Andrew Myers

Security, programming languages, and computer systems


Deterrence

Nice article at Slate about how deterrence cannot work for computer security.

The real problem is that computing systems are generally vulnerable to attack. This is not an inevitable state of affairs, but currently no one knows how to build secure, usable systems in a cost-effective way. It is not merely an engineering problem; it is a science problem. We lack the science base to do better. Why? The government has underfunded scientific research on cybersecurity defense for decades (offense is another story). Corporations have no incentive to invest in security research either. I don’t have the figures on the SaTC budget, but I would guess the National Science Foundation spends several million dollars a year on computer security. That is peanuts compared to the magnitude of the problem we face. Sure, other agencies spend money on security, too, like DARPA and NSA, but most of that goes to “beltway bandits” doing more engineering than science, or to research on the offensive side. The article linked above shows that the offense-oriented research is just not going to make us safer.