Interview with Alex Smirnoff

Email interview held on 2nd October 2017 – as follows between Alan Radley (questioner) and Alex Smirnoff (relator):

1) What are your thoughts on the current state of cybersecurity, both for organizations and for consumers?

Cybersecurity is in the same miserable state as ever, and it is expected to be like that, in given circumstances.

Physically modern society is safer than it has ever been (for most of us, people who are taking the problem of cybersecurity closer to their hearts than a risk of food shortage, drinking water contamination or long-term electricity outage). Consequently, cybersecurity is assumed to be a kind of safety problem, similar to those many dangers thwarted long ago, such as lethality of common cold.

Good results were achieved in a physical world, e.g. construction safety rules:
strictly follow such and such rules and the roof won’t fall on your head — indeed it works.

There is something about cybersecurity, however, what is quite counterintuitive for most people and where the aforementioned analogy does not work. Problem #1: there are no failproof “construction safety” rules in cybersecurity. Cyber environment is hostile. Imagine you need to build every shed with a roof that should withstand a missile attack. Even worse, there is a new kind of missile every few months, specifically designed to crush the roof over your head.

But, if cybersecurity was always like that, why didn’t we adapt? Why do we miss even baseline rules (which do exist, contrary to safety rules mentioned before, in fact insurance companies use these rules very practically) and make inexcusable mistakes in a way which can only be qualified as negligence? Ok, we could accept a failure to withstand a missile attack. But why does it fail so often to withstand a slingshot projectile, launched by a random half-educated schoolboy for fun?

Unlike construction safety, software development is a business where negligence is rarely perceivable (let alone proven) and personal responsibility is almost unheard of.

Moreover any business is a permanent competition where the ultimate winning move is to minimise your expenses. Of course, you have other needs too, you need to ship faster, and probably you’d like to make it secure also.. but you only know how to measure time and money, you cannot measure security, there is no established way to do so. Maybe a security professional can, but typical business can not and would not do — whatever metric you employ it is doomed to be uncertain, elusive and probabilistic, therefore dismissed by a serious business.

And here we face the Problem #2: people assume security to be intrinsic property of any system they use, but when they choose a system, they cannot evaluate if this property was implemented to meet their expectations. No consumer will pay premium price for security, because “the vendor is supposed to take care of that already”, yet at the same time consumer forces vendor into a feature race and price competition in a way he cannot pay appropriate attention to security, which never comes for free. It is “Lemons market” par excellence.”

When people finally see that #2 is a problem, they desperately run into what constitutes the Problem #3: you cannot “add” security as a product. Especially if you have misdiagnosed the problem. Way too often people confuse a symptom with a disease — resulting in a treatment of “malware” with “antivirus” while mindlessly asking for propagation this false remedy from desktops to IoT, mobile and SCADA environments for the sake of familiarity and a feeling of safety.

All the said (and imagined) calamities are inevitable, since they are rooted deep inside business processes, human psychology and social self-regulation.

2) What – in your estimation – are the reasons behind the many computer security breaches/failures that we see today?

I practiced breaking into random system “just because i could” in my teenage years in early 90’s, and even at that time I had an impression that I came a bit late and missed a lot of fun; so I am quite confident to say the situation did not change much, or at least it did not get fundamentally worse.

While the essence did not change, the scale did, and implications of cybersecurity in our everyday life became easier to notice, and it is a kind of a growth problem which will be affecting us indefinitely long, sure it won’t get any better soon, and yet mankind will survive, but there will be victims, collateral damage, suffering and woes.

3) Where do you go to find your “science” of cybersecurity?

After the secondary school, I gave up “real” natural science to study chimaeras of human invention, computers and cybersecurity in particular. It never ceases to amaze me, but I feel it is most important to always remember that it is about people, not about bytes, electric currents or finite automata.

4) Do you recommend a particular cybersecurity blog that our readers could follow? , for sure! I also enjoy “Top Level Telecommunications” blog (more for fun rather than for any practical purposes)

5) What keeps you up at night in the context of the cyber environment that the world finds itself in?

I am pretty calm. I got used to the fact humans do almost everything in amazingly inefficient and somewhat dangerous ways, but it is our way of living, genetically and socially programmed and it is not always possible to overcome. It does not mean you should give up trying and stop fixing things, of course — but panic and sense of futility does not help anyone.

Thank you kindly Alex Smirnoff for taking the time out of what must be a busy schedule to answer our questions in such a purposeful way.

Interviewee: Alex Smirnoff,

Information security/risk management consulting,

Founder, Glanc Ltd.

Alex Smirnoff – Biography

20+ years of experience in information security.

Specialities: Network security software design, implementation and project management, security governance, security audit and analysis, risks management, vulnerability management, compliance, incidents prevention.