Improving the image of computer security

I’m not big on image, but it means a great deal to many people. One of the best anaesthetists I knew often used to pop in to see patients wearing oil-soaked jeans, tatty trainers, and a scruffy T shirt – hardly the usual hand-crafted suit or operating room rig.

Image is, though, important in the media, and often decisive in the tech industries. Say the right thing the wrong way, and stand by to see others twist your meaning to match their perception of your image. Nowhere has this been more important than in computer security.

For users and consumers, the image of the computer security researcher is charged and ambivalent. Researchers are usually seen as young, brash but shadowy, potentially still malevolent, and persistently disruptive. By publishing details of vulnerabilities, researchers appear to be in conflict with everyone except for the malicious attackers, with whom they remain in cahoots. Underneath, every hat is really black.

This is made more complex by the troilist nature of the relationship: researchers discover vulnerabilities in commercial products; the vendors of those products want customers to keep buying them regardless of security issues; the customers grow uncomfortable about trusting either the researchers or the vendors, and feel that neither really cares about them. It’s even worse than the teacher-pupil-parent triangle.

If security professionals want to change that image, they need to determine their best interests, and learn from other professions. I offer four suggestions which I think could do a great deal to improve the relationship between researchers and consumers, and maybe the computer industry as a whole.

1. Kill the schadenfreude

Security researchers enjoy what they are doing, just as medical practitioners enjoy their work, which involves diagnosing and managing illness. However if you went to see your doctor, and they told you that they were really excited as they had discovered that you had a serious cancer, you would be less than impressed.

There is considerable skill in successfully communicating serious matters without appearing to take glee in them. Security researchers need to learn that and use it, whether talking at press or security conferences, or just among friends. If they really do believe that the vulnerability which they are describing is serious and important, then they should not be seen to revel in its discovery. This doesn’t mean you have to adopt the demeanour of an undertaker, it just requires care.

You should also stop being openly critical of vendors, particularly in accusing them of making dumb or stupid mistakes. I have often apologised to patients on the behalf of others who have screwed up – and I hope when I screwed up and was unable to apologise personally, someone else did that for me. Whilst I don’t make their excuses, I assiduously avoid being critical even when I am shocked at the errors which they appear to have made. Treat everyone with respect, and let the facts do the talking.

2. Look beyond diagnosis and paying customers

Provide advice and help to consumers, who are the people caught in the middle. Using a different analogy, you wouldn’t take your car to a mechanic who could only tell you what is wrong, and say that they will suggest a remedy to the manufacturer.

I know that some researchers are already heavily involved with open source projects, and that a lot of benefit flows from the research community into software and hardware development. But most people see researchers as just finding bugs, disclosing them, and then moving on to research the next topic. Where you are able to do more, let the world know: post explanatory articles on your blog, even a press release, perhaps.

3. Do more practical prevention

If you’re good at discovering vulnerabilities, then you should be able to come up with strategies to prevent such vulnerabilities in the first place. Publish and publicise those too, for the benefit of the engineering community.

Prevention is the big hole in most of Western medical practice: just like researchers with vulnerabilities, most doctors spend most of their time and effort diagnosing and trying to treat disease. The popular adage prevention is better than cure applies to computer security just as much as it does to medicine.

Some researchers put time and effort into developing tools to help detect and deal with security threats, and release them as freeware for the benefit of consumers. This is truly wonderful and not only reflects well on them, but on the research community as a whole. If you cannot do that yourself, at least help and support others who do.

Help specialist journalists and others in the media to publish more and better information about security, particularly preventing problems. When you see articles which fall short, and need to be improved or corrected, don’t just ignore them, or post derogatory comments: be understanding and offer to work with the author to get things right. As far as this blog goes, for instance, I am only too keen to correct the errors which I make; if you would like to write a guest post, you are also very welcome to do so.

4. Work on standards which bring security into the mainstream, not an afterthought

In most industries, even healthcare, safety started with trial and error, went through a learning process, and is now built into the standards to which the industry operates. Although the computer industry probably has more (and more flexible!) standards than any other, when consumers look to standards which can assure them of a product’s security, there is an almost total blank.

You and I know that security is extremely complex, and that products and problems change so rapidly, making the development of effective standards difficult. But without standards, the industry will continue to bump along from one bug to the next, like a drunk sways down a corridor. And standards bring security matters into the heart of hardware and software engineering, so that products are designed to be secure, rather than having their security problems fixed as they become apparent after release.

I hope that these suggestions will engender thought, discussion, and a better future for such an important community.