Contributing to the cyber security conversation

Categories: Business, Canada, IT Security, politics
Oct 16, 2016

My firm, Institute X, responded and provided a paper to the Canadian Government’s Consultation on Cyber Security. It’s a considered white paper that assumes government should do what it’s supposed to do (public safety and security; and support Canadian industry). We suggest that an “unreasonably” high standard for cyber security and directed support toward the Canadian cyber security industry (e.g., national security-protected procurement) will benefit Canada on multiple fronts.

Download it here: institute-x-cyber-security-consultation-submission-oct-2016.

The unbearable lightness of being… Snowden

Categories: Uncategorized
Sep 30, 2014

I read the news today (well, on the weekend, actually), oh boy. It seems that the Internet is coming under attack in the East. It made me wonder about the poster child for Internet utopianism: Mr. Snowden, in his lavish or maybe squalid Moscow apartment.

China has, of course, been a strong “administrator” of the Chinese Internet for a long time now. Everyone there and here expects the regime to nose in on and strong-arm service providers, search engines, portals, and users in their age-old quest to control everything about that society. But we all had such high hopes for Russia after the fall of the Wall in ’89. Democracy and capitalism would roll through the former Soviet Union like a Siberia-bound train. It seemed to start pretty well, and then members of the billionaire oligarchy ended up in jail, their assets nationalized. Punk rock girls went to jail. People disappeared. The president, despite following constitutional rules, slowly and steadily became an imperial government of one. Flash forward and the old bear is annexing Ukrainian sovereign territory and fomenting insurrection with some soldiers that they lent to (or “allowed” to go fight with) rebels in eastern Ukraine.

During this period, as everyone knows, Edward Velcro-hands absconded with classified secrets of the US and other governments, secured while he was a trusted contractor to the National Security Agency. Instantaneously, in the heady days of Wikileaks and Julian Assange’s 15 minutes of fame, Snowden became a hero to patriotic freedom lovers the world over, not least within the civil rights and other such communities in the US. So roundly loved and lauded was he that he immediately fled the country, first for Hong Kong and then for the loving embrace of Mother Russia. This, of course, so that he would not be tried as a thief and traitor.

The secrets about “Five Eyes” and US/other government surveillance of their own citizens showed clearly that the Western governments about whom he had discomforting information to reveal were not doing very good things–to their own citizens. To make a long story short, the whole episode, and Snowden himself always speaking from Russia via video, catalyzed and crystallized popular awareness of the dangers of the Internet. That is, it revealed that the Internet is not a utopian garden where there is peace, love, and understanding (except for the Nigerian scammers…), somehow removed from the rest of the world. It also showed that governments were bringing the rest of the world–all that bad stuff–to this electronic Eden.

What was revealed, but did not obviously trouble those who were troubled by the trouble that Snowden found himself in, was, in fact, that the world is a nasty place. The kind of ugliness that we see in television drama and in movies actually happens someplace in the murkiness of the shadows and behind closed doors. Moreover, it happens because while civil rights and protection from government encroachment on one’s privacy, to pick a popular theme in this situation, are important, national security might trump them. That is, it’s a judgment call: your privacy or your safety? It is arguable that we elect our governments to fall on the side of our safety when things get rough. But that is not the point here.

What Western governments were exposed as doing was in and of itself bad. But what Snowden exposed was tactical information that eliminated any kind of advantage in a bigger forum–like international affairs. In any case, the point is that although he is a wanted man, he is alive. He propagated navel gazing and pontificating about these subjects to the point that one has to wonder whether the safety issue has been sufficiently, artificially, and probably disastrously poisoned. But that’s enough back story and evangelizing.

Why I thought about Snowden this weekend is because of the laws that Tsar Putin is intending to have enacted. Specifically, Putin intends to extend the state’s right to control the Internet in Russia. The details can be found elsewhere, but the broad strokes are that any individual with a blog read by more than 2000 people will be considered a media outlet and subject to the laws governing media organizations. Portals, search engines, and other service providers online must operate specifically off of servers located in Russia which would be firewalled at the Russian border AND fully subject to the state having unfettered access to all logs and records. There’s more.

About Edward Zhivago, I wonder if he’s at all disheartened by this turn of events? It’s not like he can complain much about it. Perhaps he’s morally OK with the situation because the Russian snooping and surveillance would follow the rule of law, such as it is? Let’s admire the fact that Putin has no intent of spying on his people from the shadows: he’s fully up front about it. In any case, I prophesy that if he is as smart as alleged, he won’t be making any video appearances at SXSW castigating this unfortunate imposition on the privacy, rights, and freedoms of Russian Internet users. Or, if he does, it will only happen once.

IT Security and the rise of the Data Chemists

Categories: Uncategorized
Sep 07, 2014

The days of perimeter protection for online security and privacy are dwindling. Those tried-and-true approaches for safeguarding data and ensuring organizational and individual data security are destined for the quaintness of punch cards. Relying on them as the paradigm of security for extensive or elaborate IT implementations that have a future is not wise. There is a better way.

The concept of perimeter security is inspired by the notion that if you put all your eggs in one basket then you have but one basket to guard and protect. It is a castle, high on a hill with thick stone walls and drawbridges over impassable moats. The stuff inside is safe because the bad guys are kept at bay. Until it’s not.

One problem with perimeter security is that it depends on meeting force with force. So attempts to breach firewalls and ports are met with clever shields and redundant blocks. That is not a bad thing; it’s just a recursive cycle that probabilities suggest will always end in breaches. Moreover, it hardly matters how strong the perimeter is: once there is a crack, everything is in jeopardy. Since things have to move across the perimeter to function properly, the perimeter is porous by design, raising the odds of compromise.

To deal with the hole-y perimeter and make it reasonable for individuals to pass we take cues from the Old Testament. The Gileadites augmented their perimeter, keeping out the Ephraimites by demanding everyone crossing the border say the word “Shibboleth.” To make an old story short, those that could not were obviously trespassers and were dealt with in a decidedly Old Testamentary way. The concept introduces the demand for secret password identification.

In prevailing IT security, a previously established password presented at the perimeter gets compared to the one held behind the perimeter walls. This system can be compromised on the outside by capturing the password or matchable token from the individual to whom it belongs. Alternatively, the store of passwords/comparables inside the perimeter is, in fact, a geometrically more valuable treasure, since one breach of it exposes every account at once.
This approach is ever-less effective. In fact, it is practically a law that the value of perimeter protection is inversely proportional to participant sophistication.

So, what is the viable alternative? In Introductory Financial Management many years ago, I was introduced to the concept of diversification. It refers to investing in assets of varying risk profiles so that the aggregate risk would be more readily predictable. There is a lot of calculus and probabilities math behind this, so it must be scientific. Those who avoid scientific language might be inclined to describe diversification as spreading the risk or not putting all your eggs in one basket.

Critically, the risk is inherent in the value of the asset itself. If data is the valuable asset and the risk is that its acquisition by unauthorized parties can result in privacy or confidentiality breach which could have significant financial impact, that sounds a bit more like securities. In which case, managing risk more like a financial wizard becomes sound policy.

This challenges a core assumption of today’s IT security, being that one can prevent breach from happening. In other words, we presume and measure from zero, trying to keep the needle there (like airline safety). After all, if there is a lot of valuable data in one spot AND breach will affect lots of data and people, ANY breach is catastrophic and must be prevented. This base notion results in a course of action that takes us along the path that IT security has followed thus far.

What if that presumption were inverted? Instead, accept that there will always be (many) breaches. Then the goal cannot reasonably be to prevent them all, but rather to make them small, unprofitable, and essentially meaningless. In other words, diversify the risk away. This different starting point will result in a different approach. (That is the intent of encryption, but it should be quite evident that encryption alone is necessary but not sufficient in the cyber-security arms race.)

Take this idea further. What if there were no stores of meaningful aggregated data? It would not be worthwhile to penetrate the challenging security of an online service if there were nothing useful to acquire. Nobody would bother to break into a bank vault for one bar of gold. The crime doesn’t pay. Such a circumstance would require CIOs and security specialists to become “data chemists.” It is nothing less than alchemy—in reverse. Take gold and turn it into lead (or its elemental components). The real magic is in the owner being the only one able to reconstitute it into gold—when needed.
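One concrete way to realize the "data chemist" idea is threshold secret splitting: a record is turned into shares such that any single share (or any set below the threshold) is statistically indistinguishable from random, and only a holder of enough shares can reconstitute it. The code below is an added illustration, not part of the original post or any proposal of the author; it uses a Shamir-style polynomial over a prime field, with the record, threshold and share count chosen as constructed sample values.

```python
# Added illustration (not from the original post): Shamir-style k-of-n secret splitting
# as one concrete way to keep "no meaningful aggregated data" in any single store.
import secrets

PRIME = 2**521 - 1  # Mersenne prime used as the field modulus; records must be < 2**521

def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial with coefficients in GF(PRIME)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc

def split_record(record: bytes, threshold: int, n_shares: int):
    """Turn a record (<= 64 bytes) into n shares; any `threshold` of them rebuild it.
    The constant term is the secret; the other coefficients are uniformly random, so
    fewer than `threshold` shares are consistent with every possible secret."""
    secret = int.from_bytes(record, "big")
    assert secret < PRIME and 1 <= threshold <= n_shares
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]

def recover_record(shares, length: int) -> bytes:
    """Lagrange interpolation at x=0; correct only when len(shares) >= threshold.
    With too few shares the result is a field element unrelated to the record,
    which may not even fit in `length` bytes, so the width is grown as needed."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    width = max(length, (secret.bit_length() + 7) // 8)
    return secret.to_bytes(width, "big")

def demo():
    """Constructed sample: a 3-of-5 split of one sensitive field."""
    record = b"acct=1234567890;ssn=000-00-0000"  # constructed, not real data
    shares = split_record(record, threshold=3, n_shares=5)
    enough = recover_record([shares[0], shares[2], shares[4]], len(record))
    too_few = recover_record(shares[:2], len(record))
    return record, enough, too_few
```

Each share can then live in a different store (or with a different custodian); a breach of any one of them yields nothing reconstitutable, which is the "lead, not gold" property the post describes.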

So, where does this leave us? Unfortunately, without specific answers; but with an idea for alternatives in the post-perimeter IT security world. The next wizards of security and privacy will succeed when they courageously change the metaphor and the starting point for their practice.
Start soon though: Our privacy and confidentiality depends on it.
