Have we reached peak internet? No, you cry, more things can still go online for more people more of the time. Yup. But how much of that time will those people spend defending themselves against digital threats, or recovering from the consequences, or wading through unsolicited messages, or drowning in advertising? The slightly duller version of the question is: “have we passed peak digital productivity?”
I work in information security, so you’d probably expect my viewpoint to be jaundiced. And you’d be right. But my actual day job is running an outsourcing business – we deliver IT-as-a-service to medium-sized firms. Our objective is to improve their productivity, and once upon a time we spent most of our energy trying to add features to the service. Now we spend most of it – and a lot of money – trying to protect what’s already there from the ever-expanding threat universe.
The world is full of good people trying to build a better tomorrow; they, too, are focused on adding features. Sadly the world also has no shortage of less-desirable people who, out of laziness, greed or malevolence, spend their time looking for ways to damage and exploit the work of the innovators. The bad hats have it easy – all they have to do is look for flaws. The good guys have to try to protect themselves and their eventual users while also having time to do the actual innovation. It’s a terrific waste of human capital.
The messy, evolved nature of computing in the 21st century means that almost every device is potentially vulnerable to an almost endless list of different types of attack. Your carefully-crafted piece of software might be as secure as you can make it, but it depends on the security of every other part of its environment. Every day we find new holes in operating systems, device drivers, underlying software libraries, hardware, networking protocols and on and on and on. Some of these holes are discovered by researchers – meaning we have a tiny window to patch them before that research is leveraged by the bad guys – and some are found by the criminals first, leaving us having to clean up and restore before we can even get to closing the vulnerability.
Last week there were breaches, attacks or reported vulnerabilities in WordPress (twice), iOS, OS X, Cisco (twice), Java, Kaspersky, McAfee (twice), AVG, internet-connected barbecues (yes, that’s a thing, apparently), Coin (a payment system), Xbox Live, Windows DNS, Flash, Dailymotion, Linksys routers, Janet (the UK academic network), Windows-based point-of-sale terminals, a UAE bank, USB sticks, OpenSSL, Lenovo, Dell, Toshiba, Smart TVs, VTech, Barbie, Wetherspoons, The Guardian (newspaper) and ThinkRace (vehicle monitoring and child-tracking watches). That’s not by any means a complete list; it’s just what I summarised from one website.
We – the IT profession – are supposed to keep on top of all of this, and at the same time try to move services forward. You – the users – expect us to keep you safe (rightly) but as part of that we have to keep teaching you paranoia. The more you have to second-guess every link, email, attachment, advert or app, the less time you have to work efficiently.
I read in the papers last week that cyber-security experts can make up to £10,000 per day because there are so many threats and so few experts. I’m not sure how true that is – although I’m motivated to find out! What seems to me more important is that this signals a structural problem. When you’re paying more for security than you are for innovation and improvement – and no-one’s paying coders or six-sigma practitioners that kind of money – you’re going to go backwards. I’m glad that security is finally seen as important; I just wish it didn’t have to be.
“The world is full of good people trying to build a better tomorrow” really? I think if the world were full of such people it would be a better place already. The overwhelming motivation of mainstream IT workers is greed – software is sold with designed obsolescence en masse and that creates the necessity for endless updates and chaotic incompatibilities between systems. This is because the chaos makes more money for IT business focused only on short-term profit at the expense of the long-term well-being of society. Everyone knows this. Customers know this. The promises of the internet have fallen far short of its potential. I have spoken to many techies and have found a lack of moral responsibility when faced with how much money they can make. Within this climate of greed it is not surprising that the industry is such a target for criminals. It is time the IT community took responsibility for its own short-sightedness and began designing products with long-term goals in mind.
Actually, these days, most of the tech industry is not predicated on charging for planned obsolescence; in fact, it’s a story of constant free updates to “free” services as companies compete for market- and mind-share. The industry is a target for criminal behaviour because it’s evolving faster than the law, and faster than the enforcement of existing law; also because the constant race to be first to market with a new feature – useful or not – makes the necessarily slower pace of secure development an apparent handicap.
I don’t think the industry is markedly more cynical than any other, and I think many of its innovators genuinely believe they’re trying to improve the world. The Unicorn/start-up/social-everything mania feels to me like the boundless scientific optimism of the fifties or the similar excitement at the liberation of capital in the late 19th century. Both had their villains and their adverse consequences, but both also had their heroes and did change the world. It’s not really for me to argue here whether those periods changed it for the better – although it’s hard to argue against increased lifespans, decreased poverty, the invention of social mobility and the emancipation of women, for instance; for the purposes of this blog I’m concerned that we’re beginning to see a preponderance of adverse consequences to our own period of change.