Getting the definition right
[Yesterday, ZDNet published a short commentary I wrote called “Getting the definition right”. I’m very grateful to ZDNet for giving me a forum with a few orders of magnitude more readers than this fine blog. In order to make the article suitable for the mainstream, the ZD editors stripped out most of the jokes from the original piece and altered the ending a bit. They were probably right to do so – security is no laughing subject. Still, for the “benefit” of my original reader(s), I’ve decided to post the “controversial”, err, “uncut”, um, “eXtreme” version here.]
Getting the Definition Right (the director's cut)
“Security”, like other vaguely defined segments stalked by industry analysts, is subjected to cyclical patterns of fashion and scorn. Are we in a security-fueled investment bubble, or are organizations still sitting on their IT wallets? Much of the answer depends on your assumptions and definitions.
In his now (in)famous January 2000 essay, “Terror Versus Security”, Salman Rushdie offers a working definition:

Security is, after all, the art of making sure certain things don’t happen: a thankless task, because when they don’t happen, there will always be someone to say the security was excessive and unnecessary.
This and other pieces are republished in Rushdie’s newish book, Step Across This Line: Collected Nonfiction 1992-2002. Mr. Rushdie is something of an unwitting expert on security matters, at least at the receiving end. Compelling snapshots throughout the book recall a decade of fighting (and dodging) the Iranian fatwa placed on his head after publication of The Satanic Verses. While his insights are keen, this definition is part of the problem.
If you think of security in purely negative and restrictive terms – preventing attacks, denying access – it’s hard to be optimistic about the industry. After all, restrictive security places a burden on the many legitimate transactions in an attempt to prevent the few unauthorized ones. This is practically a Sisyphean undertaking (heh, “Sysyphean Undertakings for Dummies” – I’m gonna write that book). Too much restrictive security and the economy grinds to a halt while people proclaim that “the terrorists have already won”. Too little and you’re accused of being negligent. Rushdie’s punch line is that any security you decide on is by definition the wrong amount. What fun.
However, there’s a different way to look at the industry. Instead of thinking about security as just negative and restrictive, think of it as active and enabling. Active security is not just about stopping the bad guys; it’s about making the normal lives of the good guys better. Instead of just intercepting a few illegal transactions, active security aims to make the vast majority of legal transactions faster and more efficient. There are new security technologies that allow people to do more and to do it quicker. Think of ATM machines, trusted traveler documents and digitally signed mortgage forms. All of these applications make life easier for legal users and, by extension, make it easy to catch the illegal ones. Also, since active security deployments focus on speeding legitimate transactions, they can have a net positive effect on the economy. The more active security you have, the more it pays for itself. This is the exact opposite of the negative feedback cycle of restrictive security economics.
A great example of a large active security program is the Common Access Card (CAC – bad name, different topic) of the U.S. Department of Defense. The CAC is a smart card issued to every member of the DoD and is intended to be used for many applications including logical and physical access, secure email, document signing and payments. These are applications that people want and that were largely unavailable before the CAC program. Of course the system is built on cryptographically strong technology, so even though people will use their cards for convenience, they’ll be getting security.
I wrote a chapter on “Active Security” in Inside the Minds: Security Matters. If you like this blog, but not the pesky attempts at humor, the chapter may be more your speed. From what I’ve seen in the past two years, spending on active security technology is growing in both government and commercial sectors.
Towards the end of his essay, Salman Rushdie adds a cautionary note:
In the past, security didn’t save President Reagan, or the pope. Luck did that. So we need to understand that even maximum security guarantees nobody’s safety.
Certainly this conclusion is correct. Security isn’t about guaranteeing absolute safety. It’s about letting people undertake both important and pedestrian actions with a reasonable expectation of a speedy, safe and correct outcome. Still, I can’t quite agree with the first two sentences. If you watch the video of either assassination attempt, you’ll see that, even though security couldn’t prevent the initial shots, each attacker was frustrated in his attempt to finish the job by a massive bodyguard pile-on, while the injured principal was quickly and efficiently whisked away from danger and towards medical care. So maybe it’s more accurate to say that President Reagan and the pope were saved by security and luck. And by “luck” I mean eight hours of surgery.
It’s easy to make a case for security if you get the definition right.
April 6, 2004 | Permalink
Comments
Coming from the Security industry, I appreciate this perspective.
"Active security is not just about stopping the bad guys; it’s about making the normal lives of the good guys better."
Posted by: Prasanna | Apr 7, 2004 12:26:23 PM
Thanks,
It’s a way of looking at things that goes a bit against the conventional wisdom of what security is all about, but I think it’s difficult to have meaningful security without it. If the effectiveness of your security system is based on its ubiquity of adoption, and if a system’s adoption is based on how compelling it is to average users, then the effectiveness of a security system is largely determined by what it does for the good guys, not just by how hard it tries to keep out the bad guys. That’s a mouthful.
Posted by: Phil Libin | Apr 8, 2004 9:16:31 PM