If you’re not a computer security professional, you may not be aware of the magnitude of the attacks on the computer systems on which we rely. Andrew Burt and Dan Geer on Lawfare can give you a taste:
Attack surfaces have expanded beyond any organization’s ability to understand, much less defend against, potential adverse events. Common interdependencies, once assumed secure, are not, rendering entire protocols, infrastructures, and even hardware devices susceptible to exploitation.
So large is the deluge of potential security threats that a new phrase has entered the lexicon for information security professionals: “alert fatigue.” One 2015 study, focused on malware triaging efforts at over 600 US organizations, found an average of 17,000 alerts generated per week, with only 4 percent of such alerts ever investigated. And that’s just malware alerts. The information we have at our disposal about our vulnerabilities does little in the way of mitigating them.
This serves as an intro to a paper they’ve written for the Hoover Institute. I’ve not read it, lacking free time. But this alert fatigue is a warning that our systems are too vulnerable. Long ago, I briefly worked for Siemens Energy Automation Systems (long enough ago that I’m not sure I have the name right and I don’t even know if that entity is still around), a division of Siemens that supplied computer systems for controlling electrical grids, and I know that, at the time, many of those installations were available via the Internet. I know because I found myself debugging systems on the fly in other states and countries, without ever leaving Minnesota.
In retrospect, that’s an amazing lapse. It’s like putting a webcam in your bathroom so people can watch you do your thing. (Yeah, yeah, I’m sure some people do that, too, but I’m making a point here.) Now, I do recall some of my colleagues traveling to do the same sort of work, indicating that at least some of our customers had the proper level of paranoia, but I suspect that was a minority.
But I really do wonder how many systems that are on the web really shouldn’t be.
