House Construction Security

Some argue that it’s not possible to measure software or network security because there are always bugs, many of which may lie hidden for years, miscreants are always out there trying to exploit those bugs, and trying to find ways to misinterpret features to their favor, etc., so there’s no way to build secure software or networks, so there’s no point in trying to measure security.

Let me demonstrate by the same method that it’s not possible to build a secure house.

When a house is built, the builder doesn’t know whether it will become infested by termites, mice, ants, dust, or mold. For some of these (termites) there are known preventatives, but they’re not perfect. Others (ants, dust) builders usually consider to be the owner’s problem. Others (mold) were not considered a problem until recently, when it became clear that they produce human illnesses. I could add small children or drunken adults to this list of infestations.

But what about the building itself? Well, it might have asbestos, or materials that produce volatile outgassings. The former wasn’t considered a problem a few decades ago and now is often outright illegal. The latter is only now coming to be considered a problem as it becomes more clear that it can exacerbate allergies or cause various diseases. And there is always the possibility of shoddy construction, ranging from nails in the wrong place to mismeasured lengths and on up. Not to mention shorted or substituted construction materials, i.e., outright fraud and theft by the builder or construction crew.

But what about outside attack? That’s what most IT security seems concerned with; what’s the equivalent for houses? Plenty, including natural threats such as tornadoes, hurricanes, floods, fire, landslides, sinkholes, falling trees, etc. But IT security deals mostly with deliberate malicious attacks; what about those? Plenty of those, too, ranging from neighborhood children to burglars to eminent domain to sabotage to military attack.

Obviously there’s no way to measure all those failure modes of house construction, so we might as well not bother measuring house security, right?

Of course, everybody already knows it’s not possible to build a secure house. Instead, we use an array of standards, education, professional associations, laws, and inspections during and after building.

One thing we need to do is to just admit it’s not possible to build a secure network, and get on with building networks and software systems that are sufficiently secure while dealing with the associated problems by a variety of means.

And let’s consider the malicious outside attacks. For houses, we also use alarm systems, neighborhood watches, police, laws, courts, education that breaking and entering is bad, and for military attacks, even our own armies, diplomats, and treaties. For both natural disasters and for attacks, we also use insurance, safes, safety deposit boxes, and even keeping duplicates of important papers in multiple locations, such as with relatives or at lawyers’ offices. In all these cases, we don’t depend on trying to build a house with walls that will withstand a tornado or a determined burglar, and certainly not a determined military force. For all these cases, we use forms of collective action.

Sure, we need specific local security measures, just as we need locks on doors, and it would be good to have some metrics as to how good they are. But that’s not the whole problem, nor even the main problem.

In other words, for the kinds of things that are most problematic in IT security, namely outside attacks, for houses we don’t depend on going it alone. For aggregate damage we depend on collective action. We need to do the same for IT security.

-jsq