Myth #13: Drastic improvements in cybersecurity are urgently needed.
Andrew Odlyzko

Myth: The Internet and all other information systems need to be re-engineered from the ground up to provide robust security. Failure to do so will expose society to rapidly escalating financial losses, as well as greater erosion of privacy and a corrosive “post-truth” environment, and might end in a “digital Pearl Harbor” that could bring the economy to a halt.


Busted: Cyber risks are real and are growing. (#10) But they are not much different from the threats in the physical world and are similarly manageable. They have been managed in the past, and that experience of living with and depending on obviously insecure systems over several decades provides useful lessons for the future.

We have learned that we cannot build secure systems of substantial complexity. Even if we could, human vulnerabilities that are exploited so effectively through techniques such as phishing would remain. However, in the past the damage from lack of cyber security has been tolerable, typically less than from other forms of crime, natural disasters, and innocent bugs or operational errors. The key issue has always been risk management, not absolute security, just as in the physical world. This is because security is not the paramount goal and only a certain level of it is necessary to allow individuals and organizations to function and flourish.

An instructive example is that of two-factor authentication. It has been known and available commercially for about three decades, but it is only now becoming widely deployed. Clearly organizations decided in the past it was not worth using it. And, in retrospect, it is hard to argue this decision was incorrect. An even more obvious example is that of rigorous observation of standard security practices (prompt application of updates, use of secure passwords, and the like). It is standard, and is universally accepted as desirable, but is seldom followed. If necessary, security could be increased by simply adhering to those standards.

There is of course the threat of a large scale cyber attack. (#12) Experience indicates that such could realistically only be mounted by large state actors. Hence they have to be deterred by government agencies and so hopefully will not be much more of a threat than giant geomagnetic storms.

For most individuals and organizations, the only serious worry should be routine criminal attacks. Protection against those can be improved in various simple ways. Among the most important of those ways is providing secure backups and engineering systems for quick recovery. Such measures would also provide protection against large scale attacks.


Truth: We are not facing a cybersecurity crisis, and there is no need for a fundamental re-engineering of our information systems. Cyberthreats are mounting, but in a measured way, and we already have many tools for strengthening our security. Hence we are likely to provide adequate levels of security by acting as before, taking small incremental steps as necessary.


Source: Andrew Odlyzko, Cybersecurity is not very important, ACM Ubiquity, June 2019, 1-23,