“The battle is over. We lost.”
This gloomy proclamation was made by a world-famous security expert at a professional association chapter meeting. (You know who are, Bruce.) It was before Equifax, DNC, Sony, Yahoo, Target, and other recent mega-breaches. But even then, attackers were making rapid gains, while defenders seemed to fall further behind.
This trend became known as “Shamir’s Law” in 2007, when renowned cryptographer Adi Shamir suggested it at a security conference. Modeled on the famous Moore’s Law, which posits that computing power doubles every 18 months, Shamir’s Law states: “Every 18 months, computer security gets 50% worse.”
Especially after Equifax, it’s starting to look like Shamir’s Law is right, in which case winning the battle seems hopeless.
Shamir’s Law has an ominous corollary. If security weakens 50% every 18 months, then it may reach a point of no return. The end of security.
Suppose Shamir was right back in February 2007. Then by August 2008, 18 months later, security was only 50% as good. By February 2010, it was 25%. Then 13% in August 2011, 6% in February 2013, 3% in August 2014, 2% in February 2016. Next August we can expect it to fall below 1%. Beyond 2018, diminishing returns, a future dystopia where any effective security costs more than no security at all.
Shamir’s Singularity is like Zeno’s arrow, we may never quite reach it. But once security falls below 1% of where it was a decade ago, it seems unlikely we could ever reverse the trend.
Shamir’s Law describes a widening gap between two distinct trends. Defenses may actually be improving. Shamir’s Law simply states the attacks improve even faster, the gap doubling every 18 months. We only need to bend the slope of either line to postpone the singularity, not necessarily both.
We lack reliable metrics to verify Shamir’s Law. But we feel it. We see it in the headlines. We lack data to prove it, so we rely on gut feelings and anecdotal evidence.
With a steady stream of bad news, it’s natural to feel discouraged. But if defenders grow discouraged enough to give up the fight, Shamir’s Singularity becomes self-fulfilling prophesy.
Let’s not fall into that trap. For every Equifax disaster, there are a thousand unsung victories. Let’s focus on that.
Maybe we "lost the battle", but the war isn't over yet. Now is not the time to give up. It’s time to bend the curve, just a little, and then a little more.
Michael McCormick is an information security consultant, researcher, and founder of Taproot Security.