
Monday, April 20, 2015

The security of cyber

The RSA Conference for 2015 is beginning. This is the ‘Woodstock’ of companies and professionals working in the field of cyber security, where they get together and showcase their innovations. The who’s who of cyber security is expected to be present.

Well, it is a good time to talk about cyber security, isn’t it?

From the ‘wheel’ to ‘WhatsApp’, technological innovations and revolutions have been taking place, but never has the ‘security’ of any innovation been as demanding a subject as it has been with cyber or software-related innovations. I mean, I am sure there are ‘automobile security conventions’ somewhere, but it is not likely that they have created an industrial ecosystem worth multiple billions of dollars.

Let us try to understand why security in the software world is such an important subject.

Software engineering is a form of engineering like any other. Just as mechanical engineering applies the principles of basic physics, mathematics, energy transmission, etc. to create products that convert one form of energy into another to reduce human effort (e.g. the wheel, automobiles, cranes), software engineering applies mathematical principles and computer science to create products that are of use to humanity.

In earlier days, these products were largely centered around easing communication and information exchange. Today, however, we have software products in just about every aspect of our lives. Health care, personal finance, automotive, entertainment, mass communication, personal communication, food delivery, law enforcement or governance: you name a domain, and you will see software products applied in that domain.

Nearly two decades ago, computers were predominantly owned at the institutional level. Very few in society had personal computers. Internet access was even rarer, and mobile phones, though available at a staggering rate of 32/- per minute of calling, were only for telephony.

Today, almost every household has multiple devices to get onto the internet (phone, tablet, laptop, desktop or even television), and we have software products touching our lives nearly 24 hours a day.

So what is it about the “software stream” of engineering that causes its “products” to proliferate at such a rapid rate, whereas other streams of engineering are still limited in the types of things they offer? I mean, despite being around for much longer, the types of automobiles that have come up are still a handful (trains, buses, trams, trucks, cars, mopeds, scooters, etc.), whereas the list of software products is so long that I am not sure anyone can even come close to enumerating them.

There are two very big factors that make creating a product in software much easier than in any other form of engineering, and hence this rapid proliferation.

1) No physical raw material - You can create software with minimal raw material waste. The only thing that is wasted is human effort. Whereas if you try to innovate something in the brick-and-mortar world, you had better be sure, as the upfront capital cost of acquiring all the raw material is itself so high. This has made innovation in software far easier and less expensive than in the brick-and-mortar world. As innovation now has commercial value (where else would you see 30-year-old billionaires?), it has further fueled the creativity of engineers to come up with newer and newer concepts and feature-driven software to catch the fancy of the user. If it fails, big deal. Let’s come up with another one. It doesn’t cost much: re-use the parts and, bam, a new software application is ready.

2) The elastic nature of software - Unlike its counterparts in brick-and-mortar engineering, software products can be deployed, upgraded or debugged with much more ease. I mean, imagine if a car had an issue: the company would have to recall all the affected models (Toyota as well as General Motors have had to recall large volumes of their cars in recent times) and then give a new version. Furthermore, imagine the risk of drivers driving unstable cars. Whereas in software, when a buggy or unfit product gets released, the manufacturers push a new upgrade very easily. And what’s the worst that could happen? I mean, nobody is dying just because you can’t attach videos to your favorite messaging software. A new version will fix it.

The whole industry is driven by the desire to hit the market with your software as soon as possible, with as many new features as possible. The immense competition is not making it any easier. As a result, the traditional quality controls and safety checks practiced in other streams of engineering are often ignored. Because of the upgradable nature of software, the cost of failure is perceived as even lower, and quality and safety take even more of a back seat.

Having seen both a mechanical engineering shop floor and software engineering production methodologies, at least in my experience I can attest that the quality and safety procedures followed before shipping software are far below where they need to be. Consequently, we are now sitting on this enormously large labyrinth of software applications, which is extremely feature-rich but has “cracks” all over the place. These cracks exist because the industry was focused on ‘features’ rather than quality, and these cracks lead to what we call ‘vulnerabilities’. The ‘vulnerabilities’ give attackers the opportunity to ‘exploit’ them (just as cracks in your doors or walls give thieves an opening to break in). As more and more of everyday life’s functions become dependent on software infrastructure, attackers’ motivation to find such ‘cracks’ rises.

This is validated by the evolving attacker/hacker profile: a few decades back, a bunch of college kids trying to have fun; then modern-day hacking for financial gain; and now nation-state-sponsored hackers.

Cyber security has become a big enough problem that lawmakers have also started taking cognizance, but the law is a much slower-moving machinery than software, and it will be a while before it catches up.

Till then, let us be ‘cognizant’ of the fact that, while it is fun and convenient to use all these various software applications around us, they are built on top of an infrastructure that has plenty of cracks. As cyber security professionals fill them, newer ones are being uncovered.

So happy surfing, and safe surfing.