Information technology is the fundamental sector on which all others depend. Software is critical infrastructure and deserves the same security investment.
The United States recognizes 16 distinct sectors of critical infrastructure, which are systems that are considered crucial to national economic security and national public health. Other countries have similar lists. Many of these sectors are common sense, such as food, water, and energy.
One sector is information technology, which encompasses hardware and software systems and services. I would argue that this is the single most important sector, a kind of ur-sector on which every other sector depends.
Think about it:
Everyone relies on information technology. Everyone understands the importance of information technology.
Why, then, do we see a persistent parade of headlines about data loss, system compromise, and failures?
Fungus thrives in a warm, moist environment. Similarly, software vulnerabilities thrive in complexity. If one developer writes 100 lines of code, how many vulnerabilities might you expect to find? Modern software is measured not in hundreds of lines of code but probably in hundreds of thousands of lines. How many vulnerabilities would you expect to find lurking inside 100,000 lines of code? Millions of lines of code?
We are building systems that are more complex than anything we’ve ever built before. The technology is constantly evolving, and we are assembling functionality faster that we can figure out how to secure it.
Don Knuth once said, “Software is hard,” and by golly was he right. We can build amazing things, but we can neither guarantee that they work as intended nor unequivocally protect them from malice.
Software vulnerabilities are an attractive attack vector for threat actors of all kinds.
In brief, the required effort is low, risks are low, and rewards are high. This asymmetry means that breaches, compromises, and other cyber calamities will continue until the cost and risk of cyber operations increases to match the potential rewards.
We’re at an inflection point—as a species, we are starting to understand our dependence on the machines we’ve built, and we are learning how to drive down the risk of the software systems that are the foundation of our societies.
Fundamentally, reducing risk happens when we get better at building software and buying software. A coherent software security initiative (SSI) helps organizations reduce risk overall; a secure development life cycle (SDLC) helps organizations build more secure, safer software.
The thing that’s hardest about software security is grasping the big picture. In the heat of the moment, it is easy to make the wrong decision. When your company’s bank account is low and everyone’s telling you, “We have to release this product NOW,” it’s going to be hard to say, “It’s too risky to release because we aren’t meeting our security policy.” When your biggest customer says, “I need you to open this port in your firewall NOW,” it’s hard, to say “No, let’s take little time and find the right way to get this done.”
In the end, it’s simple: Software is critical infrastructure. The resources required for security in the short term are justified by reduced risk and lower expenses in the long term. This is a significant shift from the get-it-done-and-ship-it-yesterday mentality that’s been the status quo, but if we’re going to build all our other infrastructure on top of software, we need to change our thinking and our processes to build software right.