Contributing to the cyber security conversation

Oct 16, 2016 · Business, Canada, IT Security, politics

My firm, Institute X, responded and provided a paper to the Canadian Government’s Consultation on Cyber Security. It’s a considered white paper that assumes government should do what it’s supposed to do (public safety and security; and support Canadian industry). We suggest that an “unreasonably” high standard for cyber security and directed support toward the Canadian cyber security industry (e.g., national security-protected procurement) will benefit Canada on multiple fronts.

Download it here: institute-x-cyber-security-consultation-submission-oct-2016.

The unbearable lightness of being… Snowden

Sep 30, 2014

I read the news today (well, on the weekend, actually), oh boy. It seems that the Internet is coming under attack in the East. It made me wonder about the poster child for Internet utopianism: Mr. Snowden, in his lavish or maybe squalid Moscow apartment.

China has, of course, been a strong “administrator” of Chinese Internet for a long time now. Everyone there and here expects the regime to nose in on and strong-arm service providers, search engines, portals, and users in their age-old quest to control everything about that society. But we all had such high hopes for Russia after the fall of the Wall in ’89. Democracy and capitalism would roll through the former Soviet Union like a Siberia-bound train. It seemed to start pretty well, and then members of the billionaire oligarchy ended up in jail, their assets nationalized. Punk rock girls went to jail. People disappeared. The president, despite following constitutional rules, slowly and steadily became an imperial government of one. Flash forward and the old bear is annexing Ukrainian sovereign territory and fomenting insurrection with some soldiers that they lent to (or “allowed” to go fight with) rebels in eastern Ukraine.

During this period, as everyone knows, Edward Velcro-hands absconded with classified secrets of the US and other governments, secured while he was a trusted contractor to the National Security Agency. Instantaneously, in the heady days of Wikileaks and Julian Assange’s 15 minutes of fame, Snowden became a hero to patriotic freedom lovers the world over, not least within the civil rights and other such communities in the US. So roundly loved and lauded was he, that he immediately fled the country first for Hong Kong and then for the loving embrace of Mother Russia. This, of course, so that he would not be tried as a thief and traitor.

The secrets about “Five Eyes” and US/other government surveillance of its own citizens showed clearly that the Western governments about whom he had discomforting information to reveal were not doing very good things–to their own citizens. To make a long story short, the whole episode and Snowden himself always speaking from Russia via video catalyzed and crystalized popular awareness of the dangers of the Internet. That is, it revealed that the Internet is not a utopian garden where there is peace, love, and understanding (except for the Nigerian scammers…), somehow removed from the rest of the world. It also showed that governments were bringing the rest of the world–all that bad stuff–to this electronic Eden.

What was revealed but did not obviously trouble those who were troubled by the trouble that Snowden found himself in was, in fact, that the world is a nasty place. The kind of ugliness that we see on television drama and in movies actually happens someplace in the murkiness of the shadows and behind closed doors. Moreover, it happens because while civil rights and protection from government encroachment on one’s privacy, to pick a popular theme in this situation, is important, national security might trump it. That is, it’s a judgment call: your privacy or your safety? It is arguable that we elect our governments to fall on the side of our safety when things get rough. But that is not the point here.

What Western governments were exposed as doing was in and of itself bad. But what Snowden exposed was tactical information that eliminated any kind of advantage in a bigger forum–like international affairs. In any case, the point is that although he is a wanted man, he is alive. He propagated navel gazing and pontificating about these subjects to the point that one has to wonder whether the safety issue has been sufficiently, artificially, and probably disastrously poisoned. But that’s enough back story and evangelizing.

Why I thought about Snowden this weekend is because of the laws that Tsar Putin is intending to have enacted. Specifically, Putin intends to extend the state’s right to control the Internet in Russia. The details can be found elsewhere, but the broad strokes are that any individual with a blog read by more than 2000 people will be considered a media outlet and subject to the laws governing media organizations. Portals, search engines, and other service providers online must operate specifically off of servers located in Russia which would be firewalled at the Russian border AND fully subject to the state having unfettered access to all logs and records. There’s more.

