Have we reached peak internet? No, you cry, more things can still go online for more people more of the time. Yup. But how much of that time will those people spend defending themselves against digital threats, or recovering from the consequences, or wading through unsolicited messages, or drowning in advertising? The slightly duller version of the question is: “have we passed peak digital productivity?”
I work in information security, so you’d probably expect my viewpoint to be jaundiced. And you’d be right. But my actual day job is running an outsourcing business – we deliver IT-as-a-service to medium-sized firms. Our objective is to improve their productivity, and once upon a time we spent most of our energy trying to add features to the service. Now we spend most of it – and a lot of money – trying to protect what’s already there from the ever-expanding threat universe.
The world is full of good people trying to build a better tomorrow; they, too, are focused on adding features. Sadly the world also has no shortage of less-desirable people who, out of laziness, greed or malevolence, spend their time looking for ways to damage and exploit the work of the innovators. The bad hats have it easy – all they have to do is look for flaws. The good guys have to try to protect themselves and their eventual users while also having time to do the actual innovation. It’s a terrific waste of human capital.
The messy, evolved nature of computing in the 21st century means that almost every device is potentially vulnerable to an almost endless list of different types of attack. Your carefully-crafted piece of software might be as secure as you can make it, but it depends on the security of every other part of its environment. Every day we find new holes in operating systems, device drivers, underlying software libraries, hardware, networking protocols and on and on and on. Some of these holes are discovered by researchers – meaning we have a tiny window to patch them before that research is leveraged by the bad guys – and some are found by the criminals first, leaving us having to clean up and restore before we can even get to closing the vulnerability.
Last week there were breaches, attacks or reported vulnerabilities in WordPress (twice), iOS, OS X, Cisco (twice), Java, Kaspersky, McAfee (twice), AVG, internet-connected barbecues (yes, that’s a thing, apparently), Coin (a payment system), Xbox Live, Windows DNS, Flash, Dailymotion, Linksys routers, Janet (the UK academic network), Windows-based point-of-sale terminals, a UAE bank, USB sticks, OpenSSL, Lenovo, Dell, Toshiba, Smart TVs, VTech, Barbie, Wetherspoons, The Guardian (newspaper) and ThinkRace (vehicle monitoring and child-tracking watches). That’s not by any means a complete list; it’s just what I summarised from one website.
We – the IT profession – are supposed to keep on top of all of this, and at the same time try to move services forward. You – the users – expect us to keep you safe (rightly) but as part of that we have to keep teaching you paranoia. The more you have to second-guess every link, email, attachment, advert or app, the less time you have to work efficiently.
I read in the papers last week that cyber-security experts can make up to £10,000 per day because there are so many threats and so few experts. I’m not sure how true that is – although I’m motivated to find out! What seems to me more important is that this signals a structural problem. When you’re paying more for security than you are for innovation and improvement – and no-one’s paying coders or six-sigma practitioners that kind of money – you’re going to go backwards. I’m glad that security is finally seen as important; I just wish it didn’t have to be.