Sunday, 13 August 2023

If Your Car Was Engineered Like Your Cloud Computing Solution


When you take engineering seriously, the
results are resilient, and elegant.
Imagine you're buying a car from a reputable manufacturer. That manufacturer doesn't build all the components itself. It partners with other specialists and works with them to tight tolerances so that all the bits fit together and work properly.

In a tightly controlled supply chain like that you end up with complex systems that can take you hundreds of thousands of kilometers through extreme environments. When engineering is taken seriously like this, amazing, resilient, elegant machines are the result. Unfortunately, the digital transformation we're living through hasn't been approached with that in mind.

There is nothing elegant about how we've
engineered our 'digital transformation'
2347: Dependency
If your car was built like the cloud infrastructure your business / school / government depends on to operate every day, your software 'manufacturer' scours the internet looking for free bits and pieces of code that will do a job that they can't be bothered to code themselves. This freeware, often taken without consent and seldom supported, becomes part of an under engineered stack of software that makes your magical, money saving cloud infrastructure work. Any time someone decides they want additional functionality, another piece is patched into this mess.

Imagine if your car was built like this. Every tire would come from a different manufacturer with different specs but they all got chucked onto the car because they filled a need at that particular moment. Some of the tires come from tire manufacturers, some came from a guy who thought he could build a better tire in his shed, and they're all different makes and sizes. Some are tested for safety, some aren't even technically tires, but fill the wheel well and roll like a tire. The other parts of your franken-car would also be sourced like that, with simplistic needs met but with little thought for integration or upkeep. Some parts of your rolling nightmare are updated regularly, others never have nor will be, meaning what fits together this week might not next.

One day your engine bolts might update themselves and suddenly the motor won't start because nothing fits. The horn that got installed might not actually be a horn but a fire hazard waiting to burn your new car to the ground when you press the button. You might be running a 1990s transmission with a 2023 chassis that only superficially work with each other but will fly apart the first time you take a corner.

https://www.huawei.com/en/huaweitech/publication/81/open-source-powers-cloud-ecosystem
If there were any consistency in how open source software is integrated into business systems, this might work, but in most cases complex cloud based information management systems are cobbled together collections of corporate systems and under-resourced open source freeware. Why would this chaos suit some companies?

"Tech" companies seldom make the technology you're purchasing from them. In most cases that fancy new operating system you're buying was lifted from freeware and modified to fit the money-making paradigm - in many cases while ignoring the original intent of the freeware developer to provide functionality to those who need it while not supporting a profit mandate. Life's good when you're living a 'move fast and break stuff' tech-disruption life. That's what we're all depending on now to make our critical infrastructure work.

The stack of hardware and software your data passes through to use the internet is staggering. On your computer (laptop, smartphone, whatever, they're all computers) you're using a browser likely made by one company on an operating system made by another. The drivers that run the hardware that connects you online are a third company and in all three cases they may well have 'grabbed' some open source software to make their piece of the puzzle work. Once your data actually leaves your device it hits your router that is running another bunch of hardware and software before getting fired out to your internet service provider (ISP), who is running goodness knows what (but probably with ample amounts of 'free' open source software). From your ISP your data bounces from server to server on its way to its destination. If you're reading this through social media you've now picked up all their bad habits (TwitterMetaGoogle, though notice that they all make monetizing free software look like a community service).

This mad hack-fest is how the internet works and it's how the cloud based programs everyone finds so convenient are built. Your brand new 'mission critical' cloud based accounting software depends on the slap dash engineering to work... all day, everyday. This approach almost begs to be abused, and it is.

How can we possibly secure this mess? Well, it's nearly impossible, which is why you see so many criminals taking to this new frontier. The people using this technology are now decades into a digital skill crisis that shows no signs of abating, so the people who drive these terrible cars don't have the skills to know just how bad they are. Our information and communication technology illiteracy also affects management who make ill informed decisions about how to integrate technology with resilience and best engineering practices first. It's easier to play the victim than take responsibility for the technology we depend on.

The vast majority of online systems depend on open source software that introduce all sorts of chaos into what should be a coherent and carefully engineered system. When you pile on missing user and management digital fluency, it's amazing that the lights are on and your online banking works at all.

Imagine that you are the under-resourced mechanic for that franken-car. When something breaks you may find that it doesn't fit into what the car has changed into as other parts got updated. You might find that the intention of the part you need to replace was misunderstood to begin with and it was never the right thing for the job. Picking 'off the shelf' software to run your system can do that. Whenever you open the hood you're not expecting to see branded parts that were designed to be engineered together, you're seeing a hodgepodge of bits slapped together to work in a given moment. Your maintenance of this car becomes a panicky grab at anything that might make it work, which only makes things worse.

That under-resourced mechanic has a lot in common with cybersecurity specialists tasked with trying to keep our 'digital transformation' functional. When I read an article like this scattered piece in the Globe and Mail I get a sense of just how panicky and clueless our approach has been. They would rather portray criminals as better organized than resourced than government supported businesses in order to explain our ongoing cyber-crisis. The picture this article paints suggests that the slap-dash architects of our digital transformation are now helpless victims of their own poor judgement, but don't worry, it's your data that gets leaked. I found it particularly galling that the writer then insinuates that cybersecurity experts are somehow untrustworthy because they understand how poor our systems are.The spin in this is incredible.

Cybersecurity is an uphill struggle. You can expect the systems you work on to be cobbled together nonsense that no one in their right mind should have made the foundation of a business (or government, or school system). The users you're trying to protect in this digital hodge-podge are so lacking in understanding of how it works that they are your single biggest threat, even beyond the atrocious engineering. The people working against you (many with organized crime or foreign government support) only have to get it right once while you have to get it right all day everyday. It's no wonder we're in a decades long shortage of cyber-talent and seeing burnout in the few who dare to take it on.

The decision to start taking online security from software development on up seriously is going to take a revolution in thinking. Perhaps the coming quantum disruption to encryption in cybersecurity will prompt this change. The hacked together mess that powers our 'digital transformation' into the cloud is begging to be burned down and redone properly.