Why is Information Security So Complicated?
Tim Cranny, PhD
Principal at The Cranny Group LLC: Strategic Advisory Services for Information Security, vCISO
One of the more common criticisms of Information Security is that it is all too complex—with the subtext being that some of that complexity is artificial, or that security professionals are failing to manage (or hide) that complexity.
Some of this criticism is valid, and I’ll take that up in another article, but here and now I’d like to lay out the reasons why Information Security really is genuinely and intrinsically complicated.
There are three main reasons that I can think of, and three other ‘honorable mentions’—but I expect that I’m missing some others, so I’m sure to be underestimating the drivers for complexity.
It’s important to note that each of these reasons actually feeds off and reinforces the others. Even if you restrict your attention to the 3 big ones, it isn’t a case of ‘10+10+10 = 30’: it’s more like ‘10 x 10 x 10 = 1,000’.
3 Big Reasons
Big Reason #1: Breadth and Depth
The first reason why InfoSec is so complicated is that it’s horribly, wonderfully, insanely broad in scope, and you can’t ignore that scope. It’s hardware and operating systems and in-house applications and third-party software, and libraries and scripts, supported or abandoned or emerging, and every version of all of the above; it’s front-end and back-end and middleware and storage and compute, and it’s networking and network topology, and it's algorithms. It’s on-prem and it’s in the Cloud, and it’s a box and it’s a process and a technology and a service, and it’s data and it’s operations, and it’s confidentiality and integrity and availability and accountability.
And that’s just the most obvious 1% of it all: it’s also psychology and organizational theory and game theory and economics, and crime and law (local, state, national, and international), and industry regulation and standards, and history and politics. It’s global, and a swirling mix of things that happen over decades interacting with things that happen inside a millisecond.
And it’s all of those things smashing into each other in uncontrollable combinatorial ways. It is, in the words of William James, “one great blooming, buzzing confusion”.
And you can’t ignore any of that, because of Reason #2.
Big Reason #2: The Adversarial Nature of the Field
InfoSec is a never-ending war against both an uncaring universe and consciously-malicious opponents. Everyone ‘knows’ that, but almost everyone profoundly underestimates the extent to which that aggressively drives complexity upwards.
The truth is that any boundary-less and iterated adversarial system like this inevitably grows more and more complex over time. Every move the defender makes is an invitation for the attackers to go around those new defenses, or subvert them, or confuse them or overpower them. The defender then has to add yet another layer of protection (but can’t get rid of the old ones, because their justification doesn’t just go away), so both the attackers and defenders are constantly adding layer upon layer to the accumulated complexity of the past.
There is a strong parallel here to the tax code [1]. The tax system is an open-ended and never-ending war between those looking to maximize tax revenue and those looking to minimize their tax burden. If you restrict your attention to the USA and add up all the laws themselves, plus the IRS regulations and revenue rulings, and the relevant case law, you’re looking at about 70,000 pages. This complexity may seem ridiculous, but is almost certainly inevitable. If we heeded the ‘get it down to 10 pages’ cries, we would immediately find a hundred special cases where the simplified code horribly but accidentally trampled over the innocent, and a thousand special cases where the simplified code allowed for horrible abuses by the wealthy and savvy via edge cases and loopholes. If the legislators fixed that mess, we’d wake up on day two with a hundred pages, and a new, larger collection of more complicated edge cases and loopholes, and the cycle would repeat itself.
I suspect that these dynamics only slow down when the complexity becomes self-limiting: when neither the defenders nor the attackers properly understand the structure they’ve built in unwitting collaboration, and (for ‘sufficiently many’ attackers) it’s simply not worth the effort to subvert it further, and therefore not worth the effort of further defensive refining [2].
One key point is that because adversaries are consciously drawn to where the defenders aren’t, defenders can’t afford to ignore any part of the landscape described in #1. Ignore psychology and people, and social engineering flares up. Ignore networking and the attackers flock to replay attacks and man-in-the-middle, and on it goes.
Big Reason #3: The Essence of Hacking is Anti-Simplification
The third big reason, and the one that probably isn’t as ‘obvious’ as the two above, is that the essence of hacking, and therefore the essence of InfoSec, is to consciously not buy into the simplifications and abstractions we are offered every day, and the “just stick to the expected path” implicit agreements we all make.
