Why Aren't We Secure?

Through all of this pressure and fear, the same process continues. For example, the in-chip vulnerabilities in our current CPUs (general-purpose processors) and GPUs (graphics- and acceleration-focused processors) are beginning to be understood, yet one of the leading TPU (AI- and neural-network-focused processor) architects, speaking at a private workshop, was totally unprepared for a question on in-chip vulnerabilities in his new TPU. As AI technologies, generations, and products are layered on top of our current ecosystem, it appears we can expect a repeat of Deploy/Oops, Management/Oops, Security/Oops that stretches into perpetuity.

A New Way Is Needed

No doubt you’ve heard the old adage: The definition of insanity is doing the same thing over and over again and expecting different results.

Back to those thousands of companies competing to capture a small piece of the security market via San Francisco’s RSA Conference: what they are doing is important. Without their efforts, things would be a lot worse, but they alone are not going to change the fundamental problem.

Government agencies are trying, but they have fundamental limitations. Key among them is the emergence of government hacking and of government-sanctioned pirate organizations engaging in cybercrime. The reality is that governments have divided loyalties. Another problem is the reluctance of corporations to report cybersecurity breaches for fear that releasing the information will hurt their businesses and their stock prices.

Rebecca (Becky) Bace, a leader in the security industry, argued that it will take a change in public perception, and she suggested we need a new book similar to Unsafe at Any Speed to energize public sentiment.

One of the key results of the publication of Unsafe at Any Speed was the creation of the United States NHTSA (National Highway Traffic Safety Administration). The NHTSA merely published statistics on deaths and injuries in US highway traffic accidents. The publication of this data provided both an incentive and a way to measure results that energized government, industry, and society at large to tackle the problem. Ultimately, the initiative resulted in a 95 percent decrease in the rate of accidental highway deaths.

You Get What You Measure

At the Spring 2019 RSA Conference, NIST (the United States National Institute of Standards and Technology) reported on a study of cybersecurity metrics that it had recently completed. The study had tabulated 1,500 different cybersecurity metrics. But the team felt that this was not enough. They recommended that each corporation create a task force to develop its own cybersecurity metrics.

In business, there is an old saying: “You get what you measure.” The corollary is that if you are not getting what you want, you are not measuring the right things. We are not getting what we want in cybersecurity, so we must not be measuring the right things. If we follow the NHTSA suggestion, one of the key questions is: what exactly should we measure?

A Path to a Solution

A group of highly experienced cybersecurity practitioners came together to discuss these problems in an annual, private, by-invitation-only workshop organized by Becky Bace. After Becky’s untimely death, the group started the Bace Cybersecurity Institute (BCI) in her memory. BCI brings together some of the best public- and private-sector cybersecurity experts and focuses on realizing Becky’s vision of an information ecosystem that is safe and secure—safe and secure even in this emerging era of cyber blitzkrieg. It seeks to do this through research, technology transfer, education, and public policy. BCI doesn’t claim to have all the answers. But it is committed to asking the key questions.

BCI is seeking to be the catalyst that brings the industry together to create the safe world that we all want to live in. If it is successful, it will generate the kind of cooperation between government, industry, academia, and society in general that is needed to develop and implement the effective cybersecurity solutions we so desperately need.
