Marcus Ranum has written another poignant piece (labelled as a rant) on the state of IT security, called The Anatomy of Security Disasters. You might think from the title that Ranum was embarking on a microscope and tweezers dissection of a recent security incident, which is normally the reason security people get anatomical. However in this case the disaster for Ranum is not a single discrete event but rather the cumulative effect of many business-driven IT decisions taken over the last three decades that have rendered a grand IT failure all but inevitable. For Ranum, we have passed the point(s) of no return in avoiding this disaster, and tragically, the disaster may be a necessary trauma to reset the current complacency towards IT (security) risks.
Ranum sees many similarities with the epic failure of the Space Shuttle Challenger which broke-up shortly after take-off on its tenth mission in 1986, killing all seven crew members. His simple and brutal explanation for the disaster is that “space travel is dangerous”, but the public, as well as many in senior management at NASA had forgotten the inherent risks in the space program. An independent analysis by Nobel Laureate Richard Feynman (who was dying of cancer at the time) on the Challenger incident made a telling observation
It appears that there are enormous differences of opinion as to the probability of a failure with loss of vehicle and of human life. The estimates range from roughly 1 in 100 to 1 in 100,000. The higher figures come from the working engineers, and the very low figures from management. What are the causes and consequences of this lack of agreement? Since 1 part in 100,000 would imply that one could put a Shuttle up each day for 300 years expecting to lose only one, we could properly ask "What is the cause of management's fantastic faith in the machinery?"
Returning to IT, Ranum is essentially asking the same question - what is the cause of management’s fantastic faith in IT? Putting critical IT assets online is simply dangerous.
Business decision-makers are clearly not listening to security engineers, and a huge reality gap has developed between management expectations and IT reality. So much so, that when problems arise management righteously claim that they were lied to. Ranum quotes one of his colleagues as basically believing that any IT thing that is worth doing can be done securely. Security people should stop being “whiners” and just do their job of securely enabling IT for business.
Compound this disconnect between management and technical people over hundreds of thousands of projects at the corporate, national and international levels, spanning the last 3o years, and you have the disaster Ranum is describing (and lamenting). You also have the coming disaster that he is fearing (and loathing), since we have passed the point of no return. Those project decisions cannot be undone - only contained.
A predictable Black Swan is gestating.
I have developed a FreeMind map of Ranum 's article here which gives you some navigational freedom for reading.