Unsecure at any speed?
From a safety and security perspective, the technology industry today is where the automotive industry was 60 years ago, when manufacturers were reluctant to prioritize safety features. It was not until 1965, when Ralph Nader published “Unsafe at Any Speed,” that public pressure mounted and the government intervened, ushering in the modern era of seatbelts, airbags, and antilock brakes.
The damage from insecure networked systems is incalculable. Foreign state actors are flooding our social media with misinformation, disinformation, and inflammatory rhetoric designed to distract our attention and fracture our society. They have successfully weaponized First Amendment rights, anonymously slurring reputations at scale and sowing the seeds of unfounded fear about the corona vaccines. The former costs careers; the later costs lives. Finding the correct balance between factual authenticity, sender anonymity, and consumer privacy is one of the 21st Century’s most important technology policy challenges. It requires fundamental reconsideration of the marketplace rules designed to keep us safe.
It is instructive to study how public awareness led to uniform standards in the automotive industry. We take the annoying warning beeps for granted today, but it took years to permanently entrain them into the design flow. Manufacturers contended that driving is an inherently dangerous activity and that the best way to survive an accident is to avoid one. The idea of surviving a wreck was left to providence instead of design. A decades-long process of shifting cultural expectations and seatbelts changed all that.
Nader’s exposé helped people understand that while crashes are inevitable, fatalities are not. Changing expectations led to political pressure and rules that imposed audits, safety ratings, and compliance procedures that keep producers honest and consumers informed. Companies compete on safety as a differentiator, and improve reliability through testing, analytics, and research.
Sixty years ago, teams of highly trained and well-resourced industrial designers created elegantly styled two-ton death traps one after another. We are making the same mistakes today. The difference between then and now is scale. An unsafe automobile does not put national security at risk — nor does it undermine the foundations of social trust that facilitate democracy. An unsafe or insecure digital network does.
The IT industry today approaches cybersecurity with a defeatist attitude about the inevitability of breach. Consequently, the intrusions, exfiltrations, and ransoms continue to pile up. Security professionals busy themselves managing patches, setting configurations, and addressing basic cyber-hygiene issues, but their posture is entirely reactive and largely ineffective.
Organizations believe standards compliance will absolve them of the fundamental sins of their business strategies. They think they can buy their way out of cybersecurity risk with better tools, but the problem is not the technology. We know how to make secure systems. The root causes of cybersecurity breaches are at the data and system governance levels. Leaders do not ask the right questions or pretend to understand the complex answers, and security teams do not, or are unable to, explain the difference between blind compliance and actual security.
Modern cars have dashboards that a driver from 1960 would recognize, but what’s behind and in front of them has changed dramatically. Until we insist that all applications and services demonstrate performance-measurable security, the field will be tilted to chrome-plated solutions that look great in the showroom but can turn deadly on the road, or on the internet. So, with information technology as with transportation, companies will not repent without threat of litigation, or enforceable laws that incentivize good behaviors and punish bad ones.
The takeaway lessons from automobile (and airline, and workplace) safety are simple: a certifying authority like NHTSA, affordable features like safety belts, and uniform market rules that ensure government, businesses, and consumers know that an unbiased third party has carefully checked for concealed problems and lethal vulnerabilities that only reveal themselves in high speed (or large scale) wrecks. We need to change the mindset from profit-eating costs to product-differentiating security, like the jarring crash-test commercials did and still do. As Michèle Flournoy recently said, “I think in the wake of all these cyberattacks … the thing that worries me is that at some point one … is going to inadvertently kill some Americans; [if] you had an attack that took down an electricity grid and suddenly the hospitals lose electricity, you’re actually going to have Americans die. Then what does a president do?”
Indeed. Let’s prepare ourselves now with uniform certification requirements, based on thorough examination and breach-detecting instrumentation, and procurement rules that re-level the playing field towards corporate responsibility, liability, and care.
Peter L. Levin is CEO of Amida Technology Solutions, an information technology firm that focuses on data and data security, and an adjunct senior fellow at the Center for a New American Security (CNAS). During the first Obama term, he served as senior advisor and Chief Technology Officer to the U.S. Department of Veterans Affairs.
Pavan Jagalur is project manager and cybersecurity team lead at Amida Technology Solutions. He has implemented information security and data privacy projects at agencies across the federal government.