Will clouds and cryptography win back our trust in computers?

The world of IT security is ablaze, and making headlines: WannaCry virus stops production at Renault-Nissan, hackers shut down power plants in Ukraine and read Hillary Clinton’s emails. Emmanuel Macron’s, too, and that particular attack stands out from the rest.

Unlike other strikes, we all knew this one was coming. After Clinton was hacked, it became clear that hackers would attempt to discredit any candidates who stand in the way of their populist counterparts. Top French security experts knew and had time to prepare – and when the attack began, it was immediately detected by TrendMicro, a security vendor. However, the hackers won anyway: Emails and documents from Macron’s team were leaked, mixed in with fake data. So, if even the French president’s team armed to the teeth with the latest security gear couldn’t stop an attack they were expecting, can an ordinary, unsuspecting person or organization ever be safe? Can we trust computers?

Computers run our lives – we need to believe in them. If someone pressed a button that could shut down every computer in the world, the lights would go out, banks would be paralyzed, mobile phones would stop working. There would be riots, and people would die. In fact, we are only just entering an era when every “thing” will have an embedded computer. No other invention has changed human lives as dramatically as the computer, and yet it cannot be trusted.

The search for loopholes
Why is this so? Security experts jointly point their fingers at one culprit: the software bug. There are scientific studies that quantify this issue rather precisely. Steve McConnel, author of software engineering textbooks, estimates that the “industry standard” error rate is 15 to 50 bugs per thousand program lines. Not every bug is a security bug, but still, the math doesn’t bode well: The Firefox browser, for instance, has 16 million lines of code, and Windows has as many as 50 million.

Are bugs inevitable? Code can be written in such a way as to be scientifically bug-proofed. SPARK, for example, is a computer language developed specifically for this purpose: It is used for things like England’s air traffic control, so no need to worry when you land in Heathrow.

If software bugs are not inevitable, then why do we have them? One answer is that software teams often favor time-to-market over quality. Testing cannot find all bugs, simply because all scenarios cannot be tested. When development teams go after bugs, it’s the functional ones they’re really after, not the security ones. Perhaps the issue is that anyone can write code these days – modern development environments allow software to be created at the click of a mouse. In a sense, software development is not science anymore: Many of the people doing it are no longer building on the knowledge, rules or best practices developed by thousands of scientists in the field, because they simply did not study them. Another answer is that IT is only a few decades old – the thousand-year-old field of construction engineering, by contrast, is not plagued with 15 to 50 out of every thousand bricks consistently being laid wrongly.

The result is a goldmine of security loopholes. The word gold is used literally here, as so-called “0-day” – that is to say unpublished – exploits are routinely sold for tens of thousands of euros to buyers who reportedly include entities such as the U.S. government.

Salvation in clouds and numbers
Still, there is hope. First of all, IT security needs to become a top priority. Not system availability, not features, not performance, and not user requests. There is undoubtedly nothing worse than customer data being stolen or damaged. With the growing complexity and fast pace of change in the arena of security solutions, very few organizations can build and operate the required infrastructure themselves. Companies need to look not only for suppliers of security solutions, but also for security providers who can carry some of the burden and provide it as a service.

Cloud computing is not commonly viewed as a security service, although it undeniably has a strong security component embedded in every one of its offerings. Office 365 mail and collaboration suite, for instance, is not typically perceived as a security service, but it is precisely that: The cloud provider covers physical and systems security, in addition to managing spam and malware threats on a continuous basis.

There is one other tool that provides light at the end of the tunnel. It’s been here since the dawn of the universe: mathematics, or rather their application. Cryptography is a reliable way of ensuring the privacy of communications via encryption, verifying identity with digital signatures and certificates, securing integrity with hashes and signatures, or protecting information from being copied with blockchain. If Macron’s team had used cryptography, not only would the leaked files have been unreadable to the attackers, but the forged documents would also have been easy to identify.

It isn’t just up to software engineers and security professionals to restore our lost trust in computers. That is a job for every single user, because these tools and processes enable any individual to rebuild their trust in computing all on their own. Only then will we be able to enjoy the world of computers at its best: as the private, secure space and reliable tool we all know it can be.