
One only needs to look at the healthcare.gov debacle as an example.  Software development of this scale needs agility; fast iterations to get all the ideas, both good and bad, on paper.  Everything from the user experience to how data will be stored, accessed, and verified must be hammered out on paper before coding begins.  But agility, as I can tell you from my own experience, rarely happens when a government (or any large, bureaucratic) entity is involved.  From the reports I have read, these poor developers did not get the go-ahead to implement until March or April.  With an October deadline, that leaves very little time for rigorous testing of any software solution.  I am not defending the developers; they made missteps too, including not having the in-house capability to handle such a colossal technical task.  There is a lot of blame to go around.

Success is rarely determined by the quality of your ideas. But it is frequently determined by the quality of your execution.

Atwood (Coding Horror), Jeff (2012-07-04). Effective Programming: More Than Writing Code (p. 45). Hyperink – Guide to Effective Programming. Kindle Edition.

It has been my personal experience that if you give a great idea to a mediocre group of people, they will mess it up.  On the other hand, give a mediocre idea to a great team and they will not only make it happen — they will make it better.

Secondly, cyber security is a hard problem.  Let me illustrate with a simple analogy: Think of cyber defense as a sphere of Swiss cheese, and this ball of cheese is as big and ever expanding as our universe.  The holes, also infinite, are all the possible vulnerabilities of the system.  There is a very small subset of holes (vulnerabilities) we know about and we can “fix” or plug them (actually, this is not always possible.  There are vulnerabilities that we do know of but no practical fix exists… yet).  We cannot possibly plug every hole.  Attackers only need to find one good hole, or maybe a small handful of holes, to compromise a system.  The defenders have to be vigilant everywhere all the time; it’s an asymmetric problem.  And I haven’t even addressed the case where an attacker, like a mouse, worms its way in making a new hole.

Now, I know what you must be thinking: “Ok smart guy.  What’s the answer?”  Frankly, I am not sure there is one or will ever be one.  Lots of very smart people in academia, government, and industry, have been working this problem since the beginning of this whole Internet phenomenon.  And all we have to show for it is a handful of anti-virus (AV) and intrusion detection systems (IDS).  Some products are more effective than others but they don’t catch everything.  Attackers still persist.  Becoming more sophisticated, more determined.

So, lots of bright people have tackled, are still tackling this problem, and still no solution.  There may never be a solution.  Does that mean we should curl up into a fetal position, sucking our thumbs while crying, “mommy”?  No!  This is what makes research so exciting.  How to turn the attacker’s asymmetric advantage against them?  There are many interesting research ideas proposed.  However, one thing is certain: we will never solve these problems if our government keeps acting the way it has been lately.

“Governments will always play a huge part in solving big problems.  They set public policy and are uniquely able to provide the resources to make sure solutions reach everyone who needs them.  They also fund basic research, which is a crucial component of the innovation that improves life for everyone.”

Bill Gates

If Congress seriously wants to “win the war on cyber-terrorism”, or prevent a “cyber-9-11” event, they must quit their sequestration/shutdown shenanigans.  There are organizations active in researching ways to defend our critical infrastructures but they are hamstrung by Congress’ actions — er, make that inaction.  It is hard to do your job when your representatives aren’t doing their jobs.