'Worse is (probably) better'

Kenny 2023-02-19

I’m of (at least) two minds about this.

I’m a professional programmer (i.e. ‘software developer’ or ‘software engineer’), and I, personally, prefer the ‘correctness’ (‘better’) end of the ‘worse versus better’ or ‘good-enough versus correct’ spectrum.

But I also admit (and, previously, grudgingly) that my colleagues on the other (‘worse’) end of the spectrum are often generally more effective than I am, and the benefits mostly outweigh the costs too.

I suspect the tradeoffs being made aren’t too terrible either, generally, as many security failures involve ‘trusted insiders’ (e.g. human users), against which no amount of better computer security can protect. Most experienced professionals use cryptography pretty sensibly nowadays, but no cryptographic system can withstand ‘rubber hose cryptology’.

I’m also greatly disappointed in the various acts/bills like GDPR. I’m sympathetic to their aims, but they’re extremely unfriendly! Their plain-language (‘reasonable’) interpretations are severe, or seemingly contradictory, and it’s not clear whether that’s so they can better serve as cudgels to be wielded against the biggest companies. It’s disheartening that there aren’t clear, concrete guidelines for complying with their aims.

