Why The Future Of Digital Security Is Open

Editor’s note: Lou Shipley is a lecturer at the Martin Trust Center for MIT Entrepreneurship and president and CEO of Black Duck Software, an open source solutions company.

The topic of digital security often brings to mind the image of a bleak and dark future, where computers, mobile devices and other systems are riddled with malware and cyber criminals lurk, ready to steal our data and crash our systems. We have good reason to be nervous. We’ve seen plenty of cyber-security breaches in the past few years, like credit card thefts at Target and password issues at sites like LinkedIn.

Digital security is a major concern. Few other issues affect everyone, from individuals to companies to entire nations. So what is the future of digital security?

One discussion thread centers on email encryption, prompted by Yahoo joining forces with Google and Microsoft to develop an encrypted email system. While encryption is a step in the right direction, it’s probably not sufficient by itself. In addition to usability issues — like compatibility of platforms and the human tendency to reuse the same basic passwords — email only covers a portion of the digital world. It’s a partial “attack surface.”

The broader answer to digital security demands openness and cooperation among traditional competitors. The Facebook TODO project (Talk Openly, Develop Openly) is a good example. TODO brings together Google, Twitter, Box, Walmart Labs, Dropbox and others to facilitate and improve open-source projects.

Applying open-source best practices to digital security builds on transparency and meritocracy, where the best ideas win. For example, starting almost two decades ago, Linux developers came together to create an operating system that today runs a huge swath of enterprise IT, global networking, telecommunications and a dizzying array of other intelligent device applications, and is helping to drive the build-out of the Internet of Things.

Another prime example is the development of the Apache web server, followed by a hit parade of other projects under the Apache Foundation umbrella, including Hadoop, Tomcat, Libcloud and scores of others. These and other open source successes prove that it’s better to develop as a community, in the open, because given enough eyeballs, all bugs are shallow (Linus’s Law) and fewer bugs means better security.

By using open source methods, the developer community is able to lock out black hats. If individuals attempt to insert malicious code into a project, that code will be seen and tested by developers across the community; it will be excised by vigilant open-source white hat developers faster and more reliably than with proprietary code.

Not all organizations are ready to commit to open source methods. Open-source security best practices require companies to move past traditional models of competitiveness to collaboration among corporate peers for the greater good. It also requires some sacrifice of privacy/secrecy in favor of transparency.

These are small prices to pay because digital security is a critical global issue. Just as we’re working on other major crises – the environment, global security, and emerging pathogen threats – it’s going to take more than one individual or one company (or even one nation) to meet the digital security challenge. Winning the digital security arms race can only be accomplished with openness and collaboration.