Cyber Security: A pre-war reality check

Security vs. Protection & Resilience

  • Several comments stress a distinction between:
    • Security as robustness, graceful degradation, and “carefree ease” from practice.
    • Protection as products and services that create dependency and a feeling of safety without real resilience.
  • The current “insecurity industry” is criticized as selling protection layers instead of addressing root causes or simplifying systems.

Centralization, Outsourcing, and Cloud

  • Heavy outsourcing (India, China, big US clouds) is seen as hollowing out local operational competence and creating single points of failure.
  • Others argue outsourcing and centralization follow comparative advantage and often improve average security and uptime, though they increase blast radius when failures occur.
  • There is support for more regional or “friendly” cloud providers and data sovereignty, especially in Europe.

Critical Infrastructure & GPS Dependence

  • Multiple examples of fragile dependencies:
    • Trains and aviation increasingly relying on GPS; rail projects aiming to replace trackside equipment with GNSS.
    • Farmers and hospitals disrupted when GPS or IT systems fail.
    • Attacks on pipelines, healthcare providers, and telcos showing real-world impact.
  • Counterpoint: sectors like aviation and rail still maintain legacy systems (VOR, DME, track circuits, tokens) and are adding hybrid solutions, not pure GPS.

War, Ukraine, and “Pre‑War Era” Framing

  • Some see Ukraine as proof that cyberwar has been less catastrophic than feared; infrastructure largely functions.
  • Others note:
    • Prior Russian cyberattacks (e.g., NotPetya) caused global collateral damage.
    • Ukraine’s resilience rests on years of hardening and extremely risky repair work.
  • Debate over how much Western policy (NATO expansion, intelligence integration) contributed to the current war climate; views are sharply divided.

Complexity, Simplicity, and Secure Design

  • Strong agreement that complexity is the enemy of both reliability and security.
  • Suggestions:
    • Smaller, simpler stacks (e.g., minimalist OSes, simple databases).
    • Defense in depth, offline fallbacks, and independent local controls.
  • Skepticism that “just rewrite it smaller” works: even small C++ projects quickly accumulate serious bugs; patching and user updates remain hard.

Deterrence, Offensive Cyber, and MAD

  • Some speculate major powers hold large stocks of zero‑days and that there is a de facto “mutually assured destruction” in cyber.
  • Others question this, pointing to the limited destructive use of cyber in Ukraine, which they find hard to square with such capabilities truly existing.
  • A few suggest Western offensive capability is likely strong but deliberately under‑discussed.

Economics, Regulation, and Incentives

  • Core problem framed as misaligned incentives:
    • Security spending seen as a cost center; retrofitting is very expensive.
    • Cloud and centralization optimize short‑term cost and convenience.
  • Ideas floated:
    • Hefty fines for breaches and critical 0‑days to change vendor behavior.
    • Education and autonomous systems complementing, not replacing, regulation.

Personal and Organizational Experiences

  • Several anecdotes describe:
    • Soul‑crushing experiences in highly outsourced “nationally important” companies.
    • Being sidelined or pushed out after raising security concerns.
    • Difficulty finding security‑conscious work, and worries this might push some toward “black hat” paths.
  • Broad frustration that organizations optimize for quarterly costs and visible features, not long‑term resilience.