zlacker

[return to "A case against security nihilism"]
1. dfabul+Ng[view] [source] 2021-07-20 20:41:22
>>feross+(OP)
The article says that although "you can't have perfect security," you can make it uneconomical to hack you. It's a good point, but it's not the whole story.

The problem is that state-level actors don't just have a lot of money; they (and their decision makers) also put a much much lower value on their money than you do.

I would never think to spend a million dollars on securing my home network (including other non-dollar costs like inconveniencing myself). Let's suppose that spending $1M would force the US NSA to spend $10M to hack into my home network. The people making that decision aren't spending $10M of their own money; they're spending $10M of the government's money. The NSA doesn't care about $10M in the same way that I care about $1M.

As a result, securing yourself even against a dedicated attacker like Israel's NSO Group could cost way, way more than a simple budget analysis would imply. I'd have to make the costs of hacking me so high that someone at NSO would say "wait a minute, even we can't afford that!"

So, sure, "good enough" security is possible in principle, I think it's fair to say "You probably can't afford good-enough security against state-level actors."

◧◩
2. bitexp+dh[view] [source] 2021-07-20 20:43:32
>>dfabul+Ng
Most organizations should not really be factoring state level actors into their risk assessment. It just doesn't make sense. If you are an actual target for state level actors you likely will know about it. You will also likely have the funding to protect yourself against them. And if you can't, that isn't a failing of your risk assessment decision making.
◧◩◪
3. titzer+pn[view] [source] 2021-07-20 21:13:32
>>bitexp+dh
Meanwhile, the biggest state-level actors are developing offensive capabilities at the scale of "we can wipe out everything on the enemy's entire domestic network" which includes thousands of businesses of unknown value. The same way strategic nuclear weapons atomize plenty of civilian infrastructure.

Sure, in that kind of event, an org might be more concerned with flat out survival. But you never know if you'll be roadkill. And once that capability is developed, there is no telling how some state-level actors are connected to black markets and hackers who are happy to have more ransomware targets. Some states are hurting for cash.

[go to top]