Patch me if you can: It wasn't me – Cyberwars!

Our security guild has always contradicted itself. Are we the world's messed-up nerds or the real rulers of the earth? Is what we do valuable and highly complex, or is it actually hyped, overpaid, trivial electron pushing? And last but not least: Is “cyber” just annoying and tiresome – or is it the possible downfall of humanity? Our own soul sways to and fro as well: while in one moment we still invoke the digitization of administration, of schools, oh, of the whole of life, in the next we think of the demise of modernity through cyber wars and the singularity.

He has a soft spot for risks and for writing about cyber: David Fuhr, in his main job a security researcher at HiSolutions AG, rants and raves in this column about current incidents and general truths of information security. In addition to new articles, articles already printed in iX appear here – always with a tongue-in-cheek update on the current security situation.

Objectively, based on the facts: Are (especially man-made) IT incidents one of the problems that humanity will ultimately stumble over? If we leave aside the asteroid and the sun burning out in six billion years as unfair benchmarks, then, humble as we are, at least three risks of the past decades come to mind as worthy comparisons: nuclear war, corona and climate change.

Humanity developed the ability to destroy large parts of the world population at the push of a button seventy years ago. Of course, computers have helped to design more modern, more efficient, even more deadly nuclear weapons, and of course computer networks today play a decisive role in the way states observe one another. But perfect killing was and is possible without a computer. Even in the worst case, cyber cannot keep up with that potential impact.

Perhaps with cyber the problem is the other component of risk, the probability of occurrence? It is true that cyber attacks have become increasingly frequent over the years. Scourges like ransomware have become almost the norm. This is mainly because we rely more and more on IT: Only our own dependency makes us vulnerable to extortion and thus makes cybercrime worthwhile. The whole thing is more like a drug addiction: Digitization is our crystal meth, which makes us more self-confident and persistent – and more dependent, which is what delivers us into the hands of organized crime in the first place.

Do human lives depend on security? Of course. Are our dependencies and vulnerabilities increasing? You bet. But even if we always like to warn out loud: So far, people are more likely to die with than from cyber. To be fair, there are also the many lives that have been saved, lengthened or (in certain aspects) improved in quality thanks to digitization.

If neither the impact nor the probability of cyber looks excessively dark on our rough scale, it can at most be the internal dynamics that make the topic critical.

COVID-19 has a survival rate of 98 to 99 percent – Ebola snorts contemptuously – and a reproductive factor of only 2 to 3, which measles can only laugh about. What makes the current pandemic so tragic is precisely the combination of exponential growth, which cannot be “cheaply” limited because detection is complex, and a non-negligible death rate. Ebola and SARS were too deadly and conspicuous to be able to spread widely; Corona hits exactly the sweet spot: deadly enough for a global massacre, but also harmless enough that we carry it around and pass it on.

We must prevent cyber from taking a similar path: If we succeeded in raising the “chance of survival” of a company or a community after a major cyber attack to six nines (99.9999 percent), the problem would be solved. We will not succeed in this. All that remains for us is to increase the vulnerability to cyberattacks. We need to be able to see at an early stage where things are going wrong so that we can repair them and make them more robust or, better still, resilient. And we have to practice how to survive without IT and get back on our feet.

Otherwise – as in the climate crisis – we will eventually reach tipping points from which there is no (cheap) going back. Once the ability to operate substations in transmission networks by hand has been rationalized aw…, I mean, digitized, neither personnel resources nor processes can be quickly rebuilt in the event of a disaster (see intensive care units today). And a lot of what speeds us up can also speed up the attacker.

There are practices within security that make us better here, such as crisis team exercises, red teaming and chaos engineering. It is necessary, however, that the underlying way of thinking is built into every development step. There is no free lunch: Every piece of digitization creates a piece of dependency and must be combined with a piece of suitable (ideally preventive) addiction therapy. Incidentally, this applies to marketing too: “Reading this column is indispensable and boosts your productivity and knowledge by a factor of 10! And the best thing about it: You can get along well without it.”

