can break into anything they choose to target. They can do this at any time of their choosing, regardless of any defense in place.

4 – The tools we buy from commercial vendors are excellent at supporting specific tasks, but poor at developing a comprehensive security architecture that can truly stop a nation-state.

5 – Perimeter security – “the infantile disorder” – by now nearly 25 years old, is hopelessly inadequate to stop attacks, and yet this remains the basis for most protection architectures.

6 – Noticing that Trojans exist in complex software is much harder than it looks – and when planted by nation-states, they are virtually impossible to detect, even with the best security tools.

7 – The task of stopping nation-state attacks is much too difficult for the typical under-funded and under-staffed IT Security team. This is an unfair fight, one that the nation-state wins every time.

8 – We can build no security discipline on the repeated mistakes of the Federal Government when it comes to cyber security. Today, they are essentially 100% useless in stopping attacks.

9 – Vendors who say they could have stopped the Russian attack on SolarWinds are just being ridiculous. If you are spreading this nonsense, then please stop.

10 – SolarWinds is no different than any other company selling software. This hack could have happened to Google, Amazon, or you. Worse, many similar (currently invisible) hacks are ongoing now.

11 – Our only hope for a workable enterprise defense is to reduce the size, complexity, scale, and scope of the software we rely on. To build a strong house, you must have simple, solid bricks.

I’m sorry if my list hurts your 1Q21 product marketing plan, or if it contradicts your investigative reporting for tomorrow’s mainstream news cycle. But sadly, these points are in fact true. To that end, I’d like to close my little note with Dijkstra’s slightly snarky close to his own 1975 essay: “If the conjecture ‘you would rather I had not disturbed you with this’ is correct, then you may add it to the list of uncomfortable truths.”