Three People You Cannot Take Seriously in Computer Security

Computer security is a serious and complicated business. It stands to reason that in order to communicate effectively to non-technical, non-expert audiences one would have to draw analogies to more common or widely understood concepts. But an effective analogy compares oranges, if not to other oranges, at least to other citrus fruits, not grapes.

1. Anyone who equates digital attacks to nuclear ones. For the umpteenth time: there is no meaningful comparison between a computer-based attack and an atomic one. Anyone who says otherwise is either woefully ignorant of what a nuclear weapon can do (and how long the impact lasts), or trying to sell you something. There is nothing wrong with making a buck, but if the only reason someone is paying you is because you are pimping fear, uncertainty and doubt, is it an honest buck?

2. Anyone who talks about the latest digital attack as a “wake up call.” This is a term that has been reused and recycled just about annually since the 90s. That’s not a “wake up call,” that’s called “hitting the snooze button.” We don’t make progress in computer security because too many people don’t realize they’re characters in Groundhog Day.

3. Anyone who mangles martial analogies while trying to address digital problems. You can’t have a “digital Pearl Harbor” if the fight has already been engaged. A Maginot Line-type network defense might actually be useful, but since you don’t know why the French actually built the real Line you think it’s stupid. “Laws and norms” of war are only followed because it’s relatively easy to catch, prove and punish violators in meat-space; that’s not true in any meaningful time-frame in cyberspace.

There is nothing wrong with adding a layer of abstraction or simplification to complex topics, but if you don't bother to get your analogy right you run the risk of leading people down a path that could be more detrimental to their security than the situation they're already in. Your average, ordinary business or system owner - when faced with the prospect of combating the supposed equivalent of nuclear weapons and other over-the-top characterizations - is going to punt, and rightfully so, because they're not in the war fighting business, they're in the widget business.

If we're not prepared to do a proper and realistic job explaining the scope and scale of risks and threats, we shouldn't be surprised if people are disinclined to listen to our cries of "wolf!"