The theft of data from the Office of Personnel Management is a disaster with long-lasting consequences. It is hard to imagine what event—short of one causing broad, immediate physical damage—could give the government a stronger incentive to support work on improving computer security. I’m worried the opportunity will be missed anyway.
Current computing systems are not at all secure, but almost all work on computer security focuses on “patching” inherently broken systems rather than on developing methods for building systems to be secure in the first place. Decades of experience have shown us that patching is inadequate, especially against a nation-state adversary.
My fear is that the theft from OPM will now cause research funding to go toward work on detecting intrusions, since the attack was found by a company demoing a tool for security diagnosis. That would be exactly the wrong response—the damage was already done by the time the attack was discovered. Let’s not work on better methods for closing the stable door after the horse has bolted.