About Edward Zhivago, I wonder if he’s at all disheartened by this turn of events? It’s not like he can complain much about it. Perhaps he’s morally OK with the situation because the Russian snooping and surveillance would follow the rule of law, such as it is? Let’s admire the fact that Putin has no intent of spying on his people from the shadows: he’s fully up front about it. In any case, I prophesy that if he is as smart as alleged, he won’t be making any video appearances at SXSW castigating this unfortunate imposition on the privacy, rights, and freedoms of Russian Internet users. Or, if we do, it will only happen once.

IT Security and the rise of the Data Chemists

Sep 07, 2014

The days of perimeter protection for online security and privacy are dwindling. Those tried-and-true approaches for safeguarding data and ensuring organizational and individual data security are destined to the quaintness of punch cards. Relying on them as the paradigm of security for extensive or elaborate IT implementations that have a future is not wise. There is a better way.

The concept of perimeter security is inspired by the notion that if you put all your eggs in one basket then you have but one basket to guard and protect. It is a castle, high on a hill with thick stone walls and drawbridges over impassable moats. The stuff inside is safe because the bad guys are kept at bay. Until it’s not.

One problem with perimeter security is that it depends on meeting force with force. So attempts to breach firewalls and ports are met with clever shields and redundant blocks. That is not a bad thing; it’s just a recursive cycle that probabilities suggest will always end in breaches. Moreover, it hardly matters how strong the perimeter is: once there is a crack, everything is in jeopardy. Since things have to move across the perimeter to function properly, the perimeter is porous by design, raising the odds of compromise.

To deal with the hole-y perimeter and make it reasonable for individuals to pass we take cues from the Old Testament. The Gileadites augmented their perimeter, keeping out the Ephraimites by demanding everyone crossing the border say the word “Shibboleth.” To make an old story short, those that could not were obviously trespassers and were dealt with in a decidedly Old Testamentary way. The concept introduces the demand for secret password identification.

In prevailing IT security, a previously established password presented at the perimeter gets compared to the one held behind the perimeter walls. This system can be compromised on the outside by capturing the password or matchable token from the individual to whom it belongs. Alternatively, the store of passwords/comparables inside the perimeter is, in fact, a geometrically more valuable treasure.
This approach is ever-less effective. In fact, it is practically a law that the value of perimeter protection is inversely proportional to participant sophistication.

So, what is the viable alternative? In Introductory Financial Management many years ago, I was introduced to the concept of diversification. It refers to investing in assets of varying risk profiles so that the aggregate risk would be more readily predictable. There is a lot of calculus and probabilities math behind this, so it must be scientific. Those who avoid scientific language might be inclined to describe diversification as spreading the risk or not putting all your eggs in one basket.

Critically, the risk is inherent in the value of the asset itself. If data is the valuable asset and the risk is that its acquisition by unauthorized parties can result in privacy or confidentiality breach which could have significant financial impact, that sounds a bit more like securities. In which case, managing risk more like a financial wizard becomes sound policy.

This challenges a core assumption of today’s IT security, being that one can prevent breach from happening. In other words, we presume and measure from zero, trying to keep the needle there (like airline safety). After all, if there is a lot of valuable data in one spot AND breach will affect lots of data and people, ANY breach is catastrophic and must be prevented. This base notion results in a course of action that takes us along the path that IT security has followed thus far.

What if that presumption were inverted? Instead, accept that there will always be (many) breaches. Then the goal cannot reasonably be to prevent them all, but rather to make them small, unprofitable, and essentially meaningless. In other words, diversify the risk away. This different starting point will result in a different approach. (That is the intent of encryption, but it should be quite evident that encryption alone is necessary but not sufficient in the cyber-security arms race.)

Take this idea further. What if there were no stores of meaningful aggregated data? It would not be worthwhile to penetrate the challenging security of an online service if there were nothing useful to acquire. Nobody would bother to break into a bank vault for one bar of gold. The crime doesn’t pay. Such a circumstance would require CIOs and security specialists to become “data chemists.” It is nothing less than alchemy—in reverse. Take gold and turn it into lead (or its elemental components). The real magic is in the owner being the only one able to reconstitute it into gold—when needed.

