What is Security? In an old essay1, I argued that Security is the “(methods or processes of) configuration of Power.” You currently have quite a lot of Power over the contents of your home, and you would prefer some burglar not having such Power over your possessions. The process/methods of ensuring that doesn’t happen is Security.

And this applies both defensively (your private home) and offensively. If you want to reconfigure a hostile nation state to have less Power over an oppressed minority or disputed resource, that’s generally considered a Security issue.

Cyber Security is an important subfield of Security more broadly. How do you keep digital assets safe, access and authentication well configured? You don’t want random ransomware gangs to have Power over the encryption status of your hard drive.

Buying Cyber Security

Lets say you’re an up and coming digital business that wants to purchase Security for your digital assets by moving them into some well managed cloud. You are pitched by two companies:

• AWS, the largest and oldest player in the field

• Some Upstart™ Inc.

Which one do you expect will have better Security?

Well, the obvious answer is AWS. They’ve been around for a long time, are trusted by many, are very experienced, etc. Nothing controversial there.

But what process actually underlies this intuition?

• Is it that AWS has some kind of awesome, cutting edge, super security software? No, unlikely, if anything they are probably tethered to tons of horrible legacy systems they have to keep maintaining.

• Is it that AWS has the best talent? Sure, there’s definitely some of this, but did you look up their head of security’s CV and decide based on that?

• Is it that AWS has the best security processes? Maybe, but did you make the decision based on them describing their code deployment checklists?

• Is it that AWS has been hacked less? Surely not, the upstart is likely to have had much fewer critical security incidents than AWS has, and AWS is being targeted directly by the most dangerous threat actors 24/7.

What I want to point out is an underlying intuition I call Security by Blood.

Security by Blood

The reason we trust AWS’ security is because they have Paid in Blood, they have made every possible mistake, gotten hit by every possible threat actor and are still here.

AWS is trusted for security not because they have the best formally verified software stack, or because their head of security is a genius, or even because they don’t get regularly hacked. It’s because they’ve seen everything, been hit by everything and have built, iteratively, agonizingly, a robust enough system.2

This is not the only way one could, hypothetically, reach Security. There are methods such as formal verification that could be used to prevent hacks from ever happening in the first place.3

But in practice, this is just too hard/expensive to do, so people don’t.

Punchline: Everything is like this

The punchline is that AWS isn’t unique, everything is like this!

Security is most often gained not by the best planning, the best processes or mechanisms ahead of time, but by agonizingly throwing yourself against the problem over and over and iterating without dying.

If you can survive a lot of Bleeding without Dying, you can acquire Security.4

But if the Bleeding kills you, you need another method.