Nobel Prize-winning physicist Richard Feynman warned about "cargo cult science" in a 1974 Caltech commencement speech.
Kevin Fleming—Corbis via Getty Images
By Robert Hackett
May 19, 2018

Happy weekend, Cyber Saturday readers.

It has been busy here at HQ between a Fortune 500 issue close and New York City’s “blockchain week,” so I’m passing my weekend column duties on to a pinch hitter. Today’s essay comes to you courtesy of Oren Falkowitz, a cybersecurity entrepreneur, NSA alum, and regular reader of this newsletter. His contribution is timely, you’ll discover as you read on, given that it was the 100th birthday of the late scientist Richard Feynman last week. Hope you enjoy.


When the Nobel Prize-winning physicist Richard Feynman delivered the 1974 commencement speech at Caltech, he warned against “cargo cult science,” in which people arrive at erroneous conclusions by misinterpreting the causality of results. The phrase derives from religious movements on isolated islands in the South Pacific that received airdrops of vital supplies during World War II. There, witch doctors pronounced that building new airstrips and bamboo headphones would make the supply-laden airplanes reappear.

Unfortunately, this sort of deluded thinking is just as prevalent in our modern world, and nowhere more so than in cybersecurity.

We witness this cargo cultism when people ascribe insurmountable superpowers to cyber actors, simply because we struggle to stop them. We encounter it in the industry’s xenophobic biases, which treat software developed in Russia or emails from Nigerian internet addresses as suspect, even when we can’t actually pinpoint maliciousness. And the phenomenon manifests itself in a persistent belief that, if we just try harder, we can train people to spot phishing attacks that are, in fact, designed to fool them.

Despite the billions of dollars spent on cybersecurity, damages from cyberattacks continue to mount, and the underlying economics of being a bad guy on the internet remain a really good business. Hackers are moving on a frightening trajectory from data theft and data ransom, to data manipulation, to physical destruction. Now they are threatening the very stability of society.

Products that return disastrous results, as the current crop of cybersecurity solutions do, usually don’t survive the ruthless equilibrium of the marketplace. But in cybersecurity, accountability is essentially nonexistent. We should demand that vendors offer guarantees, or price products based on performance. You wouldn’t pay for a car if it broke down as soon as you took it off the lot and onto the highway, and you shouldn’t pay for cybersecurity that doesn’t work.

The witch doctors of cybersecurity have offered sham remedies. Trends in business like the transition to cloud computing, through Amazon Web Services and Microsoft Azure, are conditioning customers to pay only for what they use. Cybersecurity should be no different: Pay for performance, rather than pay-for-misses. Quite simply, does it protect you or not?

Until cybersecurity companies produce solutions that actually stop cyberattacks—provably, transparently, and repeatedly—we’ll continue dutifully making faux radar towers in palm trees. Humans are capable of accomplishing amazing feats, and our history of accomplishments as a species should give us the confidence that solutions in cybersecurity are just as surely within our grasp.


Mr. Falkowitz is a co-founder and the Chief Executive Officer of Area 1 Security. You can follow him on Twitter at @orenfalkowitz.

Robert Hackett


Welcome to the Cyber Saturday edition of Data Sheet, Fortune’s daily tech newsletter. Fortune reporter Robert Hackett here. You may reach Robert Hackett via Twitter, Cryptocat, Jabber (see OTR fingerprint on my, PGP encrypted email (see public key on my, Wickr, Signal, or however you (securely) prefer. Feedback welcome.
