Cybersecurity: Are We Doomed In This Game?
Cybersecurity can be regarded by the subject scholars and practitioners alike as a more or less fixed body of knowledge, once mastered they think they are the respectful professors and experts in the field. This assumption can safely be applied in other fields like accounting and law. Yet this can lead to very serious consequences of self-complacency. In cybersecurity we always lament that the bad guys always win over the good guys. But is this the end game or is there a turn-around?
No Silver Bullet
"No Silver Bullet — Essence and Accidents of Software Engineering" is once a widely discussed paper on software engineering written by Turing Award winner Fred Brooks (1987). Brooks argues that "there is no single development, in either technology or management technique, which by itself promises even one order of magnitude [tenfold] improvement within a decade in productivity, in reliability, in simplicity." He also states that "we cannot expect ever to see two-fold gains every two years" in software development, like there is in hardware development (Moore's law). Similarly in cybersecurity we do not have silver bullet.
Unstable Equilibrium
We have newly proclaimed silver bullets of international, national and industry security models. Likewise we have new anti malware solutions, intrusion detection or prevention systems, web application firewalls, next generation firewalls; the shopping list goes on.
The new cybersecurity models and products, once they are known and shared, will be overshadowed by competing models and products. Alternatively the new models and products are defeated by cyber actors who design, code and test for beating them. We see very advanced malware. Why are they so advanced and such a menace? They are designed, coded and tested against the known cybersecurity models and products.
Silver Lining
We do not have silver bullet but we have silver lining. There should be better sharing on known malware, cyber attack and data breach patterns on a larger, systematic scale with the aim of defeating them. This includes what happens, why happens and how to prevent the same thing from happening again. This requires more than the mundane vulnerability alerts and patch information. We see dark cloud of cyber insecurity (Wallace 2014). Rather than resorting to blind-folding ourselves at one extreme or to eye-for-eye at the other end, it is up to us to paint the silver lining out of the dark cloud.
References
Brooks, F. P. , J. (1987). "No Silver Bullet — Essence and Accidents of Software Engineering". Computer 20 (4): 10.
Wallace, I. (2014). “The Risks of Cyber Insecurity”, retrieved from http://www.fletcherforum.org/2014/08/17/wallace/