Its hard to admit that youve been doing things wrong, especially when youve gotten really good at it. When a company—or even an entire industry—gets built on the foundation of a fatally flawed idea, something really big and obvious may need to happen before people are willing to move together toward a different approach.
I found an excellent example of this behavior in Phillip Windleys newly published book, "Digital Identity," from OReilly Media. Most good computer security metaphors have been overused to the point of dreary familiarity, but Windley critiques the current computer security paradigm with a comparison I havent seen before—and one that I hope will prove persuasive in changing the terms of debate.
"In medieval times," Windley begins, "strong walls and moats surrounded great cities." He observes that the well-secured city gates became serious bottlenecks on market days but that people saw their fortifications as the only way to protect themselves. "The walls were not broken down by enlightened thinking about how markets should work," Windley continues, but rather by the emergence of the trebuchet: the gravity-powered catapult, far more efficient than earlier designs, which made it much more cost-effective to destroy walls than to build them. Security for cities had to be redefined, not in terms of withstanding siege but in terms of active engagement of the enemy.
"Modern corporations are the walled cities of our time," Windley argues, with a siege mentality of defense against cyber-attack—a view that leads to cumbersome and ultimately ineffective measures that are familiar to every IT administrator. At the level of individual users, password expiration and complexity rules lead to Post-it notes on monitors that put peoples passwords out in plain sight; at the level of enterprise installations, firewalls accumulate application-specific exception rules that vitiate their protections.
I agree with Windleys view that theres an expensive arms race in progress between the builders of walls and the builders of siege engines, but I go further in arguing that its going to take a shared perception of catastrophe to break that cycle. Windley opines that it is "commercial enlightenment, rather than a weapon that cannot be withstood," that is getting corporations interested in identity-based security rather than perimeter-based security. Not to give offense to either Windley or to eWEEK readers, but I think he underestimates technical inertia and the tendency to think that doing more is the same thing as doing better. At least in terms of cost-effectiveness, the cyber-walls are crumbling as we speak.
Moreover, I dont confine this argument to the single problem of security. I do recommend Windleys book because it gets the reader to think from the bottom up about why IT security represents an opportunity to build a more competitive online presence rather than being just a cost of doing business. This isnt a revelation here at eWEEK Labs, where we said the same thing in our 2003 year-end issue. Its useful, though, to have a book-length treatment like Windleys that illuminates key technical points without overexposing readers to irrelevant detail.
Id like to broaden the scope of what Ill call the trebuchet argument. It seems like a well-timed contribution in other areas, such as chip design and software development. Weve lately seen a crumbling of the walls around Intels past assertions that faster clock rates measured its superiority, with a new and rather overdue focus on performance per watt of power consumption; weve seen a reorganization at Microsoft that turned out to be the final step of a wrenching process that threw out "Longhorn" and essentially restarted Vista from scratch.
I offer these examples not to criticize either company but to illustrate that change is hard. When youre good at climbing trees, it can be hard to sell the organization on coming back down to start building rockets. Thats what it takes, though, to get to another planet—instead of just getting an incrementally different view of the rock that youre stuck on today.
Technology Editor Peter Coffee can be reached at firstname.lastname@example.org.