The 99.999 percent cybersecurity problem
Near-perfection is a lofty goal, one utilities strive for. “Five nines” has become, it’s said, the “holy grail” of reliability: Under this scenario, customers have service 99.999 percent of the time, with outages averaging only about five minutes per year. Now, that’s service.
A major telephone company set this standard, boasting of its 99.999-percent reliability. Now, some are calling for “five nines” service from Internet providers and websites.
Perhaps we should ask how cybersecurity, too, might achieve this standard. How can our industry protect data with near-perfect reliability, especially as an ever-growing number of “connected” devices join the global data network?
Telephones weren’t always so reliable. In its early years, the industry faced challenges similar to cybersecurity’s. Phone service began as a strictly local phenomenon: The earliest adopters in 1878 had to buy the phones they wanted to use on either end — one for home and one for work, for instance — and hire a telegraph line installer to connect them. Reliability wasn’t difficult to ensure at this small scale, as long as someone heard the caller whistle through the line — the pre-ringer signal that a call was coming in.
Likewise, cybersecurity in its earliest years relied almost exclusively on firewalls to filter out “untrusted” Internet traffic. Safeguarding a single desktop computer connected by phone lines to a contained World Wide Web was fairly simple. As happened in the telephone industry, however, the cyber scale is quickly expanding – and so are the challenges.
According to the book “Seeing What’s Next,” by Clayton M. Christensen, telephones first appealed to businesses, which saw value in enabling workers to communicate more efficiently among themselves and with other offices. The trend soon spread to households, and by 1900, the number of phone users reached 1 million. By 1904, more than 6,000 telephone companies independently provided phone service, which, by most accounts, fell far short of the “five nines.”
“Coordination was difficult, network monitoring was next to impossible, operators experienced diseconomies of scale, and service quality suffered,” Christensen writes. Sound quality also suffered, shared “party lines” often forced people to wait to make calls, and long distance calling was extremely difficult, complicated and expensive.
And yet — the industry reached “five nines” availability. How?
Consolidation is one answer: As Christensen’s book details, the Bell Telephone Co. bought its competitors, forming a virtual monopoly throughout the U.S. One positive result was standardization, which enabled the utility to invest heavily in research and development. It also led to new technologies for use across its ever-expanding service area: private phone lines, direct dialing as opposed to placing calls via operators, long-distance calling and 99.999 percent reliability.
As a result, the telephone has become an essential item for all, even given for free to low-income residents under a federal program.
The telephone’s success happened, in part, because innovators moved beyond a piecemeal approach to design on a grand scale, engineering improvements across the entire network. At the same time, they figured out how to give people what they want: around-the-clock reliability, with the phone company — not the customer — held responsible when things go wrong; ease of use, so that making a call today, even long distance, is a simple, intuitive task requiring no special training; and quality experiences, without the frustrations of dropped calls or distorted sound.
What can we in cybersecurity learn from this success story? In many ways, our profession seems still in the early, “piecemeal” phase, with many focusing on protecting their own organizations’ data and that of their customers, or on developing apps to secure a single device or network.
But as the telephone’s history indicates, success may come only when we “think big,” enlarging our scale, moving beyond the local (company-focused or product-focused) to the global (industry- or even Internet-focused). To get there, we might collaborate with one another for a common good — such as data protection — and innovate strategies and solutions to thwart intrusions systemwide.
And, like the phone industry, we ought to always keep the customer front and center in whatever we design, aiming for easy-to-use cybersecurity with nearly perfect reliability.
It’s one thing to manage cybersecurity on a single cell phone, tablet or laptop. It’s more difficult when you’re protecting all the devices in a single business. And it’s exponentially more challenging to design security for systems used by millions and billions of users.
The Internet of Things, with connected devices perhaps numbering in the trillions someday, each potentially serving as a hackable portal to our networks and data, could explode the cyber scale almost beyond comprehension. Do we wait until that happens to finally figure out how to keep data safe?
For truly effective cybersecurity design, scale is becoming a critical factor. Ironically, as the telephone’s narrative shows, large-scale solutions can be not only the most difficult to devise, but, once achieved, the most effective. Now, as never before, we in the profession need to ask: How do we solve for the really big problems?
JR Reagan is the global chief information security officer of Deloitte. He also serves as professional faculty at Johns Hopkins, Cornell and Columbia universities. Follow him @IdeaXplorer.