A blog post by the EFF has a curious phrase towards the end:
…the higher the stakes, the worse the security…
Sample size? The author clarifies that by “worse” he means the problems are “easily resolved”. This seems to assert a shade of negligence — a decision not to fix security even when the fix is easy. He tries to explain why this would happen:
I suspect the reason for this pattern is that organizations that handle life, health, and money do not think of themselves as software engineering organizations, and so seek to minimize engineering costs. Additionally, engineering-driven companies tend to be disruptive newbies who have not yet made a big enough impact on the market to control much important information.
I find his analysis lacking for at least a couple of reasons:
- Organizations that handle life, health and money do in fact think of themselves as innovators, not to mention software engineering organizations. Investment firms, for example, or research hospitals often have talented staff dedicated to inventing and building software and hardware.
- Engineering-driven companies are not all “newbies”. They have been around for decades and they too have grown old.
My personal experience does not resonate with the EFF. Perhaps what the author is trying to say is more in line with what President Clinton described in his keynote speech at the RSA Conference today: “it is easier to think about solutions in developing nations than developed ones.” I resonate more with that.
Higher stakes (higher asset value) do not automatically bring worse security, in my experience. I have found environments that embrace change are easier to secure because they welcome regulation and will pay for innovative solutions. Conversely, those that resist regulation and fear change fall behind on some forms of security fixes. They tend to demand extensive risk-based analysis and cost predictions before they are willing to agree to apply even “easy” security fixes.
A developed environment, if I can borrow the term, is unlikely to allow a Windows XP-based system to be upgraded to Windows 7 when the system is critical (to life, health, money, etc.). The FDA may not allow any “easy” resolution of a security issue unless they have thoroughly tested for other potential harm. That is why “better security” is not typically measured only on whether a problem is “easily resolved” — resolution can introduce other unforeseen and greater problems that threaten the valuable assets.
The delays may drive an IT security professional mad because they seem incredibly slow compared to the easy fix for the problem they see. Yet this is an opportunity in security to reflect upon greater principles and exercise caution: will an expedient change always bring “better security”?