The internet's lack of friction made it great, but now our devotion to minimizing friction is perhaps the internet's weakest link for security. Friction—delays and hurdles to speed and growth—can be a win-win-win for users, companies, and security. It is time to abandon our groupthink bias against friction as a design principle.
Highways have speed limits and drugs require prescriptions—rules that limit how fast you can drive a vehicle or access a controlled substance—yet digital information moves limitlessly. The same design philosophy that accelerated the flow of correspondence, news, and commerce also accelerates the flow of phishing, ransomware, and disinformation.
In the old days, it took time and work to steal secrets, blackmail people, and meddle across borders. Then came the internet. From the beginning, it was designed as a frictionless communication platform across countries, companies, and computers. Reducing friction is generally considered a good thing: it saves time and effort, and in many genuine ways makes our world smaller. There are also often financial incentives: more engagement, more ads, more dollars.
But the internet's lack of friction has been a boon to the dark side, too. Now, in a matter of hours, a "bad actor" can steal corporate secrets or use ransomware to blackmail thousands of people. Governments can influence foreign populations remotely and at relatively low cost. Whether the threat is malware, phishing, or disinformation, it exploits high-velocity networks of computers and people.
It's time to bring friction back. Friction buys time, and time reduces systemic risk. A disease cannot become an epidemic if patients are cured more quickly than the illness spreads.