GLOBAL SECURITY AGENCY (GSA)

Cybersecurity Is a Social, Policy, and Wicked Problem

Richard Bejtlich • June 25, 2023

Cybersecurity is a social and policy problem, not a scientific or technical problem. Cybersecurity is also a wicked problem. In a landmark 1973 article, Dilemmas in a General Theory of Planning, urban planners Horst W. J. Rittel and Melvin M. Webber described wicked problems in these terms:

“The search for scientific bases for confronting problems of social policy is bound to fail, because of the nature of these problems. They are ‘wicked’ problems, whereas science has developed to deal with ‘tame’ problems. Policy problems cannot be definitively described. Moreover, in a pluralistic society there is nothing like the undisputable public good; there is no objective definition of equity; policies that respond to social problems cannot be meaningfully correct or false; and it makes no sense to talk about ‘optimal solutions’ to social problems unless severe qualifications are imposed first. Even worse, there are no ‘solutions’ in the sense of definitive and objective answers.”

Other wicked problems include climate change, smuggling, and nuclear weaponry. 

There is no “perfect new normal” because there is no “solution” for cybersecurity. 

To quote Marcus Ranum from the September 2007 issue of Information Security Magazine: “Will the future be more secure? It'll be just as insecure as it possibly can, while still continuing to function. Just like it is today.”

A report by the Australian government titled Tackling Wicked Problems: A Public Policy Perspective suggests that there are three strategies for mitigating wicked problems: authoritative, competitive, and collaborative. Similarly, cybersecurity will likely require some combination of all three.

In summary, my modest new normal is this: anyone commenting on cybersecurity will recognize that it is a wicked problem that cannot be “solved,” but it may be mitigated, over decades, using expertise and approaches from multiple disciplines, least among them technical acumen.

If pressed to provide a technical element of the new normal, I offer “building visibility in” as one tenet. Asset owners need to understand how their digital resources are used and abused, and anyone providing computing resources should include the logging and access needed to do so.

* I found this note dated 1 June 2020 on my hard drive and decided to publish it today.
