Information security is the central political question of our times.
Security pros know well that grappling with these issues requires us to develop a tough mental attitude, both individually and collectively. No amount of security mitigation matters if your despair or optimism clouds your judgement about the effectiveness of that mitigation.
The resulting hysteria plays out large, for example, in the current frenzy surrounding voting machine security. The Russians are hacking our elections!!! Them Russkies are changing vote totals!!! Putin's ghost hangs over your shoulder in the voting booth!!!
Let's calm down a bit, shall we?
Humans are really bad at assessing risk. We tend to fixate on catastrophic but unlikely occurrences—like terrorism, for example—while ignoring mundane risks that cause cumulative harm such as eating poorly, or not maintaining bridges, or failing to save for retirement.
This difficulty in assessing and responding to risk is especially pronounced in information security, where non-technical people, in particular, find themselves forced to choose between extreme paranoia (and thus, a defeatist attitude) and unrealistic optimism (we live in the best of all possible worlds!).
Neither is a productive attitude. Both are damaging in their own way.
Nerds, nerd harder!
The extreme of unreasonable optimism afflicts those blissfully ignorant of information security issues. Let me punch this straw man: "Nerds, nerd harder!" Yet for all the caricature that represents, there is a grain of truth. “We put a man on the moon, for crying out loud,” people say. “Fix your fiddly computer thingumabobbers already. Sheesh!”
This is a toxic attitude, especially for policy makers in government. Perfect security is impossible, and good security is very hard. Making policy and governing based on the stern admonishment to nerds to "nerd harder" is a disaster waiting to happen. Not to mention a sure-fire way to insult the nerds who not only know better, but who you want to do your bidding.
Unreasonable optimism eventually gives way to panic and hysteria, and leads to defeatism. We see this with the abrupt jolt to our republic's spine during the 2016 presidential election. Suddenly, a large number of people became aware of security issues and freaked out. In their continued ignorance, the panic has subsided to despairing numbness, followed by weary resignation, followed by hopelessness and despair.
Security people know this condition well. We call it security nihilism.
Security nihilism: Nietzsche would be proud
Yes, share this article with your less-technical colleagues. We feel the tug of these two extremes, too, do we not? "Everything is broken, we're doomed, we're hacked, hacked I tell ya!" With bulging eyes as the camera pans down a rain-swept street with goons smoking cigarettes in dark doorways, waiting to pounce.
Mitigations that improve, but by definition do not perfect, security are worth nothing if we are not able to calibrate our trust to the level of security they provide. I trust that the lock on the front door to my apartment is good enough to withstand all but the most determined attacks. But if someone with a battering ram, explosives, or a talented black bag team want to get into my apartment, I know that I can't prevent intrusion by those kinds of attackers. Nevertheless, I don't stay awake at night obsessing over unlikely threats or threats I cannot defend against.
Nothing better illustrates the dangers of both security nihilism and unwarranted optimism than the state of voting security.
The right mental attitude toward voting security
Consider first the optimistic froth around blockchain-based online voting. As soon as we hear the magic incantation — "abracadabra, BLOCKCHAIN!" — an astonishing number of faith healers leap from the woodwork and start doing their medicine man crypto bruh dance, assuring us with great fervor that blockchain will be our salvation, the balm to heal all wounds, the future, hope.
Yet few proposals to secure electronic voting are easier to expose as complete nonsense than the idea of online voting, even when potioned by the magic blockchain spell. As CSO has previously reported, online voting is impossible to secure. Voting security expert Matt Blaze has delivered devastating broadsides against this nonsense, publicly saying again and again and again that blockchain has no place in voting security today.
The other extreme nonsense position — which we can call "nihilism" or just flat-out "denial" — is the loud insistence, fingers in ears, that nothing is wrong, everything is fine, nyah nyah nyah nyah nyah nyah, we can't hear you.
A judge in Georgia said as much a few days ago, reluctantly ruling that insecure voting machines could be used in the midterm elections in November, but publicly rebuking government officials for having their "heads in the sand."
"The State’s posture in this litigation—and some of the testimony and evidence presented—indicated that the Defendants and State election officials had buried their heads in the sand," the judge's ruling says.
Prevailing attitudes seem to be that either nothing can be done, nothing is wrong, or that some magical buzzword will save us. None of these is correct. The right answer requires us to calm down and do the work.
Ignorance the root of the problem
Security requires critical thought and a tough mental attitude, and if our republic is to survive the information security threats our voting machines face, then we need to educate the public to think critically about what defense looks like, what it can and cannot do, and move beyond security nihilism into an improved collective security posture based on a sane understanding of the threats and our defenses.
How do we do that?
Well, the midterm elections are coming up. The result of despair is lost trust. Attacks on voting machines are calibrated not to change votes, but to weaken trust. The purpose of technical security mitigations, perhaps even more so than in other contexts, therefore becomes a question of calibrating the precise amount of trust warranted.
The current level of trust warranted, unfortunately, is very low. As the 2018 DEF CON voting village demonstrated, electronic voting machines are woefully insecure. But woeful insecurity can and should be improved — and giving in to the anxiety in the pit of your stomach that all is hopeless, All is Lost, OH MY GOD DEMOCRACY IS OVER!!!! is not a particularly helpful attitude.
Too many politicians and policymakers have their head in the sand about this, however. The idea that weak information security could ever become a partisan political position is ludicrous, especially when the result is lost trust in elections. Our political discourse, so long the stage for grandstanding nonsense, has finally discovered information security. The consequences of pursuing policies like "everything is fine!" when it comes to voting machine security could be fatal to our republic. (One wonders if that is a bug or a feature.)
Information security is the central political question of our times. It is a hard problem that can never be solved perfectly. But the gap between the status quo and strong-enough security is a yawning chasm. Neither despair nor optimism will help us bridge that gap. A tough mental attitude is the best defense. Security professionals can and should lead by example.