
Hanlon’s Razor and Government Spying

Hanlon’s Razor says “Never attribute to malice that which is adequately explained by stupidity.”

There’s a lot of content out in the world on the NSA, government spying and Snowden. *A lot* of content. There was a sentence in this blog post that stood out to me, primarily because someone tweeted it.

“[I]f we ever found out just how insecure the Internet is, we would all take our ball and go home.”

The blog post itself is deep into the conspiracy theory that the government is just pulling the wool over our eyes and allowing us to believe we’re making progress.

“After all, if it were so easy to hack into systems to steal sensitive data, the house of cards would quickly fall. But perhaps those in power realize this and severely regulate their tools to be used only when needed. That way, the rest of us IT security professionals would naively play along, keeping busy downloading worthless security patches and updating outdated virus signatures.” But but, if they knew that we know, then they’d have to … oh wait.

I’m all for a good conspiracy, but it just doesn’t pass the Hanlon’s Razor test for me. It seems much more likely that while there’s some clear intent to collect vast amounts of data on the part of the NSA (renaming a program doesn’t really make it go away), the majority of the Government isn’t coordinated or cooperative enough to engage in that kind of a coverup for that long.

That’s not actually what I wanted to talk about, however. What’s underneath this sentiment is the incredibly damaging notion that the goal of information security is to be secure. It’s simply false, and leads to more conflict and confusion in information security than just about anything else. Except in some particular cases, information security should be about risk management, about running a business in a world full of risk. What’s really far more astounding is that businesses continue to succeed, make money and deliver services despite the fact that the Internet, and technology in general, are so “insecure.” It should make us wonder, really, how “secure” you have to be to be successful. And that should drive, in turn, an approach more focused on the business than the technology.
