The Center for Education and Research in Information Assurance and Security (CERIAS)


Things are not getting better


I was reminded this morning of testimony I gave before a US Senate committee about cybersecurity nearly 10 years ago. Sadly, I think things are worse and we are continuing on the same self-destructive path.

Here is a copy of that testimony.

Anybody who thinks tools and patching are the solutions doesn't understand the problems.

Now that the government has decreed our national focus should be on quantum and artificial intelligence, things are likely to get worse even faster -- those technologies will introduce new vulnerabilities faster than they may fix any, especially as vendors seek to rush items to market.

CERIAS continues to be a bright spot, but there is so much more we (at CERIAS, and more globally) could do if we had the resources.

In early April is the 20th CERIAS Symposium. I invite you to attend to see what Purdue's continuing efforts are accomplishing, and especially to meet some of our bright and motivated students, and connect with some of our tremendously talented faculty and staff.


Posted by H. Carvey
on Thursday, March 7, 2019 at 08:26 AM


I’m not sure why you’d expect things to get better, honestly.

I’ve been in the infosec trenches since I got off of active duty in 1997.  I started doing vulnerability assessments, did the odd pen test now and again, and then moved into DFIR.  This is only to say that I _see_ the data, so when an auditor asks the senior sysadmin at a company if they have technical means in place to enforce strong passwords, and the admin says, “yes”, I know the truth.

I currently work at an MSS, and I see the messages our analysts send to clients about detected incidents, and I see the responses, if there are any. 

All I’m saying is, don’t expend your energy beyond what you can influence.  You clearly have influence over the next generation of security professionals, and that has to be enough. 

God bless.

Posted by John M
on Saturday, March 9, 2019 at 08:49 AM

I couldn’t agree with the above more.  I’ve tried to explain it to our younger folks, but it is a difficult sell.  Almost 40 years in telecom and cyber for AT&T, GTE, DoD, IC and what I see today is a more complex architecture (at least in the DoD) that is failing at the most fundamental level.  The truth is that all the bloated funding and security products applied can be eliminated with one click of a mouse by one adversary.  Once in, lack of fundamental hygiene and the failure to realize that anything created by a human has flaws does the rest.

Posted by John M
on Sunday, March 10, 2019 at 11:39 AM

H. Carvey,
Oddly enough, I do believe things were getting better in the 2001-3 timeframe.  The amount of personal collaboration in NANOG and NSP-SEC newsgroups as well as others was close to real-time and specifically detailed.  Then as the telecom and burgeoning internet ‘industry’ collapsed upon itself through mergers and buy outs, the remaining bean counters realized they could make a profit selling security products and services to a captive audience.  End of collaboration on a personal level and beginning of the bolt-on generation.  Leave the smartphones at the door.
Kind regards.
