Foreword to the original volume
by Dan Geer
The single most important step in engineering is to get the problem statement right. This is as true in social engineering as it is in information systems engineering. Wes Kussmaul's book is an attempt to do just that: to get the problem statement right, and to do so where social and information systems engineering meet, which is to say security. He deserves a gold star for even trying.
Such work is not easy. Those who say it is easy are either fools or charlatans. Kussmaul is neither a fool nor a charlatan. He brings to the task the benefit of prolonged study but he has necessarily bitten off a lot; the question for you, the prospective reader, is can you chew what he has bitten off? The answer is a hopeful "yes," but it is not trivial the way marshmallow fluff is trivial. This is difficult territory because it is important.
The four verities of governance are:
- Most important ideas are not exciting.
- Most exciting ideas are not important.
- Not every problem has a good solution.
- Every solution has side effects.
In no part of modern life is this more true than in the interplay around security. Security is about tradeoffs between simplicity and flexibility, between effectiveness and precision. Forks in the road appear at every turn, between security and privacy, between the public and the private, between the national and the local, and so forth. To get "the big picture," as it is generally called, is very, very difficult. Getting the big picture absolutely does not mean backing off far enough that you can make blurry pronouncements as if details didn't matter -- security is exactly where details matter most. Getting the big picture in security means to have a near-complete view of every detail.
Why every detail? Because for security to work you have to know how it fails. If that doesn't strike you as profound, pause for a moment and re-think your intuition. How security fails drives how security can be applied and how it can advance; for that reason the details matter, and they matter enormously. All the security technologies and strategies that have been developed to date have something to teach us about what not to do next time. If we grasp the failure modes then we can make progress. If we cannot, then we are doomed to reinventing the unworkable.
In that bigger picture we, all of us, are jointly at a considerable crossroad with respect to security. There is no doubt that "information society" is an apt enough description of the future. Thus the main and nearly philosophical question before us is whether we craft security technology that conforms to the real world intuitions of real people, or whether we expect those real people to conform to the security technology that we actually build. In other words, what is the problem statement?
Kussmaul attempts to answer this, and because he is looking forward there is necessarily some speculation to what he has to say. Perfect predictions of possible futures do not exist and because security is largely about tradeoffs he has to make some. This is a sign of rationality because it is only the fool or the charlatan who says that "You can have it all." Instead, Kussmaul starts from "What do we want?" and from that derives "What do we need?" He understands that trust is efficient but only if there is recourse to its misuse. He understands the real world intuitions of real people and deftly uses analogies of the physical world to derive what is missing in today's security solutions.
He has even gone so far as to practice what he preaches. He establishes a base point -- that identity must matter -- and from there critically reviews nearly every one of the security world's existing answers to the identity question. He is skeptical (what the great thinker Santayana recommended by calling skepticism the "chastity of the intellect") but, as every businessman has learned, there is no point in complaining if you don't have an alternative. This book is both that complaint and that alternative. Kussmaul has become an Individual Adherent of the Latin Notariat (read on). He has implemented the technology for his vision if for no other reason than to prove by demonstration that it can be done. His effort, in other words, is the real thing.
It is, of course, true that in the social and technology marketplaces the best product frequently does not win. If "best" always won there would be no need for advertising, after all. This is perhaps especially true when it comes to technologies that succeed most when they are least visible, and that describes security technology particularly well. In fact, one of the National Science Foundation's four "grand challenges in digital security" is to make being safe no longer require being an expert. If being safe is to not require massive re-education then being safe will have to rely on one of two things: the public's intuitive and thus willing participation in its own security, or the public's outsourcing its safety to someone else to take care of it for them -- a privatized digital nanny state. To this writer, the latter is anathema.
Thus we come to a recommendation: Read this book. Read it with the skepticism of its writer. If you like it, then proceed accordingly. If you don't, then offer an alternative at least as far reaching and no more costly. You will find that task challenging -- not exciting, merely important.
Dan Geer
Cambridge, Massachusetts
Now let's do as Dan says and Read this book.
Photograph courtesy Philip Greenspun