
Communications of the ACM

Viewpoint

The Case for Disappearing Cyber Security



Credit: Getty Images

In May 2017, WannaCry ransomware rapidly proliferated around the Internet, despite availability of a patch released by Microsoft in March. This is simply one of the most recent and notable attacks exploiting known flaws—there is a constant barrage of attacks, large and small. Although cyber security is more complicated than a simple failure to patch end systems, analysis of cyber security incidents has consistently shown that a failure to apply patches is one of the leading enablers of successful attacks.

We have reached a point in the evolution of cyber security where hands-off, behind-the-scenes cyber defense should be the norm. Clearly, the best solution would be to deploy less-vulnerable systems. This is a topic that has received great attention for approximately five decades, but developers continue to resist using tools and techniques that have been shown to be effective, such as code minimization, employing formal development methods, and using type-safe languages. Additionally, consumers are widely believed to be reluctant to accept the software limitations and increased costs that result from some of these more secure development practices. Those issues, coupled with the vast amount of legacy code in place and being reused, have meant that better security is often, at best, an "add-on" rather than "built-in" function. Patching and configuration changes will be required indefinitely to keep the current infrastructure at least moderately secure.


Comments


Des Kenny

I just apply the software patches from the vendor as soon as I see they have arrived, trust my software vendor, and sleep well at night. This has worked well for me for over 30 years; so far, so good. I have never had any software security issues with my vendor. If this process stopped working I would change my software vendor. I have no desire, or time, to analyze the details of software security patches. This would mean digging deeply into the operating system software, which I will not do, even if I could learn to do this. In principle I could do this, maybe. But in practice, for me, life is too short for such deep system software analysis activities. Most times you just have to trust somebody else to do a good job, otherwise your life will be miserable.

