To Build In, Or Bolt On, That Is the Question

Somewhere in chapter 1 of any intro to information security textbook you’ll find a brief history of computing ending with a point that much of the woe we’ve faced in information security over the past 20+ years is due to the fact that when we initially built the underlying technologies, security was an afterthought. Early computer networking protocols, for example, were designed to send communications to every computer on the network, with a presumption that only the intended recipient would process the message. All other computers on the network were meant to see that a given transmission was intended for someone else and disregard. That’s right, the honor system. What could possibly go wrong?

In a recent talk, a Facebook engineer admitted that they were likely still years away from following through on last year’s pledge by Mark Zuckerberg to apply end-to-end encryption to its messaging platforms and said they were “still in a place of having more questions than answers.”  Well, nobody said this stuff was easy.

Facebook is facing the very worst of technology problems, which is you built something entirely one way, and now you have to change it to work in the complete opposite way. It’s like remodeling a kitchen so that everything that was once on the left is now on the right. Worse, the change has to do with security, which everyone knows is harder/costlier/riskier to execute in a retrofit vs. a day 1 design.  “Bolting it on” always costs more and never works as well as building it in. 

For Facebook, implementing meaningful messaging security seems to be raising even deeper questions related to doing it right vs doing it at all. Doing it right means much more than just bearing the cost of the engineering projects. It means committing to the reason why you are doing it. It’s hard to retrofit something to incorporate to end-to-end encryption after you’ve (technically) built it otherwise, but it’s even harder to do after you’ve built your entire business and product line on access to customer data. No matter what you say you want – even if it’s 100% honest, and I give the benefit of the doubt to Facebook here – it’s hard to go against your nature. That nature is built into the spirit of great products. So, while the story today is all about the daunting technical challenges ahead for Facebook and whether they’re up to them, the real story is whether those projects can ever be truly successful without a real shift in underlying corporate culture, principles and priorities. That kind of shift can’t be managed in a Gantt chart.