Sign in Subscribe
2 min read

First Principles: Bad guys are humans, they're creative and driven, and they don't quit.

Here's the bigger question: If we do finally achieve 100% success in automating cyber defense, will the "bad guys" pack their stuff up and go home?
First Principles: Bad guys are humans, they're creative and driven, and they don't quit.
"The secret ingredient is crime"

If I had a dollar for every time I've been asked if AI will supplant white-hat hacking over the past few years, I'd have... several dollars.

Here's a first principle that has guided my thinking around security for the better part of twenty years now, and has served me fairly well:

  1. Humans are the origin of attack, and humans are creative and innovative—partly because of our creative construct, and in part because we are wired and incentivized to survive and succeed.
  2. Humans are also the author of the attack surface. We're powerful and creative and awesome, but we aren't perfect—and when you couple that imperfection with mathematical multipliers, you end up with web-scale imperfection (alongside all of the web-scale awesomeness).
  3. Therefore, human creativity will forever be the battleground.

Human fallibility and imperfection is ultimately the origin of crime, and the exploitation of this base truth predates the Internet by a few thousand years.

Cybercrime isn't a new thing; we've just sped up old things over the last hundred years or so.

Could AI solve 100% of today's security problems? Maybe. Most of the bets I'm placing right now assume that it won't (mostly because I don't believe that the macro market incentives support this outcome)... but I'm also allowing for the possibility. This idea could be a much, much longer post, but I'll leave it there for now.

Here's the bigger question: If we do finally achieve 100% success in automating cyber defense, will the "bad guys" pack their stuff up and go home?

Three thousand years of history suggests that they don't, and most likely won't in the future. Instead, they employ an entrepreneurial mindset, and they adapt and overcome. Where the cyber defense complex fails is in ignoring this base truth—and ultimately the reason we're all here in the first place—by treating it as a purely technical problem. Crime and the opportunities for crime are both deeply rooted in sociology. Cybercrime is a sociological problem, amplified by technology. It's not a technological problem; technology merely provides the theatre.

The implication of all of this is that human creativity is an ever-present fundamental of a good defense.

Published by:

caseyjohnellis