Why we suck at innovating for security


Summary: Modern-day security is meant to be state of the art, so why is it that after all these years, we're still getting it so terribly wrong?


We've been told that in order to innovate, we've got to move fast and break things, be more agile, experiment and fail, and generally just throw things out there and see what sticks. To a lesser extent, that is what we see companies do.

But how often do we actually see a final, static technology product? Most of the time, we don't. Everything is in a constant state of change, with patches, new features, new models. The vast majority of us don't even keep mobile phones for more than a few years before moving on.

But when it comes to security and, to a greater extent, privacy, none of that works. Whenever we hear about improved security, it's because someone forgot to implement best practice. Rather than introducing something new, everyone seems to be travelling towards some sort of static gold standard of security.

And the reason we rarely see emerging security features is that it's too dangerous. Facebook would face immense backlash if it took your personal information, experimented with a feature, and failed. Facebook might say it learned a rather large and important lesson, but after the fact, it can't undo the damage that has been done. As much as Zuckerberg says that he moves fast and breaks things, I'm sure when it comes to security, he moves very slowly and surely, as failing or throwing things out there to potentially fail isn't an option.

Due to this fear of failure, we go back to what has worked, what has been tested, or more specifically, what is safe. And safety is what security is built on. The idea that if X is done, risk will be limited to a certain degree. To put it another way, to play it safe, security is all about not taking risks.

Yet, the most dramatic innovations and innovators of our time were built on some element of risk, whether that's throwing out there an outlandish proposition of indexing the entire web, recreating a social network that others had already done, or suddenly deciding to create a smartphone, rather than a PC-competitor.

Innovation is what makes things better, which challenges the competition to do things in a different way, which provides more options — but we rarely hear about it in security. Instead, we use old solutions to current problems, like using passwords for authentication, because most of the time, we're too scared to think of another way of doing it.

How old is old? Robert Morris and Ken Thomas, two researchers from Bell Laboratories, once wrote a paper on password security, noting many of the issues that we hear about. The importance of salting passwords and enforcing password complexity are covered in the short paper, and they even touch on the idea of a second factor of authentication. This was in 1979.

In fact, few modern security measures are anything but a rehash of old technology. Facial recognition? Built and tested in the 60s. Two factor authentication? Morris and Thomas mentioned it, and RSA may have brought about greater awareness when it introduced cryptographic tokens in 1995, but we're still seeing Google struggle to convince people to use it. Contextual authentication? It's newer, but introduced around 10 to 15 years ago (PDF), though we still have little to show for it.

Compare that to processor speeds, the weight and size of computers, the huge effect of social media and the way we communicate, and suddenly, our so-called advances in security seem pathetic.

I don't have a magic solution to the problem — if I did, I'd probably be a millionaire — but I think part of the issue stems from a collective attitude that the challenging thing to do is to break systems, find flaws, or point out how dumb others are.

What makes us pay attention are the giant breaches, Anonymous and LulzSec pointing out how lame our security is, or the biggest, baddest zero-day to hit a system. Throw in "nuclear facility" and "state-sponsored" in there, and watch out; we've got a badass here.

If you don't believe that the focus is on breaking things, take a look at the events and competitions that are held in the information security space. The majority fall into two broad categories of pointing out or breaking systems — the DefCon- and Black Hat-style events; or otherwise, they highlight how much we need protection — practically any analyst- or vendor-held event.

There are very few events that have securing a system as the sole focus, but try pitching that to hackers: "Here's your chance to apply the latest patches, look through logs, or audit payment systems for compliance!" They'd much rather go back to the fun of breaking something, which is much more challenging.

Or is it?

What most have yet to realise is that breaking things isn't the challenge any more — just grab a fuzzer, use Metasploit, or any number of automated tools, and you're bound to find something — it's keeping everything from being hacked that's the real deal.

Those selling protection say it's simple; even Australia's Department of Defence thinks that 85 percent of all attacks could be mitigated through four measures. But make no mistake, implementing it all is a challenge. After all, if it were so simple, everyone would be tightly secured.

The question is, when will we realise that the real challenge that is worthy of undertaking and, in the end, will provide us with greater innovation isn't breaking an insecure system, it's building a secure one?


Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.



  • Securing a moving target is a challenge . . .

    Securing a moving target is a challenge - part of the problem is that we are in fact coming up with new stuff constantly, and need to find new ways to secure it. Security works best when stuff is static, unchanging. Change is the enemy of security.

    As long as technology is continually changing, security remains a constant process, rather than an end goal.
  • be more proactive

    Thanks for the article. We all need to be more proactive about our personal account security. One thing you failed to mention is taking advantage of the 2FA (2-Factor Authentication). Although it’s been around for a while, more and more sites are starting to offer and promote this option. 2-Factor Authentication to complete a transaction while shopping online wins every day. I feel suspicious when I am not asked to telesign into my account by way of 2FA; it just feels as if they are not offering me enough protection. I know some will claim this makes things more complicated, but the slight inconvenience each time you log in is worth the confidence of knowing your info is secure. This should be a prerequisite to any system that wants to promote itself as being secure.
  • The fundamental problem is

    that computers are highly complex systems. No one has figured out how to write perfect code and then verify it is perfect and that it can protect against every possible attack vector.

    All this talk about passwords and the like is really a distraction. None of that matters if the underlying software is full of holes. And so far, we simply don't know how to write secure software. It's a problem of scale and complexity.