I’ve mostly been writing about contemporary events or reports. Let’s go back 38 years, to 1966, and listen to U.S. Secretary of Defense Robert S. McNamara speak in Montreal, after he got over his earlier enthusiasm for applying scientific management and engineering to the military, and as he saw a different path forward:
“There is still among us an almost [in]eradicable tendency to think of our security problem as being exclusively a military problem–and to think of the military problem as being exclusively a weapons-system or hardware problem.”
This seems a lot like our contemporary Internet security problems: we have an ingrained tendency to think of them as technical problems. We keep adding more defensive systems, and sometimes things like spam blocking lists that amount to offensive systems.
Yet, as McNamara pointed out:
“The plain, blunt truth is that contemporary man still conceives of war and peace in much the same stereotyped terms that his ancestors did.
“The fact that these ancestors, both recent and remote, were conspicuously unsuccessful at avoiding war, and enlarging peace, doesn’t seem to dampen our capacity for cliches.”
Internet security problems keep getting worse no matter how many firewalls and patches and intrusions detection systems we throw at it. These things are all necessary, but they are not sufficient.
“A nation can reach the point at which it does not buy more security for itself simply by buying more military hardware. We are at that point. The decisive factor for a powerful nation already adequately armed is the character of its relationships with the world.”
McNamara goes on to say security is development, and to define development as economic, social, and political progress. I don’t think we can push our analogy that far. Crackers will attack just for the hell of it.
However if we abstract his point slightly, we can see the analogy. Some security problems are beyond the capabilities of a single company, no matter how large and capable the company. The power grid can fail; the telephone system can fail; and the Internet can fail. No single company can prevent those things, nor hurricanes, tornados, fires, and floods.
In the politics of nation-state security, McNamara says development is the answer and sometimes military force is needed to provide order so development can happen.
In corporate Internet security, other means are available, just as they have been since the seventeenth century: insurance and its relatives. A corporation can ameliorate its risk by pooling it with similar risks of other corporations by buying insurance, or using other financial risk-transfer instruments.
McNamara also said:
“The plain truth is the day is coming when no single nation, however powerful, can undertake by itself to keep the peace outside its own borders. Regional and international organizations for peacekeeping purposes are as yet rudimentary, but they must grow in experience and be strengthened by deliberate and practical cooperative action.”
In Internet security, cooperative action can include reputation systems such as the incident reports by CERT and US-CERT. It can also include more direct action by groups such as the Anti-Phishing working group.
The main point is the same as McNamara’s: companies can’t go it alone anymore in Internet security; various forms of cooperation are needed. These forms are new Internet risk management strategies, including financial risk instruments and reputation systems.
The following year McNamara resigned from the U.S. government and became president of the World Bank, attempting to implement what he recommended. (Whether the World Bank has succeeded is another subject.)
This speech by McNamara is surprisingly hard to find online; thanks to Dave Hughes for making it available:
“Security in the Contemporary World,”
Robert S. McNamara, U.S. Secretary of Defense,
before the American Society of Newspaper Editors,
Montreal, Canada, May 18th, 1966
It is apparently also recorded in the Congressional Record, May 19, 1966, vol. 112, p. 11114.