Two indispensable books for the serious information security professional are Ross Anderson’s masterpiece Security Engineering: A Guide to Building Dependable Distributed Systems and Aircraft Safety: Accident Investigations, Analyses & Applications by Shari Krause.
While the need for Anderson’s book is obvious, what does aircraft safety have to do with information security? In a nutshell, everything. Today’s commercial aviation industry is mature, functional, relatively safe, but complicated. Today’s information security industry is relatively immature, dysfunctional, and complex.
There are lawyers who specialize in aviation law and physicians who practice nothing but aviation medicine. The FAA employs thousands of people, and hundreds of thousands of people work at airports. All of the US aviation regulations (known as FARs, the Federal Aviation Regulations) would fill a large room. Yet with all of these regulations, training regimens, and advanced technologies, planes still fall out of the sky, and pilots still fly their planes into mountains.
If the aviation industry, with billions of dollars and hundreds of thousands of people, can’t guarantee passenger safety, then those in the information security industry should curb their hubris and stop using terms such as hacker-proof and bulletproof when describing their products. Boeing can no more ensure the safety of its airplanes than United can guarantee a flight will arrive on time.
What one sees in Aircraft Safety: Accident Investigations, Analyses & Applications is a comprehensive look at why serious aviation accidents and events occur.
Dr. Shari Krause (a Professor at Embry-Riddle Aeronautical University) looks at over 40 aircraft incidents and accidents, analyzes why they occurred, and offers suggestions for avoiding future calamities. Krause concentrates on four probable accident cause areas (human factors, weather, mid-air collisions, and mechanical failure) and highlights the perspectives of pilots, crew members, air traffic controllers, and the National Transportation Safety Board.
Many of Krause’s conclusions center on two areas: pilot error and failure to use the available technology properly. These pilots are not newbies who read a For Dummies book or were recently certified via some technology boot camp. They are professionals who have spent thousands, even tens of thousands, of hours in the cockpit. Commercial pilots are required by law to have physicals every six months and spend significant amounts of time annually being monitored, retrained, and tested.
These pilots work in cockpits whose avionics hardware costs millions of dollars. Yet with all of this, these same pilots will on occasion neglect standard operating procedures (and common sense) and take irrational actions such as attempting to land during an active thunderstorm or flying their airplanes into rock-hard mountains (officially known as CFIT, Controlled Flight Into Terrain), among others.
Continuing with the aviation theme, there is a joke in which a large group of programmers is asked whether they would feel safe in a plane built by Microsoft and whether they would board such a flight. Only a single hand went up, and that programmer’s reply was, “If Microsoft were ever to build a plane, I would have no qualms about getting on the plane. Because I know that if Microsoft built it, there is no way the plane could ever get off the ground.”
While Microsoft is an easy target when it comes to security problems (though it should also be commended for its Trustworthy Computing initiative), much of the blame falls on management. Managers often spend money on the wrong security technologies and then expect those technologies to work without ever training the very people expected to implement them properly.
Information security therefore needs to learn from the established aviation industry: complex systems must be developed with deliberate architecture and design. As Ross Anderson deftly explains in his book, security must be engineered. Anderson defines security engineering as building systems that remain dependable in the face of malice, error, or mischance. As a discipline, it focuses on the tools, processes, and methods needed to design, implement, and test complete systems, and to adapt existing systems as their environment evolves.
The information security sector has a long way to go to be on par with its counterparts in the aviation sector. Both Security Engineering: A Guide to Building Dependable Distributed Systems and Aircraft Safety: Accident Investigations, Analyses & Applications attest to that.
Originally published in the ISSA Journal — 2003