Instead, the hacker mindset is to do the reverse: to seek out and embrace the vastly complex and dirty machinery that makes things work, with an eye to then messing with that machinery. Instead of sticking to the expected path, the hackers’ first instinct is to veer off that path, and see what happens.
This whole aspect of InfoSec runs contrary to a big cultural trend and narrative, so it is easy to miss. As consumers and users of technology we complain about companies that “make things complicated” and contrast them with companies where “it just works”, but the truth is that in both cases the reality is astonishingly complicated, and the first group is failing because they hide only 99.9% of that complexity under cosmetic simplicity, while the other ‘simpler’ group is succeeding by hiding 99.99%.
I’ll expand on this point more in a separate article (given how meaty a topic it is), but suffice it to say that this hidden pool of actual complexity means that when someone wants to look under the hood, there is a vast playground for mayhem and surprises. And because the attackers live in that world, so too must the defenders.[3]
3 Smaller Reasons
Honorable mentions for some other drivers of complexity:
Smaller Reason #1: Immaturity
The first modest-sized reason for the complexity we see in InfoSec is that it is still in its infancy, and some of what looks like complexity is just a symptom of the inconsistency and confusion that comes with immaturity. That will improve over time, but we probably won’t notice, because the other factors will make things worse much more quickly than this factor can make things better.
Smaller Reason #2: The Need for Broad Response
(This next reason is almost a side-effect of the bigger ‘Adversarial’ issue, but deserves to be called out as its own entity.)
Another driver of complexity is a kind of double-negative: certain obvious paths to simplification are dangerous when used by InfoSec defenders, and so have to be avoided or minimized.
I’m thinking here of the natural instinct to simplify by taking a long list of ‘to do’ items and doing them one at a time in a measured, sequential way. That greatly reduces execution risk and avoids all sorts of synergistic confusion and complexity, but the sad fact is that it can be fatal for InfoSec. If you’re the captain of a submarine, and someone tells you you’ve got 3 gaping holes in the hull, you simply don’t get to fix one, do a tour at sea, then fix the next, do another tour, and so on. Potentially fatal problems wait for no man.
Now, obviously, you don’t want to go to the other extreme and try to boil the ocean, but there is absolutely an added complexity from the need to juggle multiple things in flight.
Smaller Reason #3: Lack of Control
The final reason why InfoSec is prone to complexity is that reactive work is generally more complicated than proactive work: instead of getting to tune your sequencing and timing and the prioritization so as to reduce complexity, reactive work forces you to dance to the tune of the attacker. And since too much InfoSec work is reactive, this phenomenon adds to the complexity.
A final note on this issue is that it is yet another reason why driving to maturity is a good idea: not only does it reduce risk, it increases efficiency and predictability.
Conclusions
In summary, InfoSec is always going to be complicated, for deep, unavoidable reasons. That puts an onus on practitioners to lead a schizophrenic life: on the one hand they can’t ignore that complexity (and so need to recognize it, embrace it, and manage it), and on the other they need to refrain from torturing everyone else with that complexity, so need to devote a lot of effort to simplifying and communicating.
The other side of the coin is that senior leadership in other fields—whether they be in IT, politics, or any of the thousand other fields impacted by InfoSec—need to try to meet that outreach halfway. It’s no longer considered acceptable for leaders to be technology-illiterate, and the same needs to happen for InfoSec issues: a certain level of engagement and security-literacy has to be considered table-stakes for 21st century leaders.
----------------
[1] Which means there is a really good analogy begging to be made, and one that would resonate with one of the audiences we really need to mind-meld with.
[2] That raises the possibility—likelihood?—that the tax codes will grow vastly more complicated once we’ve got artificial intelligences leading the fight for both the attackers and the defenders. It wouldn’t surprise me if the body of tax code ‘stuff’ is (equivalent to) ten million pages by the year 2030.
[3] Proposed logo for the entire InfoSec industry: a close-in head-shot of someone with a worried/annoyed look on their face, and the slogan, “Well, actually….”