Change is a constant in a digitally and technologically driven society, and it is repeatedly said that cyber security specialists have a hard time keeping up with the "new" in the area. But regardless of the state of the technology, the principles and ethics which drive the mission and application of security remain stable and actually long-lived. So there is a question as to why these security principles and ethics are not being embodied in the technology we consume.
Back at the start of April I was delighted to teach my first module on the new Cyber Security Executive MBA programme at Lancaster University. In the first session we looked at the classic paper from Saltzer and Schroeder. This covers their ten design principles, the most famous of which is “Least Privilege”.
While the design principles themselves were interesting to discuss, it was the fact that this paper was published in 1975 which caused considerable surprise! These ten core design principles are nearly 50 years old! Not only that, but this is one of the first papers which discussed the concept of penetration testing to find security issues – lots of my students think that pentesting is a modern invention.
The security of systems is not new. The processes we need to use to design and implement secure systems are not new. Failures in the security of systems can be traced back to a failure to consider one of Saltzer and Schroeder’s design principles. But companies are still being hacked and seem not to know what to do. Our data and services are not being protected properly, and the security in our digital systems seems to fail on a disappointingly regular basis.
Experts such as Ross Anderson and Bruce Schneier have built on work by economists such as Hal Varian to understand why, despite knowing what to do, people still don’t do it. There has been lots of work by the NCSC and others to raise awareness in the population and in organisations about the seriousness of cyber security, its importance for good business process and the ethical obligations of companies. At Lancaster I have been involved in over £10M worth of government-funded projects (GM Cyber Foundry, Lancashire Cyber Foundry) to work with businesses to enable them to engage more proactively with cyber security. And while it might be the product of the various social media and news feed algorithms, I am seeing an up-tick in articles from mainstream business outlets, like Harvard Business Review, regarding the importance of cyber security in business and to the board.
It is, after all, market forces which drive the inclusion of features and the quality aspects of the products and services we buy – digital or otherwise. The markets are changing, and consumers are becoming aware of security issues and how they might affect them individually – hang on a minute, what do you mean my pension data has been leaked over the Internet, what about my retirement? This is especially true when the computing is tangible, such as in the form of cars – why should I have to pay a subscription for an update to make sure people in another country can’t unlock my car? But awareness is not enough when there are large-scale technology monopolies and a lack of general understanding of what to do if there is an issue. This disconnect between awareness and inability to act is a potential timebomb waiting to go off.
Added to this is the continued, fast-paced development of new innovations. Whether these innovations are in the technologies themselves, or in their ability to be adopted at scale, they continually challenge the status quo. The radical ideas of Mark Weiser – the progenitor of ubiquitous computing and the Internet of Things – have come to pass only 25 years after their research conception – smart home technology, factory 4.0 and digital governments are a reality. Advances in quantum computing hold the key to radically changing the security landscape, from disrupting conventional cryptography to affording new, better protections. Machine Learning is not new, but the ability for school children to use it for free to help them understand the concepts they are taught is.
It is difficult to predict the future, but trends can be spotted, and it is fair to say that disruption is here and is becoming more unpredictable. There will be a point of inflection in technological and societal trends which will push the elasticity in these systems beyond what they can handle, and deform them to create a new reality. The pandemic was one such source of energy which deformed the socio-technical landscape – can you imagine not making at least one video call in a day?
And yet, the fundamentals of security are not being integrated into the DNA of our systems and organisations which we rely on for our day to day lives.
We have reached a security epoch a half century in the making. The technologies which enable us are going to radically shift the security landscape. It is going to take real leadership from all quarters to be able to deal with these future challenges. But to empower this leadership, we have to get the basics we have known for the last 50 years right as a matter of course – not the exception. How can leaders truly tackle future challenges if they are always forced to deal with the easily avoidable mistakes of the past? And if you are working for an organisation which is not taking the protection of its digital self or its customers seriously, then perhaps it’s time for you to use your market power and work for a more ethical organisation.