
I don't agree at all that more critical systems are online. What I see instead is a greater recognition of the variety of critical systems that are and always have been exposed, leading in turn to better security for those systems. And we're kidding ourselves if we think that the attackers we're facing today weren't active 10 years ago.

20 years ago, owning up someone's voice mail was a funny joke (teenagers were literally owning up switching systems). Today, we're all carrying HSMs in our pockets. Things are better, not worse.




Owning someone's voice mail, or even a PC, is ultimately very low impact on societal scale. But what about the increasing amount of physical systems that are on-line - factories, powerplants, hospitals, cars, pacemakers (via phone), etc.? Is this not as big of a problem as it seems to be?


The point isn't that voicemail is super important; the point is that infrastructure wasn't even secure a decade and a half ago. The systems you're talking about were all exposed then too.


As far as I can tell, the first openly networked pacemaker was implanted in ~2009 [0] (Probably earlier in not-announced mode, but not by much). A decade and a half ago, people pretty much only had a home PC connected to the internet in their house. Now they have everything from their lights to thermostats to home security systems connected. 15 years ago, there were probably some internet systems with large collections of personally identifying information on them, but western society as a whole hadn't yet decided to put all the data one could want to know about them in one place (multiple times over).

Everything might be more secure, as you say, but there are so many more ways a small hole could be exploited to do damage now.

[0] https://www.popsci.com/scitech/article/2009-08/first-patient...


It's clear to me that this is nowhere near accurate and I'm not sure why you insist on making these sort of claims.

One only has to look at self-driving cars to disprove you.

Dan Geer also entirely disagrees with what you wrote [1] [2] and you're no Dan Geer, sorry to say.

[1] http://geer.tinho.net/geer.indiana.19x17.txt

[2] http://geer.tinho.net/geer.uncc.5x16.txt


Look, Dan Geer is fine, so I won't snark and say "that's one of the nicer things anyone has said about me on HN"†, but let's be clear: Dan Geer and I have a very different kind of day-to-day workload. We'd probably come to different conclusions about all sorts of things. I would also in a million zillion years never quote Nassim Taleb on anything. He's wrong here, as he has been in the past. We've all been wrong about things! I just happen to be right about this one thing.

† Sure, I just did, but I'm being upfront that it's a cheap and unfair thing to say. I'm human.


You don't agree at all that increasingly critical parts of society have been subsumed by the Internet during the last _28_ years? What planet are you living on?

Please elaborate because I don't see how you can even remotely defend what you wrote.


Well, angry anonymous commenter, I've been working in software security since (checks notes) 1993, and professionally since 1995, and the claim you're making just doesn't hold up. "The Internet" may have subsumed all sorts of things, but it's ~1.5 behind computers and telecommunications. Before there was an Internet, the world ran on dial-up modems and X.25, and people were breaking into things then too.

Things have gotten better, not worse, and personally, if I was being more aggressive about the argument (which I guess I am now), I'd go further and say you can't have been paying any attention in the 1990s (or to the history of what happened in the 1980s) and think otherwise.


I'm stating the following since I've seen you appeal to your work history and say "trust me, I've been in this for a long time" far too many times to give you a pass here. There are plenty of tptacek posts on HN, where it is crystal clear to anyone with similar years in the domain as yours that you're either entirely wrong or deliberately misleading. You need to make a proper argument if you want to convince me.

There were computers, telecommunications, dial-up modems, X.25 and private networks in the 90s but the degree of cohesion, sublimation and intra-connectivity wasn't anywhere close to what we have today. Consequently, the actor domain looked very different and concepts such as cyberwarfare weren't even in the public eye. Morris worm vs NotPetya. Sure, barrier to entry was very low compared to now. But, as Dan Geer has repeatedly shown, risk has grown tremendously even if the field has gotten a lot harder. You don't think that completely disproves you?


Dan Geer is wrong. I already made the argument, upthread. I'm responding to your appeal to his authority with an appeal to my own experience. It has gotten harder to break into things, not easier. The Morris Worm was arguably a bigger deal than NotPetya --- certainly, it was more sophisticated. Every couple of years, there's some malware or other that manages to infect huge numbers of machines. IIRC, Nimda took down the entire Naval Marine Corps Internet. They said then that we had crossed some threshold, and from now on attackers were just going to get worse. Who cares? Guess what: the opposite thing happened.



