The Battlefield is Everywhere
Cyber warfare is an existential threat. What should we do about it?
Francis Fukuyama was wrong about the ‘end of history.’ Violence is still in play, and global conflict seems to be escalating, whether we like it or not. The West’s adversaries have stepped up their game on the cyber front. North Korea is rumored to be funding their nuclear program by hacking DeFi protocols. Russia has terrorized Ukraine with attacks on its power grid, and the CCP is making use of TikTok to spy on dissidents and journalists.
Consider this passage from Unrestricted Warfare, a book of translated documents from two colonels in China’s People’s Liberation Army (PLA). Note that this book is from 1999, well before cyber warfare was on most people’s radar:
“Does a single ‘hacker’ attack count as a hostile act or not? Can using financial instruments to destroy a country’s economy be seen as a battle? Did CNN’s broadcast of an exposed corpse of a US soldier in the streets of Mogadishu shake the determination of the Americans to act as the world’s policeman, thereby altering the world’s strategic situation?”
“When we suddenly realize that all these non-war actions may be the new factors constituting future warfare, we have to come up with a new name for this new form of war: Warfare which transcends all boundaries and limits, in short: unrestricted warfare. ”
“This kind of war means that all means will be in readiness, that information will be omnipresent, and the battlefield will be everywhere”
Those last few words are ominous. The battlefield will be everywhere.
I’ll warn you, the first half of this post will not read as ‘optimistic.’ But I believe that it’s important to acknowledge truth. The second half of this post will highlight potential solutions and the people & companies working to bring them to fruition.
The (Digital) Faustian Bargain
The last 30 years have been about efficiency. Globalization has led many, many people out of poverty, but it has also eliminated redundancy to a degree that makes global supply chains fragile. Information technology has greased the gears of global commerce, allowing us to connect to each other from anywhere and do things like monitor critical industrial systems remotely. However, it has also opened us up to new kinds of risks that we weren’t cognizant of when we first started out on this journey.
As Joshua Steinman, a former US National Security Council member and industrial cybersecurity founder, said in a talk earlier this year:
“Over the past thirty years, the West has embarked on [a] terrifying project: to turn nearly everything that is not a computer into a computer. Cars, coffee mugs, factories, [and] football stadiums.”
“Embedded compute has produced fantastic efficiencies. But removing humans has meant trading predictable downtime - people get sick - for the unpredictable downtime of digital catastrophe.
In the late 90’s and early 2000’s, cyber attacks against industrial facilities were the stuff of Hollywood.
By 2010, elegant computer viruses destroyed a key Iranian nuclear facility, and illustrated to the world just how vulnerable digital equipment was to remote sabotage.”
I believe Josh is right in his analysis, and I’ve decided to dedicate an entire post to essentially unpacking this portion of his talk, and walking through what we can do about this. This piece is divided into two parts.
The point of the first half of this article will be to show you that cyber is a very serious threat - perhaps even more serious than you might already think it is, because:
a) There is more motivation for cyber attacks than ever before
b) It has never been easier to carry out an attack against an organization
c) The impact of an attack is uncapped
In the second half, I’ll walk through some potential solutions and areas I think we can work on.
Cyberspace as an Ongoing Theater of War
Now that we’ve connected so much critical physical infrastructure to the internet, we have to defend it against threats that weren’t there two decades ago. Power grids, water treatment plants, steel mills, and hospitals are now, by default, on the battlefield in cyberspace. The enemy might be the stereotypical black hat hacker working alone in their basement, or it could be a nation state that sees your company as a chess piece in an infinite theater of war.
The West (i.e. US and NATO) seems to view war as a binary thing. This binary view permeates the way that we talk about war and what we perceive as warfare. You’re either at war, or at peace. If we want to go to war, then Congress can vote to formally ‘Declare War’ and the US military can ‘mobilize’ troops in a large, formal logistical operation. Unrestricted Warfare paints a different picture. What if war exists on a spectrum? What if it were always brewing, and traditional formalities didn’t matter?
America has the most powerful military in the world from a traditional standpoint. The US spends far more on aircraft carriers, missiles, and fighter jets than any other country in the world. No one wants to fight a hot, industrialized war with the United States. A far better tactic for its adversaries is to weaken the US to such a degree that it doesn’t even want to pick up arms in the first place, or to at least fight it in a domain where it can’t use this physical might. Consider these other passages from Unrestricted Warfare (emphasis on certain lines is mine).
“Technological progress has given us the means to strike at the enemy’s nerve center directly without harming other things, giving us numerous new options for achieving victory, and all these make people believe that the best way to achieve victory is to control, not to kill.”
“The new concept of weapons will cause ordinary people and military men alike to be greatly astonished at the fact that commonplace things that are close to them can also become weapons with which to engage in war. We believe that some morning people will awake to discover with surprise that quite a few gentle and kind things have begun to have offensive and lethal characteristics”
“the new principles of war are no longer ‘using armed force to compel the enemy to submit to one’s will’ but rather are ‘using all means, including armed force or non-armed force, military and non-military, and lethal and non-lethal means to compel the enemy to accept one’s interests’”
Consider that this has been the worldview of PLA decision makers over the past few decades. Now consider that we have, as Steinman said, effectively connected all of our heavy industries & critical infrastructure to the internet. If you’re a company that provides a critical service to a Western economy or government, you must understand that you may be the target of a nation state that has thousands of people working around the clock to hack companies like yours. And as we’ll see, these hacks can pack a greater punch than ever before.
A Lone Hacker Can Do Incredible Damage
The internet is a place of leverage. Silicon Valley is littered with success stories of small teams who produced outsized, globally impactful results. Instagram had 10 employees when it was purchased for $1B by Facebook. One person launched Bitcoin.
This applies to the realm of security as well. It’s rumored that many of the exploits which have happened in crypto are done by lone rangers, and one man even took down the internet of an entire country.
According to this Wired article, several years ago, an American security researcher who goes by the handle P4X was a victim of a North Korean cyber attack as a part of a larger initiative by the country to target Western cybersecurity professionals. The lack of visible response by the US government to this action left P4X angry, so he decided to go after the Hermit Kingdom himself. From Wired:
“responsibility for North Korea's ongoing internet outages doesn't lie with US Cyber Command or any other state-sponsored hacking agency. In fact, it was the work of one American man in a T-shirt, pajama pants, and slippers, sitting in his living room night after night, watching Alien movies and eating spicy corn snacks—and periodically walking over to his home office to check on the progress of the programs he was running to disrupt the internet of an entire country.”
You can be hit from anywhere in the world, whether it’s a competent individual or a nation state. And unfortunately, it’s getting easier for attackers to do their job.
Cost of Attack is Plummeting
Unfortunately, much of the modern workforce still struggles to wrap their minds around the implications of these threats. Most ransomware attacks happen as a result of phishing. These phishing attempts are more successful than most companies would like to admit. Most attacks happen as a result of simple human error: an employee forgets to turn on 2FA, uses a weak password, or clicks on a link in a phishing email. Some social engineering attacks are really sophisticated, but there are many dumb mistakes that people still fall for.
There is a major asymmetry between the digital skillsets of nation state sponsored hackers, and employees at most organizations. Most senior employees at today’s large institutions are older, and older people are the most likely to fall for things like phishing attacks. They did not grow up with the internet or digital technology, and many of them have not fully learned how to operate in the increasingly adversarial world of cyberspace. This is a problem that is likely to get worse with things like generative AI and deep fakes. No grandma, this is not Tom Cruise:
In the world of cybersecurity, offense is usually easier than defense. Only a few minutes of audio and video of you speaking somewhere on the public internet is all that’s needed to create a near perfect deep fake video of you.
What if someone calls you from a spoofed phone number who sounds like someone you know at your company, but it’s actually a malicious actor who wants to extract sensitive information? How long will it take for organizations to develop practices & organizational habits to properly respond to this threat?
Remote work also creates new attack vectors. You’re relying on your employees to do their work on secure networks, but what if they go to their local coffee shop to work for the afternoon? And what about physical security? Most employees are unlikely to be the target of a physical attack, but if a terrorist or agent of an adversary government knows you work in IT for a major oil and gas company and they see you at a coffee shop - don’t they have an incentive to use physical force to gain access to your laptop?
A final scary problem is that most companies have a hard time discovering that they’ve even been hacked in the first place. There is a decent chance that there are mission critical systems that have hackers or foreign entities lurking in the shadows as you read this. Take the SolarWinds hack for instance - some intelligence analysts estimate that Russian intelligence was snooping around in the servers of US government agencies and Fortune 500 American companies for up to 14 months before security professionals were able to snuff them out.
The Cost of Attack is Unlimited
To understand why the damage an attack can cause is effectively unlimited, let’s look at some of the recent cyber operations in the industrials, healthcare, and utilities sectors. The tail risk associated with these attacks makes it very hard to evaluate their true risk, and also has major implications for the cyber insurance market, which we’ll explore later.
Remote Industrial Attacks
A country’s ‘industrial base’ is a broad, overarching term for all of the physical stuff that a nation produces and maintains which is essential for day to day life: power grids, steel mills, oil refineries, food plants, and a wide array of factories working day and night to produce the things that the economy consumes daily. Now that software has eaten the industrial base, critical infrastructure is vulnerable to remote attacks.
In 2007, a team of researchers performed a secret proof of concept: they blew up a $300,000 generator from over a mile away with just 27 lines of code. The whole article on this is worth a read, but this proof of concept has seen live action several times since.
Here’s the declassified video footage of that 2007 test:
These sorts of attacks on physical infrastructure have actually been carried out in the years since the 2007 proof of concept. Someone (possibly the US + Israel) targeted an Iranian nuclear plant with the Stuxnet virus via a malicious flash drive. That which used to be sci-fi is now being done regularly:
Healthcare Is An Unfortunate Target
Hospitals have been hit as well. According to a report on the state of the cybersecurity insurance industry by the Government Accountability Office (GAO), the healthcare industry has been under relentless attack in the last 2 years:
“The healthcare industry rapidly moved to digital while the virtual work environment expanded. In 2021, nearly 50 million people in the U.S. faced a breach of their personal health information, the highest number to date. Healthcare data breaches have tripled over the past three years. The healthcare industry’s move to digitized health records helped to accelerate these breaches.”
It’s not just personal health data that has been impacted either. Many attacks have directly influenced the day to day operations of healthcare providers. Apparently there have been enough cyber attacks on hospitals to run a survey, and it showed that mortality rates increased at hospitals that were hit with attacks. The survey is fairly comprehensive, and quite sturdy & transparent in its methods (you can read it here). One interesting finding is that the area of largest concern for healthcare providers is insecure medical devices. Hospitals have tens of thousands of connected medical devices used within care, such as insulin pumps and pacemakers.
These medical devices have likely increased productivity in hospitals, and they even have a name: the IoMT, or Internet of Medical Things (Thanks Deloitte!). But unfortunately, when you connect a medical device to the internet, that device enters the infinite front: the theater of cyberwar. Are the productivity gains worth the threat of a malicious actor being able to hack and remotely control or monitor a pacemaker? (Note that it would be quite hard to hack a pacemaker, but this video from a few years ago explains that it is theoretically possible.)
Attacks on Utilities May Be The Greatest Risk
There have also been multiple attacks on water treatment facilities in the US. There are 50,000 water treatment plants throughout the country, most of which employ software which allows employees to manage their facilities remotely. Unfortunately, this has the effect of making exploits more impactful. There are multiple reports of employee accounts being hacked and used to attempt to poison community water supplies.
One of these events occurred in the SF Bay Area, where an employee account was hacked and used to delete programs responsible for the cleaning of drinking water. Another event happened in Oldsmar, Florida, where an employee acted on the spot once he saw his mouse move without his control. The ghosts in the machine were attempting to flood the city’s water supply with poisonous levels of lye.
Alrighty, so cyber warfare can blow up steel mills, hack medical devices, and poison water supplies. Maybe we can at least buy insurance to protect ourselves from some of the financial risks?
Yeah, this would normally work out fine. But the cyber insurance market isn’t doing so hot.
Insurance Is a Question Mark
In 2017, Russia launched a cyber attack on the Ukrainian equivalent of TurboTax. Many, many businesses that operate in Ukraine use it for filing their taxes. But this virus was no ordinary virus: it spread around the world and impacted the IT operations of countless companies. Many of the firms impacted were massive, multi-national enterprises vital to the world’s economy. Merck (producer of cancer, diabetic, and HIV prevention drugs) had its manufacturing operations disrupted, Maersk (the world’s largest maritime shipping company) was unable to process shipments, and FedEx’s European subsidiary was massively impacted as well. Some government agencies around the world were also hit.
The US government estimated that the attack caused a total of $10B in damages. A former homeland security adviser called the move by Russia “the equivalent of using a nuclear bomb to achieve a small tactical victory.” (If you want to read about the NotPetya attack in its entirety, this piece from Wired is excellent)
Mondelez, the parent company of Nabisco & creator of famous snack brands such as Oreos and Wheat Thins, lost an estimated $188M as a result of the NotPetya attack. They held a cyber insurance policy, but their claim was denied on the basis that the NotPetya attack was an act of war, something not covered in their policy. Merck’s claim was denied by the same insurance provider. Mondelez & Merck filed lawsuits as a result. These cases dragged out for nearly 5 years, but Merck won their $1.4B case in 2022, and Mondelez reached a settlement with Zurich just a few months later. To understand why Zurich denied the claims, and why their loss in court is such a big deal, we need to think a bit more about the nature of cyber attacks themselves.
Going Viral
Blowing up on the internet is not limited to the domain of cat videos and engaging tweets. The term ‘viral’ has the same root as ‘virus,’ and we don’t tend to associate viruses with good things. NotPetya went ‘viral’ in a pure sense of the word. What started in a few little servers in a Ukrainian office building traveled far and wide.
This was an act of war by Russia on Ukraine, but it had unbelievable consequences for many companies and governments that were completely unrelated to the Russia/Ukraine conflict. If you had an ice cream shop in Baghdad during the mid 2000s, it was clear that you were in the proximity of war. But with NotPetya, the internet was the theater, and we’re all connected to it. Chicago, New Jersey, Copenhagen, places where major supply chain disruptions occurred and billions of dollars were lost, were far from any domain of physical violence.
Let’s quickly revisit one of those ominous quotes from Unrestricted Warfare:
“The new concept of weapons will cause ordinary people and military men alike to be greatly astonished at the fact that commonplace things that are close to them can also become weapons with which to engage in war. We believe that some morning people will awake to discover with surprise that quite a few gentle and kind things have begun to have offensive and lethal characteristics”
Those “gentle and kind” servers sitting in a little Ukrainian office building were converted into weapons that, when detonated, spread collateral damage to people sitting thousands of miles away.
Some speculate that NotPetya was about more than Ukraine. They believe it was meant to send a message to everyone who had the gall to do enough business in Ukraine to use Ukrainian accounting software. Whether or not they’re right, we must acknowledge that the attack served as a proof of concept of sorts. You can wreak havoc on the other side of the world without firing a single shot.
With this as our backdrop, you can’t blame insurance providers. How in the hell do you assess the risk of an event that happens frequently, can emerge any time and anywhere, and yet cause an uncapped amount of damage regardless of whether you are 5 feet or 5,000 miles away from ground zero?
Most insurance policies - whether they’re homeowners insurance, business insurance, or even life insurance - don’t cover acts of war. You can buy war extensions in some parts of the world under some conditions. Cyberwar though, is a bit more of a gray area. Cyberspace has no clearly defined borders, and an attack can proliferate through the world at light speed. All of this makes it a nightmare for contract law, and due to the potential for unlimited damage, extremely hard to underwrite as an insurer.
All of this is leading to a rise in the cost of cyber insurance. It’s estimated that from Q1 2021 to Q1 2022, cyber insurance premiums increased by 28%. This dynamic is likely due to get worse because:
The cyber insurance market has relatively low competition (unlike homeowners, life, or auto insurance)
Cyber insurance is extremely hard to price because it’s tough to evaluate risk
Potential losses are uncapped in almost every scenario. Providing cyber insurance when things like NotPetya are possible is like having a Hurricane Katrina level threat anywhere in the world at any time of year that could be triggered by one employee, one virus, or one hacker.
The fact that Mondelez and Merck won their cases against Zurich is a double edged sword for the industry. On the bright side, it forces insurance firms to re-evaluate ‘acts of war’ and draft clearer language regarding what does and does not constitute coverage. But the downside is that it might deter insurance providers from even offering cyber coverage in the first place.
The Government Accountability Office (GAO) has done some comprehensive research on the state of the cyber insurance market. Dan Garcia-Diaz, a director at the GAO, commented on this dynamic, saying that this is already happening:
“One insurer reported that it opted not to insure the energy sector because of its vulnerability to attacks and because of concerns that energy operators do not follow robust cyber security protocols. Another insurer stated that its appetite to provide coverage to certain industries — including electric grid operators and airlines — is limited.”
All of this is going to have second order effects. Premiums might get so high that small to medium sized businesses will opt to forgo cyber insurance altogether. And in the even more unfortunate case, many types of businesses won’t even be able to find a provider who will cover them at all.
This means that businesses are increasingly on their own to defend against cyber risks. It will also mean that businesses will be incentivized to deal as little as humanly possible with sensitive user data (a major shift from a time when many businesses try to collect every piece of arbitrary data possible). There are more downstream consequences of this dynamic, some of which we’ll address in part 2 of this post.
If you want to go deep on the state of the cyber insurance market, I’d recommend reading the entirety of this report from the GAO. The report is from October of 2022.
So What Can We Do About This?
This all started with the ‘digital transformation.’
It’s been the buzziest phrase of the technology consultant industrial complex over the past decade. Everything went digital, and it created a real efficiency boost.
The consultants have actually been mostly right about the efficiency gains. The economy is probably better off as a result of our ongoing digital transformation. But it’s come with security tradeoffs and fragility. Cyber warfare is a black swan risk.
The answer is probably not to go back to pen and paper. Digital transformation is likely a one-way track. We need to figure out how to:
Harden our digitally connected systems against attacks
Limit the surface area of any single attack
Develop a cyber insurance market that is capable of supporting new demand for protection
Train new cybersecurity professionals to be able to build the software, processes, and systems needed to win the cat and mouse game against adversaries
Hardening Existing Systems With Better Software & Tooling
Hardening existing systems technically starts with writing better software. But the reality is that people make mistakes, and priorities are difficult to manage within companies. Focusing on security alone will prevent a firm from being able to ship new features which keep a platform competitive in the market.
It’s important to balance these concerns, and also to invest in tools that help with monitoring and prevention.
The cybersecurity software market is saturated and filled with quite a few large claims. Matthew Holland, serial cybersecurity entrepreneur and former Canadian intelligence agency operator, dove into this on an episode of Farnam Street a couple of years ago.
In short, Holland believes that most cybersecurity software companies are overstating their ability to provide services, and are giving their clients a sense of false security.
I’ve also seen first hand a lot of borderline unethical marketing tactics from cybersecurity sales teams and agency owners. For example, people will (falsely) tell you that they’ve found a compromise in your tech and try to get you to take a meeting with them to fix it. Many times these claims are either overblown or borderline false. The industry seems to run on fear tactics.
But this doesn’t mean that we don’t need good cybersecurity software. There appear to be some great tools on the market, and new technologies are reaching maturity which might help us play defense. Deep learning is great for finding patterns in unstructured data, which can in theory be really helpful for anomaly detection & threat intelligence. Even some of the research coming out of the crypto boom seems like it’s helpful here. Cryptography advancements in zero knowledge proofs & public/private key management might help solve many problems of data privacy and 2FA errors. Maybe in a subsequent post, I’ll go through some of the specific companies and technologies that are most useful.
Limiting Surface Area
I have a friend in the crypto world who calls every smart contract a ‘non-consensual bug bounty.’ In other words, anyone can see when a contract (i.e. program) deployed on a blockchain holds funds, and if they identify a vulnerability, there is an immediate reward to exploiting it.
In the traditional cyber world, there is an incentive to exploit systems, then hide out for a while. When the goal is espionage, as in the case of the SolarWinds breach, it makes sense to stay in the shadows for as long as possible, or to at least wait for a prime moment to strike. Crypto is different. Hackers exploit vulnerabilities the moment they find them because there is often a huge amount of money involved, and any second wasted is time that the original developer might use to patch the mistake or tell users to withdraw funds.
One idea that some cyber teams are implementing is known as ‘honeypotting’: providing ways for hackers to immediately earn moderate sums of money should they find an exploit. This may a) catch the hackers in the act and b) act as an alarm that alerts a company that it has been hacked. This sort of tactic is unlikely to work on a motivated nation state, but may be effective against rogue hackers and cyberterrorist groups.
In the case of industrial systems however, it could be worth temporarily unplugging where possible, or at least developing contingency plans which involve pen and paper in the event of a shutdown. But, even though it would enable long term robustness, disconnecting some large industrial systems from the internet is unlikely to happen, partially because it would almost certainly create short term inefficiency.
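The ‘alarm’ half of that idea is the part any defender can run today without paying anyone: plant decoy credentials and decoy resources that no legitimate user or system ever touches, and treat any use of them in your logs as a high-confidence breach signal. The following is an added example, not code from the original post or from any vendor; the decoy values, the log format, and the sample log lines are all constructed for illustration.

```python
"""Honeytoken alarm: flag any use of decoy credentials or decoy resources in access logs.

Added example. The decoy values and the log format are assumptions made for this
illustration, not a real product's format.
"""
import re
from dataclasses import dataclass

# Constructed decoy identifiers. Nothing legitimate ever uses these, so a single
# appearance in a log line is a high-confidence signal that someone is poking around.
HONEYTOKENS = {
    "aws_key": "AKIAHONEYPOT0000EXAMPLE",        # placeholder decoy key id, not a real credential
    "db_user": "svc_backup_legacy",               # decoy account with no legitimate login
    "url_path": "/admin/export_all_customers",    # decoy endpoint that nothing links to
}

# Assumed log shape: "<timestamp> <source_ip> <event_kind> <free-form detail>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<kind>\S+) (?P<detail>.*)$")


@dataclass
class Alert:
    timestamp: str
    source_ip: str
    token_name: str
    evidence: str


def scan_log(lines):
    """Return one Alert per (log line, honeytoken) match, preserving log order."""
    alerts = []
    for raw in lines:
        line = raw.strip()
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these too
        for name, token in HONEYTOKENS.items():
            if token in m.group("detail"):
                alerts.append(Alert(m.group("ts"), m.group("src"), name, line))
    return alerts


def summarize_by_source(alerts):
    """Group alerts by source IP so one intruder touching several decoys is one incident."""
    summary = {}
    for a in alerts:
        summary.setdefault(a.source_ip, [])
        if a.token_name not in summary[a.source_ip]:
            summary[a.source_ip].append(a.token_name)
    return summary


# Constructed sample log: two benign lines from an internal host, then an outside
# address trying the decoy account and decoy endpoint, then another using the decoy key.
SAMPLE_LOG = [
    "2023-01-04T10:02:11Z 10.0.4.17 http GET /dashboard 200",
    "2023-01-04T10:02:40Z 10.0.4.17 auth login user=alice ok",
    "2023-01-04T10:03:02Z 198.51.100.23 auth login user=svc_backup_legacy FAIL",
    "2023-01-04T10:03:05Z 198.51.100.23 http GET /admin/export_all_customers 403",
    "2023-01-04T10:09:55Z 203.0.113.9 api call key=AKIAHONEYPOT0000EXAMPLE action=ListBuckets",
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(f"ALERT {a.timestamp} from {a.source_ip}: decoy '{a.token_name}' used -> {a.evidence}")
    print(summarize_by_source(found))
```

Note that the decoy login fails and the decoy endpoint returns 403: the tokens do not need to grant anything to be useful, because the alarm is the attempt itself. The main design choice is that matching is exact-string on values that cannot occur by accident, which keeps the false-positive rate near zero; the price is that you must keep the decoys out of documentation, backups, and test fixtures, or your own staff will trip the wire.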
Corporate America seems to suffer from a kind of institutional myopia about the dangers of hyper-efficiency. Consider the incentives at play: Wall Street focuses on quarterly earnings, the average tenure of a C Level executive is 5 years, and executives are compensated almost entirely via stock options. Throughout the last 30 years, when faced with decisions about whether or not to enable long term survival against unlikely events or short term growth, they chose the growth. This focus on short term profitability has been great for F500 executives and the stock market, but it has created a kind of deep fragility that was not there before the world was so globally connected. The problem is not the internet or globalization - both of those things have done some incredible things for the world. The problem is taking both of these things to their absolute limit: pushing globalization to the point where there are single points of failure in supply chains and connecting systems to the internet before we were truly ready for it.
One thing we’ve learned during the NotPetya attack, COVID, & the Russia/Ukraine war is that just-in-time supply chains can be dangerous during disruptions. Most of the world has been able to manage so far, but a little more redundancy could be healthy.
Develop a Cyber Insurance Market
Prior to 9/11, acts of terrorism were generally covered as a part of most insurance policies without much additional cost to policyholders. But after the attacks, insurance against acts of terror became either ridiculously expensive, or entirely unavailable. This is understandable, but insurance is often a requirement for certain types of business transactions. For example, no one wanted to break ground on new construction projects without first having terrorism coverage.
So, as a response, Congress passed TRIA (the Terrorism Risk Insurance Act). This act guaranteed that the federal government would act as a backstop in the event of a foreign terror attack in the future, covering up to 80% of the damages in some cases. This gave the insurance market the confidence to begin offering terrorism insurance at reasonable prices once more, and helped the economy to get back to normal (note that TRIA money has never actually been paid out because no terrorist attack since 9/11 has fit the criteria).
Cyber terrorism is covered under TRIA, but it’s unlikely that the TRIA framework can be effectively applied to cyberspace. One reason for this is that, with cyber attacks, attribution is often murky. For example, there are quite a few hacker groups in both Russia and China which aren’t officially part of government, but seem to carry out attacks against the adversaries of these two nations. After NotPetya (which most Western governments attributed to Russia as an act of war against Ukraine), Putin denied any responsibility. In his own words:
Boys will be boys. Hackers gonna hack?
There are events which can happen here that fall outside of any existing insurance framework. NotPetya was an attack between two foreign nations that created collateral damage in other places. Other attacks might be acts of war that look like acts of terrorism. It might be good to include an extension to TRIA which gives clear guidance for the cyber market.
The solution to these problems is not ‘more insurance,’ but it may soon be a requirement for many business transactions to have cyber insurance. As attacks continue to increase in scope and magnitude, we don’t want cyber coverage costs to be a constraint on the economy.
In the meantime, rising insurance costs will mean that companies are going to have to take additional steps to show that they’re doing what they can to prevent attacks. They’re likely to face greater degrees of scrutiny from their insurance providers. Are they training employees on how to properly identify phishing emails and avoid ransomware attacks? Are they using cybersecurity software effectively? What about customer data?
These forces are going to make companies less likely to collect and abuse your personal data, and they’re going to make them far more skeptical of vendors who want to sell them tooling which manages that personal data or connects previously unconnected systems to the internet. It may slow the ‘digital transformation.’
Train new cyber pros
We know that the average employee needs more training to handle cyber threats. Most people have had to sit through basic cybersecurity training sessions on things like identifying a phishing email, but there are relatively few people who have the multidisciplinary skillset needed to be cybersecurity professionals.
Even for most software engineers, the skillset needed to actually be a professional in cybersecurity feels massive. It seems like you need to be an expert in many different areas of computer science, including networking, cryptography, embedded systems, and more. Investing more in professional educational programs & requiring cybersecurity focused classes in CS programs might help with this.
White hat programs and bug bounties are a huge net positive for the space. In crypto, I’ve seen companies like Immunefi harness the common developer desire to ‘hack’ for good. You want smart, honest people looking at your codebase and pointing out vulnerabilities before your enemies find them. One of the most toxic things you can do for your organization’s cybersecurity profile is treat white hats poorly. If you do this, you’re sending them an implicit signal that a) you don’t respect them and b) they’d be better appreciated by those who want to do you harm.
Fortunately, some areas of the software industry are learning how to secure battle tested systems. I would argue that, within the next 10 years, developers who have built highly secure apps in crypto are going to be among the best security minds in the world (even outside of their crypto bubble). I heard Balaji Srinivasan argue that crypto is churning out the equivalent of combat veterans who are going to understand how to build defense minded software as well as anybody. There have been a lot of hacks in web3 - let’s hope some learning is going on (:
What’s The Point?
I suppose the macro lesson here is twofold. Those who lament the speed at which digital technology is being adopted need to ‘get with the program’ to some degree, but they weren’t all wrong about the downsides of the internet. But whether they like it or not, it’s now a requirement for us all to understand the battlefield that we’ve stepped into.
On the other hand, for those of us who work in the world of software (myself included), we need to be more mindful about what it means for software to eat the world. Sure, we all think about the positive, wealth generating functions that the deployment of software unlocks. But what about the negative ones? Is it actually good that all of our critical infrastructure is now subject to attack from people sitting in a dark room thousands of miles away? Or that so much of our sensitive personal information is now floating around on the dark web for sale? Or that we have social media platforms that are so good at hijacking our attention? I’m not so sure that all of this is good by nature, but I also doubt that we’ll be undoing any of it.
The best option we have is to build new tools, create new practices, and educate a new generation to be able to handle these challenges properly.
The fate of the world might depend on it.
-Sam