(Topics: Administration & Security | Back to Home)

The single biggest immediate threat to the American economy, and the world economy in general, is the fragility and criticality of our digital infrastructure.

It may be impossible to overstate this point. At any point, a rogue actor could cause massive damage to the entire country through a network-based attack.

This isn't a theory. It's reality. The Center for Strategic and International Studies maintains a list of “significant cyber incidents” and it is downright harrowing to read [1]. You'll recognize some of of them, like the Colonial pipeline attack in May 2021. That was against one company, but it caused fuel shortages and price spikes throughout the southeastern United States.

There are scores of people working in government and in private industry to defend against these kinds of incursions, but the perimeter is thin and the targets are soft. And while we could dedicate more resources to cyber defense, it's not likely to help much. This is a problem that is embedded in the nature of technological progress. This is about why information technology is not like anything that has come before.

We all know that computers have changed the world. We know there are computers in our pockets, dozens of computers in our cars, computers in our home appliances, and computers on every desk and in every office. But most of the computers in the world are those that we can't even begin to identify, the ones that are running all kinds of routine operations for businesses, organizations, and governments at every level. These are computers that know tons of things about you, from every post you've ever “liked” on Facebook to every purchase you've ever made at Target to every time you walked in front of a particular security camera. Computers are absolutely everywhere.

But that's not what makes them different. Civil engineers have done an amazing job figuring out how to build roads and bridges and buildings, and these are everywhere. Electrical engineers have made electricity and electrical appliances available almost everywhere. Mechanical and aeronautical engineers have built modes of transportation that are unquestionably ubiquitous. And the safety record of roads, bridges, buildings, trains, buses, and airplanes are truly amazing. We know these inventions are built well and highly reliable, and we trust them.

But computers are different: mainly because they are extremely new and advancing at an incomprehensible pace. We've been building roads and bridges for thousands of years. We've been making powered vehicles and airplanes for a century. But a modern computer system is barely more than a decade old. You'd think nothing of living in a house from the 1800s or flying in a plane built in the 1970s. A computer system last updated more than five years ago is almost unusable. And more importantly, it is certainly insecure.

More than one pundit has suggested technology must be stopped through edicts [2]. But that's not how the market works. Computers make a lot of money for a lot of people and do a lot of good in the world. It would be difficult (if not impossible) to slow that down.

The other problem is economic. Computer technologies double in capacity about every two years [3]. Imagine if advancements in materials science meant steel was twice as strong every two years, or the weight of concrete decreased by half in the same period. We wouldn't bother to create buildings to last for generations. In fact it the rush would be to get them completed, knowing they would be replaced before they had to be repainted.

This is why digital infrastructure is fragile. It is being replaced at breakneck speed, so there is not much motivation to build it to last.

The best answer to the cybersecurity threat is for all of us to be prepared for future incidents. As individuals, we would benefit from having a bit more water, food, and fuel on hand. That way we can personally absorb some of the shock of these incidents—while understanding that we cannot prepare for everything.

Institutions, too, need low-tech backups. That means secondary systems which don't rely on cutting edge information technology [4], and additional inventory and reserves. It's also good for there to be so-called “air gapped” computers in place [5] which aren't connected to the Internet or any other networks. This will provide additional security for critical systems. Especially if those systems are only to be used in a crisis.

We are going to get better at cybersecurity, but mostly because eventually traditional computer technology isn't going to advance as rapidly. We will see microscopic electronic circuits reach physical limits, and we will see automated and intelligent software testing get ahead of manual attacks.

As this happens, the arms race will tilt. The good guys will have enough computing power to come up with all of the ways the bad guys might attack, and the good guys will plug those holes. As long as the institutions designing and protecting software systems have more resources and they aren't innovating faster than they can do so safely, we'll see cybersecurity come into line with traditional security.

But for now, we need to acknowledge the risk. It's huge: and the best thing we can do is to be ready to be offline on occasion.

Which is probably good advice for all of us, anyway.

[1] https://www.csis.org/programs/strategic-technologies-program/significant-cyber-incidents

[2] Commentator Tucker Carlson, for example, has suggested banning self-driving trucks to protect the logistics industry.

[3] This is sometimes called Moore's Law, but in general there is a doubling of available network speeds, processor performance, hard drive sizes, etc.

[4] There have been reports that the October 2021 Facebook outage was prolonged because even the electronic door locks on the buildings relied on Facebook infrastructure.

[5] https://www.thesslstore.com/blog/air-gapped-computer/