The Problem with Moonshots

When someone wants to talk about making a big impact in computer security they almost always want to use the Manhattan Project as an analog. The problem of course is that the Manhattan Project wasn’t about improving defense, it was about improving offense. Indeed the Manhattan Project produced a weapon of such power that it’s only been used twice, and the civilized world works extraordinarily hard in making sure it does not proliferate (much).

A more appropriate analog is the Apollo program, the goal of which was putting a man on the moon. Mercury proved we could put men (well, primates) into space, and Apollo was the next “hard thing” we choose to do as a nation. But while a cyber security moonshot is an admirable goal, when it comes to cyber security – like space flight – the devil is in the details.

For starters, there is the democratizing impact of technology and the corresponding shift in power. In the 1960s the ability to put a man in space, much less on the moon, was the sole domain of the nation state. Today anyone can create the information technology equivalent of the Apollo or Mercury programs. Linux is a great example of such an effort, so is ransomware.

Then we need to consider the investment that has already been made in legacy technology. TCP/IP is what it is, and it is not going to change. We are not re-engineering the Internet and everything that rides through and on top of it. Not because it can’t be done, but because there is no ‘Sputnik was there first’ reason to do so (more on this in a second).

Everyone agrees there are problems, but no one can produce the kind of hard data needed to advance the cause. To be sure, there is no shortage of surveys that will provide numbers about the scope and scale of the problem, but none of those surveys are comprehensive and there is no way to independently verify their accuracy. The problem is bad, but is it prostate cancer bad (annoying) or pancreatic cancer bad (fatal)?

Even if you could back up your assertions with comprehensive, verifiable data, there is a fundamental unwillingness in both the security and broader enterprise decision-making apparatus to rock the boat.  “No one ever got fired for buying IBM” was the mantra in the early days of enterprise IT. That same mantra – replacing IBM with whatever the market-leading appliance or security suite is for a given class – is recited in Mahogany Rows all over the world. The courage to ‘slip the surly bonds of Earth’ in the context of cyber security is extremely hard to find.

Finally, in the early 1960s the Cold War was actually quite hot. The only reason we put men in space or on the moon at the pace we did was because Yuri Gagarin scared the **** out of us. By “us” I mean “the nation” or “the people” not merely NASA or the government. There is no such movement or sentiment today. When it comes to cyberspace, functionality trumps security.

Long term success in this field is indeed about reaching the stars, but you don’t get there from here in one giant leap. In order to get to the moon we had to master a host of component technologies first (and, let’s be honest, rely on the help of some Germans of questionable background). You’re never going to get a critical mass of people – security experts, executives, or ordinary people – to back a cyber security moonshot, but you can get everyone to agree that <pick your small improvement here> is a good idea and grab market share. Compile enough small victories and we might be amazed at what we can accomplish.