So, where does this leave us? Unfortunately, without specific answers; but with an idea for alternatives in the post-perimeter IT security world. The next wizards of security and privacy will succeed when they courageously change the metaphor and the starting point for their practice.
Start soon though: Our privacy and confidentiality depend on it.

Personal Information as Money

Aug 19, 2014 · ethics, IT Security, Privacy

I’m a fan of bit torrents. To be clear, I rent movies legally; I do not “share.” Still, bit torrents fascinate me because the peer-to-peer system represents thinking for what could be the next great leap in online privacy protection.
The obvious problem with privacy (online) shows up in one of two types of news items. One: a breach of data on some organization’s servers or lost off someone’s USB drive puts thousands or perhaps millions of people’s private information into the hands of unauthorized and probably unsavoury characters. Two: an organization that has amassed privileged, personal information about customers or citizens for some purpose shows its industriousness and uses its “intelligence” to draw undesired conclusions about and harass those same people. In either case, when such a situation is exposed, people feel justifiably violated… even if there is no real harm done.
As I say, these are obvious challenges to privacy. They are not, however, the real issue. Privacy breaches are a symptom and proxy complaint. What’s happening in both circumstances is a breach of trust. In the first case by criminals (or the government) who have larcenously acquired private property (your information), and in the latter by an institution that said “trust us with your important information,” then misused it without your understanding or approval. Blame gets properly directed toward those that have let us down.
Funny that we don’t turn that blame inward. After all, the root of the problem is that we have trusted some organization to keep safe and use only as prescribed something of value to us: our most personal information. At least that’s what we say while we’re railing on about its loss or misuse. But we did let go of that information in the first place, likely without appreciating the potential impact. And probably for not even fifty pieces of silver. So the real problem is that we have ignorantly given up what is dearest to us to somebody else’s keeping. Worse, we gave it to someone or something that is acquiring similarly valuable information from many others and keeping the whole lot in a single place. That creates a treasure trove of value for a thief and a wicked temptation to any other amoral entity.
Is it really any wonder not that there are privacy breaches at all but rather that there aren’t more?
Whether you are reading this as an individual whose information is so entrusted or as an organizational leader in possession of that information, perhaps you’re thinking about information wrong. Chances are that you imagine all this personal information is ones and zeros. Less of a nerd, perhaps in your imagination it is benign sets of discrete data. In any case, “information” is almost certainly an abstraction. Even when rendered as reams of paper (Who else does that anymore?) it has no substance. That makes it very easy to minimize and marginalize.
Try a little thought experiment with me. Contrast and then equate this personal data with cash. Yes, now your (customers’) information is money! Now it has meaning and substance. Doesn’t that change things a bit?
If it’s your information/cash, don’t you take more care with it? Won’t you be a bit more circumspect about where you pull it out, where you put it, and with whom you entrust it—and why? The problem with information (and where this metaphor breaks down, actually) is that it is not a diminishing asset: when you give it up, you still have it. So, perceptually, there is no fine point on losing possession of it.
On the other hand, if you are entrusted with money (information), you now have a fiduciary responsibility for it. Financial institutions (except certain S+Ls, derivatives houses, and mortgage lenders) tend to take their responsibility for their customers’ money seriously. To start with, their customers take it seriously. Then, of course, so does society in the form of strict regulations and governance.
Moral, legal, and economic incentives seem to have the necessary impact. So you don’t often hear about frivolous or cavalier disregard for how a financial institution tends to and uses its customers’ money. And, we don’t hear about too many thefts arising from the interception of bits and bytes that represent real money. When there is such a theft, there are again many incentives to pursue and recover the money, and prejudicially prosecute the crime.
Only a fool expects complete safety and everyone wants some control and means to exert control to get (what’s left of) their money back from those to whom they have entrusted it. The entire system of “tangible” fiat money makes everyone care more about the exchange.
We could do a lot worse than think about our allegedly valuable personal information with the same concern that we give dirty old cash.
