Computer security problems keep piling up like dead bodies during trench warfare. Is the problem evil Russian (or Chinese or whatever) hackers? Of course! But there have always been bad guys and always will be. The real issue is, why do our corporations and government agencies steadfastly refuse to apply the known, proven methods that would prevent most of the problems?
The problem
When a jewelry store has been cleaned out, whose fault is it? Of course it’s the bad guy’s fault. But what if the people who run the store went out for lunch, left no one in the store, and left the doors and safes wide open?
If a high-end clothing store is robbed blind, whose fault is it? Of course, it’s the bad guy’s fault. But what if store management failed to install the widely used tags attached to articles of clothing that are removed when you pay for them – and that ring alarms if they leave the store still attached to the clothes?
If a big store with lots of cash registers has a huge loss of cash stretching over many months, whose fault is it? Of course, it’s the bad guy’s fault. But what if the store failed to count the cash at the end of each shift, and paid no attention when a check-out person went from register to register during his shift, spending some time on each one?
Computers are different
Yes, computers are different from jewelry stores, clothing stores and big box stores. You may think that the computer security problem is way harder. Here’s what you might think:
Data is invisible! When someone walks out the front door with a pair of expensive sneakers, you can see the goods if you’re watching. But if someone “steals” some files, no one can see the bits pouring down the tiny wires, or flying invisibly through the air. So you can’t see the stuff going out through your doors. Surveillance cameras don’t work for data.
The thief can be remote! When a cyber-criminal does the bad deed, he could be right next door – or on the other side of the planet. He could be anywhere!
This is what most people think. So they write piles and piles of regulations that mostly call for the computer equivalent of putting big walls around your computers and call it good.
Use Computers for Computer Security
Computers are complicated. Very few people understand even a modest portion of what goes on in modern computers. So most people are clueless, and the ones who have a clue tend to learn a specialty and stick with it. The incredible complexity makes change surprisingly hard – most of the change we see is due to the unprecedented growth in the speed of the underlying hardware, not advances in software.
The vast majority of modern computer security is a rough translation of methods that have evolved in human warfare. The trouble is the bad guys have evolved and the defense remains stuck in decades-old, long-obsolete concepts.
Here's a wild thought: let's use computers for computer security! Let's have them do the computer equivalent of how security is implemented in places where we really care about it, places like jewelry stores, clothing stores and stores with cash registers. Even libraries! And, please, people, how about attending to the simple stuff, like keeping your software up to date. If software had been up to date, the recent ransomware attack would have been nearly a non-event. And the worst part of it (the worm) wouldn't have happened if the agencies in charge hadn't let it walk out the door via the Manning method (see next section).
A Big Fat Example
Chelsea (f.k.a. Bradley) Manning was convicted in 2013 of releasing nearly three quarters of a million military and diplomatic documents and was sentenced to many years in prison. How was it possible for a low-level Army private stuck in a remote outpost in Iraq to access all these documents and make them available?
Here is a book:
... that tells you most of what you'd want to know about Ms. Manning, who was Mr. Manning at the time of her/his noteworthy actions. And how he (at the time) got away with it.
The giant security hole that Manning waltzed through to do his damage was still open years later for Edward Snowden to do what he did. The security hole is wide open today at most government and commercial computer systems. It's the same hole that doesn't exist in places where people actually care about security, places like retail stores...
By their actions, we can only conclude that the security "experts" in charge are criminally ignorant or just don't want to fix the hole.
I'm sorry to report that I've seen no evidence that the situation will change any time soon. I've had occasion to talk with some leading security experts about the subject. I can definitely report that they exist on some planet -- unfortunately it's some planet that is not planet reality.