Gibson Index

2015-01-03: Everyone should be a hacker.

We need to escape the media and government cycle of rhetoric that hackers are bad. It’s leading to levels of ignorance and fear that are absurd.

After the recent Sony Pictures hack, this fear led people (including the FBI) to accuse North Korea of perpetrating or contracting the hack. It’s certainly true that there are hackers in the world who can be contracted on behalf of nations, mostly because it turns out we’re all living in a William Gibson novel, but this DPRK accusation might be founded on scapegoating rather than facts.

Nonetheless, the US government has forged ahead, using the hacking incident as a reason to put more economic sanctions on North Korea.

That resulted in this tweet from none other than Neil deGrasse Tyson:

From someone who is normally considered a bastion of reasoned thinking, this tweet just highlights the lack of knowledge everyone has about what hacking really means.

Creating an unhackable system is nigh impossible, because creating unhackable people is impossible.

Systems are built by people. They’re executed in the cold interior of machines that should be 100% logical - but those machines are also created by people.

People make mistakes. They can even create mistakes that don’t look like mistakes - everything can be going perfectly fine, until the moment it isn’t.

More importantly, people make decisions. When building a complex system, thousands of decisions are made. Each one of them might contain a nugget of a vulnerability without anyone realizing it. This is observed all the time in plane crash investigations: a seemingly innocuous decision combined with unanticipated factors dooms an entire flight.

Can we make uncrashable planes? No. We can get close, as 2014 demonstrated - it had the lowest number of fatal airliner accidents in decades. This took decades of reform and regulation in the aerospace and air travel industries. An amazing amount of research and training went into achieving a remarkable safety record - and yet, despite that progress, three crashes of huge importance happened. The crashes of Malaysia Airlines Flight 370 and Flight 17, as well as AirAsia Flight 8501, all received unprecedented media coverage.

People die when planes crash. Multiple industries face doom if faith is lost in the safety of air travel. This is a huge motivating factor.

Corporations don’t have this motivation at heart when making IT decisions.

They think of security as an unnecessary burden, a hassle they have to deal with, a budget line item they can’t bother funding.

Unhackable? We can’t even create systems and infrastructures that have security audits, because it’s seen as irrelevant - or worse, it’s seen as something that would be a black eye to the company, so it gets swept under a rug. Many corporations fly by the seat of their pants when it comes to information security, because they don’t want to be embarrassed by finding out how poorly secured they actually are.

Maybe the fear created by the Sony Pictures hack will change things. I doubt it. But I also don’t think information security reform should be driven by fear. I think it should be driven by a complete understanding of what it means to be a competent security-conscious entity in today’s fundamentally interconnected world.

Everyone should be a hacker.

Everyone should know what makes a system or an infrastructure insecure. They should know all the tactics that can be employed to penetrate a system or a corporation. They should be able to formulate strategies to combine those tactics into a full hacking campaign, like what took down Sony Pictures.

Only then will they know how to combat those tactics and strategies in their daily life.

Only then will corporations realize their responsibility to create secure systems and infrastructures.

Only when we know how things fail will we be able to fix things.

