The Illusion Of Perfect Cybersecurity

Forbes Technology Council
POST WRITTEN BY
George Finney

“Security is mostly a superstition. It does not exist in nature, nor do the children of men as a whole experience it. Avoiding danger is no safer in the long run than outright exposure. Life is either a daring adventure, or nothing.” – Helen Keller

One of my employees has a theory. The lock on your front door or the padlock on your locker isn’t actually a lock -- it’s a social contract. When you walk up to a door, the lock there is a little reminder from the owner that the stuff inside is his, and he would like you to leave that stuff alone.

We know in the physical world that locks aren’t perfect security. A padlock can easily be picked, shimmed or cut within seconds. Yet our society functions as though we believe our lockers, cars and homes are secure. A door can be taken off the hinges. You can break a window open. There hasn’t ever been a lock that couldn’t be picked. Almost.

For 67 years, the world thought it had a perfect lock. Joseph Bramah was so confident in his lock design that he painted a challenge on the lock itself and hung it in the window of his shop in London. The winner would have won what amounts to about $25,000 by today's standards.

Rather than keep his design a secret, he published detailed information on how it worked, in contrast with the commonly accepted maxim “security through obscurity.” If the lock really was impossible to pick, then being completely transparent and open about the details of the lock would only serve to reinforce the strength of the design.

American locksmith A.C. Hobbs would eventually pick the lock, shattering the image of perfect security. But it took Hobbs two weeks of actually living upstairs in that London shop, spending every waking moment attempting to pick the lock. After the perception of the lock’s impregnability had been broken -- even though it took two weeks of trying by an expert locksmith in ideal conditions -- people stopped wanting to pay premium prices for very nearly perfect security when they could get good enough security cheaply in the form of mass-produced locks.

Security through obscurity works because it takes time to defeat obscurity. The effectiveness of encryption, for example, is measured by the amount of time it takes to break it, not by whether it is unbreakable. We know with certainty that in just a handful of years the processing power of a computer will be able to break in a few minutes what would take hundreds of years today.

It is understandable, then, that the social contract concept is more difficult to understand when it comes to computers. I think this is in part due to the fact that to get into another person’s computer, I never leave my own keyboard. It is further complicated by the nature of digital information. If I break into your house and steal something, then it is more clear that I have violated the social contract. It is less clear if I break into your house and simply take photos or replicate your stuff with a 3D printer. It’s still a violation of the social contract, but psychologically, this behavior is more like voyeurism or espionage than theft.

Is there such a thing as perfect cybersecurity? No. But this doesn’t stop people from asking the question, “Is our network secure?” as though it is a yes-or-no question.

Helen Keller’s notion that security could be an adventure is a fascinating one, and I think this is the journey we are on as a society. We face dangers every day, from stolen banking information to interference with the political processes that our countries rely upon. How we rise to meet these challenges defines who we are, and it actually gives us an opportunity to become greater than who we are today.

Our present state reminds me of how Dr. Oliver Sacks, one of the world's most famous neurologists, describes his patients. In talking about his patients at the beginning of his work in An Anthropologist On Mars, Dr. Sacks writes, “Sickness implies a contraction of life, but such contractions do not have to occur. Nearly all of my patients, so it seems to me, whatever their problems, reach out to life -- and not only despite their conditions, but often because of them, and even with their aid.”

Rather than attempting to create perfect security, let's instead think of ourselves as daring adventurers being driven by our imperfections.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.