It’s interesting to compare progress in Computer Security with progress in Medicine Science. Think of computing technology as being analogous to the human body, and under attack from multiple potentially damaging external forces. Of course we have for years talked about computer “viruses”, so the comparison is a natural one.
So if we were to look at progress in medical science and progress in computer security, hoping to draw optimistic conclusions from the comparison, what would we find?
Medical science has had a catastrophic history. For centuries it killed more than it cured, and did a lot more harm than good. Instead of a story of inexorable, relentless, heroic and glorious progress led by generations of insightful geniuses (as some medical historians and sloppy TV documentaries like to tell it), it was in fact (until very recently) a history of unbelievable stupidity, superstition, cock-ups, led by a cast of charlatans and incredibly dim-witted individuals. In short its a history of unmitigated disaster, which reflects very poorly on our species and its efforts at scientific improvement.
I only really fully appreciated this from reading David Wooton’s book “Bad Medicine” (Oxford University Press). What an eye opener! Read the book and discover how bloodletting was still used as a serious medical treatment up until about 1850. But one short anecdote will suffice for now.
Prior to 1800 all surgery took place without anaesthetic. In 1795 the value of nitrous oxide (laughing gas) as a very effective anaesthetic was discovered, and published. Then.. nothing happened. Surgeons continued for the next 50 years to operate without any anaesthetic. Eventually a dentist in an obscure American backwater, Dr. Horace Wells, started to use nitrous oxide to perform painless dentistry. His efforts to have the blindingly obvious accepted by the medical establishment fell on deaf ears, and eventually they drove him to suicide. Surgeons slagged it off as the “Yankee Dodge”, and spurned to use it. Finally it was widely adopted after that. But think of it - 50 years of unnecessary agony!
How to make sense of the delay? Wooton suggests we could look at “the role of emotions, the limits of imagination, the conservatism of institutions” but still wonders “what it was like to have become so accustomed to the screams of patients that they seemed perfectly natural and normal; so accustomed to them that you could read with interest about nitrous oxide, could go to a fairground and try it out, and never imagine that it might have practical application”.
Many computer security professionals can probably relate to this when they recall the screams of their unfortunate customers…
And I have certainly been astonished at the continued prevalence of primitive mechanisms like Username/Password as a solution to the problem of user authentication. This is surely analogous to bloodletting, or operating without an anaesthetic. More generally we are happily using the PKI (Public Key Infrastructure) to secure the internet based on the technology of the 1970s, and blithely ignoring the research discoveries of the last 50 years.
As far as computer security is concerned it would appear that we are more or less where medical science was in the mid 1800s. Still trapped in the dark ages. But having waited for that same 50 year period, hopefully our industry is finally ready to gain traction and make some real progress.
Addendum: There is a surely a delightful irony to be found in the recent global ransom-ware attack that attacked vulnerable computer systems world-wide. Like all viruses it had most success with the weakest. And who were the weakest and most ill-prepared? Health services (like the UK National Health Service)!
