It all started with a prompt…
Because the prompt represented interactivity, the ability to rapidly instruct a computer to do things. Then came sharing, the ability to show and share what had been done. Lastly came security, the ability to restrict what we shared with only those we wanted to share it with.
Unfortunately, that last part turned out to be the most difficult and the most critical one.
In our haste to build systems that shared information, we ignored the importance of privacy and security. This flaw remains in nearly all aspects of networked computing today. It is the missing puzzle piece that everyone is searching for and it has become the holy grail of computer security.
When Sun Microsystems came up with the moniker “The Network is the Computer” they were foreshadowing a trend that was far bigger than just networked workstations. Today, the network IS the computer, a reality being accentuated even more with the advent of cloud services. Following that analogy though, if the network is the computer, it really needs a password! With all the different ways that information can be shared, the ways to protect access have become quite complicated in use and implementation.
We are seeing an interesting new kind of arms race, one of both information and security. With state actors entering into the picture, the stakes of this arms race are going up. What if instead of the emails of Hollywood executives, the plans for highly dangerous nuclear devices were leaked onto the internet? What if Wikileaks had exposed much more than just cables between embassies? What if the world’s stock trade systems were compromised?
Security is more of an issue now than ever, and the people who take it seriously in the form of advancing the state of the art are going to be the ones who win the war.
During another arms race, The Cold War, the US employed an interesting strategy against the USSR: outspending. By creating things like the “Star Wars” program and a unilateral arms race, we bankrupted the USSR by outspending them. It was an effective strategy and it worked quite well. There is no USSR today.
In the Security Arms Race, it’s a different story. The US/USSR arms race was based on the physicality of armaments and threats. The security arms race today is built more on establishing dominance in security practices and protocols. Without security being built implicitly into communications we have to solve the problem in different ways. Some possibilities are:
1) We rebuild the internet with implicit security. Reinvent the wheel starting with security instead of openness.
2) We establish standards for security and force adherence.
3) We encourage security practices and standards via awareness.
Option 1 is preferable, but very, very difficult to do at this point. There are issues of trust and implementation that are hard to overcome with the scale that the problem has reached. The cost to do this would also be astronomical and the logistics complicated.
Option 2 is currently being attempted by the government. My previous blog entry underscored some of the problems in this approach. The main ones being trust and competence. Forcing compliance would require government intervention into private organizations in a way that is far more invasive than anything we have today.
Option 3 is probably the most achievable, but it requires that organizations self-evaluate how they run their security. From an economical standpoint, this option is also the best way to build out our security advantages because it is self-funded. The stakeholders who have the highest interest in maintaining high security of their assets will fund their implementations.
In an arms race you need arms, and in a security arms race you need the same. We see some of this in the media in the form of different kinds of viruses and virus detectors, security protocols and security key crackers, encryption standards and their mathematical weaknesses.
Among all these things there is one thing that stands out though, the issue of awareness. In the Cold War, the awareness that each side had towards the stockpiling of nukes was very acute. In the security arms race, this point is not so clear. Organizations often dismiss security as “good enough”. They feel a few passwords make things secure. However, as we have seen recently, this is not nearly enough. Awareness needs to be constant and machine-assisted. Security attacks are often done through anonymous networks of machines and detecting them is the first step in thwarting them.
A lack of awareness at different levels leads to a strengthening of the kinds of attacks that can be attempted. For example, networks of compromised machines can be used by botnets to do all sorts of mischief from denial-of-service attacks (like the one that took Facebook down for half an hour last week) to encryption-cracking networks. A lack of security awareness at a machine-level can lead to increased threats at a larger level.
So that’s the first thing we need to think about in security, becoming aware of the kinds of attacks and being able to rapidly detect and stop them when they happen.
The second part is the arms themselves. In this area, it comes down to knowledge. Knowing all the different kinds of attack techniques is something that good security professionals keep themselves on top of. The techniques continue to evolve as the stakes grow. With nation-states becoming more active players, security threats are no longer relegated to criminal networks. In the US, the NSA is the single largest employer of mathematicians and you can bet that in other countries there is a similar trend. To keep on top of the latest developments in security is no longer a matter of getting the latest McAfee virus file. Security has become a major area of study.
That’s where my company comes in. We don’t regard your security lightly. To do security right, you need to be aware and armed for intrusions. Milton’s technologies and expertise will help you stay ahead in the security arms race. Give us a call and let’s talk.