Principles not products: Why we need more top-down security engineering.
Figure 1: "When we are traitors / And do not know ourselves" (Macbeth, 4.2.18-19)
We must teach principles because BigTech don't have any
In only the last three days Google, Apple, and Microsoft have each been the subject of dispiriting security news stories exposing their deceit and fundamental lack of trustworthiness. Readers unfamiliar with cybersecurity won't know that this is our daily grist, just the latest in a seemingly endless litany of betrayals. We all try to act "unsurprised".
Online conversations in forums like Slashdot, Hacker News, and the blogs of Bruce Schneier and Brian Krebs are becoming noticeably frustrated, thrashing in circles of whataboutism as the tech community realise there really are no "good guys" left to turn to, no harbours on this wild and violent sea.
The ruse of "Other Blaming" - for example, pointing the finger at TikTok as a data collector for the Chinese government - looks empty when every single one of our own companies has its pants around its ankles and its thumb in someone else's pie.
This is why I think the credo of "Principles not products" which I've stood by for my whole career is now more important than ever and why I am doubling down on it as a teaching method.
Once I taught cybersecurity mirroring the OSI model. Layer-1 would be the physical hardware, a foundation which, if untrustworthy, makes everything above it moot. And so on, with layer-2 being microcode/BIOS, layer-3 the bootloader and OS, etcetera. Of course, most people focus on the application and network layers.
A modern outlook adds layers 8 and upward (the personal, organisational and political levels), so as to make sense of social engineering, cybercrime, geopolitical alliances etc.
Most security thinkers seem to pivot around some "economic" centre of gravity, where efficient markets meet "inevitable", singular notions of progress, and in that model layers-8/9/10 accrue from the technological determinism of the lower levels, as surely as poverty or wealth accrues from agriculture, architecture and communication (road, rail etc).
It is a bottom-up view of things. It starts with what we have, picks up the ball and runs off with it, in an ecstasy of technology, without ever asking what the game is. Why are we doing it this way? Is this the only way? It has turned everything in the canon of industrial progress - from building nuclear power plants that are too big to be safe, to road networks that go nowhere, to pesticides that kill us - into a total own goal.
Computer security is the latest in this long line of broken thinking, and I've come to see our entire approach as upside-down.
The tragic death of Ross Anderson last week has affected me a lot and made me reflect hard on what we are really doing in cybersecurity. Ross was one of the few fellows who had the courage to openly ask top-down questions in our field.
I've always started my classes with a different set of fundamental questions. What is security? Why would you want it? For whom? From whom? To what end?
Because if you go at it bottom-up, most people, by the time they've learned about storage, networks, encryption, and protocols, are so exhausted they've forgotten why they're doing it by the time they get to the upper layers. At that point, they just look at a bunch of products and say "Hey, looks like this one meets our needs". And that's it.
They're also in no position to really understand the importance of layer-9: compliance, ISO standards, data protection and so on. These are taught - and uncritically gobbled down - as-is. Students have no context to know why data protection and privacy laws were needed, fought for and hard-won. This also allows vendors to sell "solutions" that look like they tick a bunch of boxes to organisations without a competent cybersecurity team.
With top-down clarity we see that if you start from an assumption like "We'll use Microsoft, Google or some other commercial BigTech products" as a foundation, then you're sunk from the get-go, as surely as if your microprocessor had undocumented malicious instructions.
It is no longer meaningful to ask which of the BigTech products is the most secure. All of the BigTech products are essentially treacherous and deceptive. We can no longer keep track of the lies, leaks, and Darth Vader-style "altering the bargain" that come along with commercial tech products, and the vendors seem intransigent in the face of regulation and fines, which are merely the cost of doing business.
We can no longer ask in good faith "Which of these companies offers the best solution to our cybersecurity problems?" Big Tech companies are the cybersecurity problem. And that's not going to change, not with regulation, or assurances, or fines, or putting CEOs in jail. A radical change of culture is needed.
We must see that getting free of the assumptions at either extreme of the stack is therefore equally important. That's why I think that starting with any product, whether it's made by Google, Apple, Microsoft or Cisco, is already a terrible security decision. We want students to return to basic principles (not products), without which no clear security questions can be considered, and no meaningful decisions can be made.
Many arguments may follow from that, with respect to cost and efficiency, necessity, regulation, compatibility… they are all legitimate and they may lead us eventually to buy computing "products" like Office 365. But that must happen with eyes wide open and must be seen in the light of that initial, fundamental, sceptical enquiry starting at the top.
Why the hell would you ever trust Google, Microsoft, Apple, Amazon, Meta, except for the pressure and belief that "you have no choice"?
You absolutely do have a choice.