Chess Vs. Poker
Or: why we're playing the wrong game
Nota Bene: This post is a summary of a disconnect I've noticed in the information security community (myself included) and has been influenced by discussions with others, namely Prof. Bratus; please consider this an invitation to dialogue or comment, and not a one-size-fits-all argument.
Having spent a busy spring and summer traveling to and speaking at various information security conferences (including some "hacker cons"), I've started to notice a disconnect between the work being performed and presented (and selected for presentation) at these events, and the greater problems the "Internet civilians" encounter on a daily basis. In short, we as the research community are playing chess problems: starting from an out-of-the-ordinary initial condition, and finding/presenting the most elegant solution to "victory". This elegance is what secures speaking positions, money and fame within the community, and by examining the Black Hat USA schedule, one notices a large percentage of these "chess problems" presented (my talk included). As information security researchers, these "sexy" problems provide an intellectual challenge and inherent beauty that attracts us to spend copious amounts of time perfecting that ROP chain, or exploiting a cache-timing weakness just so.
The "Internet civilians" on the other hand are playing a game of poker, in which all parties are playing the player(s), not the game. A computer user has a motivation to use their technology for purposes other than gaining fame with a slick new ROP mitigation, and an adversary is motivated by (generally simple) goals that typically do not include presenting on how he or she built the next spam bot-net at Black Hat. Motivators such as financial and/or political gain are what drive most cyber-crime (at the non-nation-state level), and spending time on "elegance" is a waste of resources for the attacker.
Information security is an interesting field, as everyone who connects to the network (which at this point is almost everyone) is a practitioner (or at the very least fair game), regardless of whether they are a "cyber-soldier" or "civilian". The flatness of the Internet removes the national boundaries that are traditionally defended by the military, and exposes everyone. The unsexy challenges that the civilians face when connecting to the global battlefield called the Internet are considered "common sense" by those skilled in this arena, and are overlooked or assumed to be a solved problem (e.g. password strength and reuse, the principle of least privilege, etc.). Simply because a problem has been solved and is common sense to one skilled in the art does not mean the civilians have access to or knowledge of that solution.
It is challenging to discern an analogous field in which the cutting-edge knowledge circulated in the research community must be disseminated to the general populace in order to be effective. Additionally, attackers are specifically attempting to misuse our systems and software; a civil engineer rarely designs a bridge to be resistant to an RPG strike, whereas every piece of software is an active target. Example: I know nothing about the latest advancements in energy production; however, the efficiency of the power grid is not dependent on my cognizance of how it works (nor on how the energy sector is viewed as a whole).
As the gap between the chess players and poker players grows, our contributions to the field become less and less relevant to the majority population of the Internet, and we risk becoming a marginalized group, even though we are the most capable of helping to raise the bar for everyone. It is crucial for the research community to keep the motivations of both the adversaries and the civilians who use the network in mind, so we can assist them by playing the proper game. I certainly like the chess problems of today, and by no means am I calling for research in the more esoteric fields to cease; this is merely a friendly reminder to beat the attacker at his or her own game, not to play against yourself and declare yourself the winner.
Cyber-security Philosopher and Boffin