Security, especially as it pertains to technology, has been a foremost issue in the media and in politics, and it was no surprise that it was a major theme at this year’s USENIX ’04 Annual Technical Conference in Boston.
The general consensus on security was clear: the issue is sensitive, difficult, and political. There cannot be 100% security; that goal is too extreme. An example presented was the airline industry: the only way to make the airline industry 100% safe is not to fly planes. Of course, that would not be feasible by any means, nor would it be worth it. We need to understand and accept risks. Security involves trade-offs.
Unfortunately, there is a poor perception of security risks, which downplays the issues significantly. For one, the media is to blame for exaggerating many of the issues. Many times, computer security in the news is “boring” and does not cover the bigger picture of the problems. Technology also has a share of the blame for hiding how things really work. Many times, the risks of using technology are hardly realized or understood. Finally, the IT industry has a share of the blame for spending little time, energy, money, and leadership on explaining security issues to the public.
So what are the direct consequences that we see now? The conclusion from both sides of the debate on “Is an Operating System Monoculture a Threat to Security?” best explains our current state: we have dug ourselves into a deep hole, and we need to find a way to dig ourselves out of it. We have little or no control over day-to-day security mechanisms. In many cases, individual rights are trumped in the name of security (e.g., the Digital Millennium Copyright Act (DMCA) and the Patriot Act). There are a handful of groups that have a major influence on our government and are successful in creating agendas favorable to themselves. Our situation reflects back on history: we are caught up in the circus of politics and the media.
So what can we, the technical community, do? Two words: be involved. It is important to continue to tell the truth about how technologies work. Most importantly, educating the public is critical so that the majority share a common understanding of the benefits and risks of technology. Attacking systems is a necessary part of security, and it is an integral part of educating the public. The public should not perceive the notion of breaking into systems as “bad” (or that “we” are crazy): breaking systems does not mean encouraging people to break things or to commit malicious acts. Finally, it is crucial to be partisan and to work with those who are curious.
Security affects our lives. However, we are not powerless. We can start digging ourselves out of a complex and sensitive hole by “stepping up to the plate” and making a difference for those who need it the most.
Have we dug ourselves into a deep hole in computer security matters? Can there be better communication between IT experts and the general public?