In 1974, a 30-year-old Hungarian professor who was living with his mother invented what was to become the world’s most popular puzzle. His name? Erno Rubik. His puzzle? The famous Erno Cube. OK, actually the puzzle bears his last name, the Rubik’s Cube, a puzzle that has been sold to hundreds of millions, and in all likelihood, played by billions. The puzzle could appear to be maddeningly challenging to those for whom mathematics is a painful exercise. It was originally billed as having over three billion combinations and only one solution. But solving it has become child’s play, thanks, in part, to devotees who have developed algorithms to make the process readily repeatable. The current listed world record for a single time on a 3×3×3 Rubik’s Cube is 4.90 seconds, faster than you can tie your shoes.

Wouldn’t it be wonderful if we could solve our cybersecurity puzzle so readily? Alas, this particular puzzle is a bit more challenging, given that the nature of the threat is evolving constantly. However, Robert Knake just posted an interesting piece on Net Politics that proposes what could be part of a solution. Fetchingly titled “Cash for Clunkers: Cybersecurity Edition,” the post begins with this: “It has long been a half hope-half joke within the cybersecurity community that the United States’ aging information technology (IT) infrastructure might be more secure than modern IT. Our collective image of hackers as young and somewhat lazy, suggests that when confronted with legacy IT systems, hackers might just decide to move on to more familiar IT environments.”

We have ample examples of breaches that make clear just how forlorn that half hope is, and Knake quickly acknowledges that fact. But he moves on to argue that we have a systemic problem with legacy systems, and that the focus on cybersecurity too often results in spending decisions that divert money that should be flowing to IT modernization efforts. He has an idea of how government could help. His solution is to develop a tax policy that incentivizes investment in new, more secure IT systems that support critical national infrastructure.

Revising tax policy won’t solve the cybersecurity puzzle in 4.90 seconds. But it could very well make a significant difference in cyber defense over time. Perhaps a wise candidate for office will pick the idea up and run with it. One can only hope.

By Tom Davis, SDI Cyber Risk Practice

June 7, 2016