False Security is Worse than No Security

Ostrich?

You’ve probably heard the old story about how an ostrich, when it gets scared, buries its head in the ground to hide. The idea is that if the ostrich can’t see its threat, the threat can’t see the ostrich. There is a certain logic and humor in this story, which is why it has been around for so long.

With the recent attention around the Sony hack, as well as all the other large-scale breaches (Target, Home Depot, Staples, etc.), the government has felt a need to respond with some reassurance that it is doing something to help.

Generally the government’s help comes in two different forms – regulation and/or direct control. In 2013 it was a combination of both: the “Improving Critical Infrastructure Cybersecurity” Executive Order. The goal of this executive order was to improve the security of critical infrastructure through the establishment of standards, review, and information sharing.

On the surface it seemed like a great idea: bringing awareness to security issues, being proactive in helping the private sector review its policies, and establishing a policy framework in the first place. But two years on, we can judge how well this Executive Order has actually worked. Sharing of information and data sounds great, but the recent attacks would not have been (and were not) stopped by any part of this Executive Order.

Undeterred by the fact that his Executive Order accomplished nothing substantial (and stopped no break-ins), President Obama outlined in his State of the Union speech this week what he thinks Congress should do right now, “for the children”:

“No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyberattacks, combat identity theft, and protect our children’s information.”

Of course, when you invoke children, it sounds perfect. But there are problems with parts of what his proposed legislation seeks to do. Reading the proposed text, there is even a potential that it would criminalize the work of security researchers and security companies.

Parallels in other industries?

This week I had the opportunity to attend the SHOT Show in Las Vegas again. For those that don’t know what the SHOT Show is, it is like the Consumer Electronics Show (CES) for the hunting and outdoor industry. They bill themselves as “The Shooting, Hunting, Outdoor Trade Show and Conference for the firearms, hunting, and shooting and accessories industry.” During the show I met with quite a number of people, from small business owners to large manufacturers, who all feel they are over-regulated by government agencies whose sole intent is to put them out of business by making the things they manufacture or sell harder to get, heavily regulated, or illegal.

The problems we face in the computer security industry are similar to those faced by the hunting and gun industry (and many other industries where government regulation keeps growing). In both cases there is a creeping increase in regulatory measures which impose unnecessary burdens on law-abiding owners while doing nothing to address the actual threat: criminals who already have access to illegal weapons. The feeling of being safe is provided by the facade of regulation, but it is false, because the actual criminals are still out there with weapons. Criminals don’t follow laws and regulations; they are law-breakers.

It is commendable to establish information-sharing standards among private security firms, and, as we all know, it is great to have a proactive attitude toward security. But giving the government even more power to intrude in the operation of private infrastructure is not really going to do anything except increase bureaucracy and sacrifice privacy for a false sense of security.

Facebook

Last year, Mark Zuckerberg, the CEO of Facebook, had some rather interesting things to say on this very point after reports surfaced that the NSA had masqueraded as a Facebook server in order to infect target computers with malware. Mr. Zuckerberg had this to say:

“To keep the internet strong, we need to keep it secure. That’s why at Facebook we spend a lot of our energy making our services and the whole internet safer and more secure. We encrypt communications, we use secure protocols for traffic, we encourage people to use multiple factors for authentication and we go out of our way to help fix issues we find in other people’s services.

The internet works because most people and companies do the same. We work together to create this secure environment and make our shared space even better for the world.

This is why I’ve been so confused and frustrated by the repeated reports of the behavior of the US government. When our engineers work tirelessly to improve security, we imagine we’re protecting you against criminals, not our own government.”

With activities like that being carried out covertly by the government, is it really a good idea to give these same agencies unrestricted access to your private infrastructure? Is it a good idea to let them start telling you whom to work with and whom not to?

I think not.

There are already standards for encryption and best practices for maintaining security, and the effectiveness of an agency providing security services is implicit in its record of protecting against attacks. Curiously, the government itself relies on private contractors and open security practices for its own security. Why should we not do the same?

NSA

I should also point out that despite the NSA’s invasive monitoring of the internet, it has not done anything to prevent any of the intrusions I mentioned earlier. After-the-fact detection is of little benefit to people whose data has already been compromised.

And by the way, ostriches don’t really put their heads in the sand. They either run, or they fight.

Call us today and we’ll help you fight the security threats you face.
