It is well understood that there is generally an inverse relationship between system complexity and system security. That is, as system complexity increases, system security generally decreases. Complexity manifests itself in a variety of ways, and each introduces its own set of challenges and risks. Consider these three examples.
First, there is the complexity of the actual software implementation used in the system. Programmers tend to introduce x number of bugs per thousand lines of code, where x is influenced by the difficulty of the software, the maturity of the engineer(s), the correct use of effective tools, and even the organizational culture. But no matter how small x is, the number of bugs in software increases with the size of the source code. And every bug is a potential vector for an attacker to break in.
Second, there is the complexity of deploying the system correctly. Encryption can be used wrongly. Security apparatus can be deployed in less effective locations. Increased modularity may result in a larger number of per-module default passwords that all need to be changed. And key management can be a nightmare even under the best of circumstances.
Third, there is the complexity of using the system correctly (i.e., by the end users). Users of a web browser need to understand the browser’s warnings for bad SSL pages. Users of social media need to understand how to protect their own privacy. And talking of nightmares, how about teaching users how to create and manage passwords correctly?
But beyond the complexity of the system that needs to be secured, there is an ever-growing complexity in computer security itself.
For an example, simply re-read this article from the perspective of the computer security professional. She or he has to have at least some familiarity with all of these topics, and these examples just scratch the surface.
And the number of subfields is growing. I was speaking with a colleague a few weeks ago who explained the increased need for researchers and professionals in Identity Management. With the trend towards an Internet of Things and users that are always connected and interconnected, authentication and management of identities is becoming critical. She went into great detail explaining nuances and subtleties that I had never considered.
Just a few days apart from this conversation, I had a discussion with other colleagues about the possibility that artificial intelligence could introduce new ways for bad guys to do bad things. It turns out that it already has. Researchers have identified that bad guys can trick a learning system into learning the wrong things.
One more thing for computer security people to learn?
Some might argue that not every person in computer security needs to understand security issues in AI. But as things become ever more interconnected, I’m not certain that is true. AI is becoming more widely deployed than ever before in our vehicles and in our “smart home” devices. As AI becomes more mass produced, and mass deployed, it will become integrated within our digital ecosystem and it will bring with it all of its security issues.
So what’s the problem with complexity in the field? As with most areas of human study, why can computer security not have its specialists and generalists? Can we not have one professional that focuses research and development into one very small area, and another professional that is trained in bringing together broad knowledge and application?
The problem is that computer security is adversarial and most other disciplines are not. There are individuals and organizations that are actively working against whatever security is put in place.
As computer security becomes increasingly complicated, the gaps between the specialist and the generalist may intensify. When that happens, adversaries will find new exploits and vulnerabilities, not just in the implementation, deployment, and operation of systems, but in the very field of computer security itself.