> Information Security: "We Can Do It, We Just Choose Not To"
Maybe not.
It's convenient to think that misaligned incentives [0] or
insufficient motives [1] explain failures of infosec. These are
popular explanations amongst tech people, because we want to believe
infosec can work. Our jobs depend on it.
Now there are gargantuan fines, shelves of regulation, auditing and
compliance, even jail time for executives. Has it fixed anything? No.
If anything the landscape of breaches is accelerating. And things like
Microsoft Recall, cloud "AI" services are only going to amplify it.
Even if we had a "corporate death penalty" that simply shut down
companies on their first breach, it would fix nothing. We'd just get
fly-by-night tech companies with an average lifespan of 18 months.
What if the people who said "Data wants to be free" are right? What
if data containment is impossible in principle?
Once we put aside wishful thinking, how can a technological society
survive? It requires radical and brutal re-thinking of cybersecurity.
How we define it. How we teach it. How we legislate it. How we address
harms.
[0] Bob secures Alice's data while Alice pays the price for Bob's
failure
[1] Many people don't care. Not everyone has a security mindset, not
because they lack intrinsic self-respect but because they are
unable to comprehend the harms.
That’s the thing. There’s a ton of grifters and/or idiots in the compliance space. If you talk to an actual lawyer that specializes in SOX litigation, or similar, you’ll find that many of the measures your compliance or fake-infosec people are telling you that you have to do aren’t actually required by any law or regulation.
> a government pentesting agency that fines companies without waiting
for the first breach.
I've heard serious suggestions floated for a tax and contribution
funded pentesting agency that helps companies without waiting for
the first breach. But I think the scale of it all is just a bit much.