Cybersecurity Awareness Month comes to a close with a two-part posting. Today, “Are We Winning?”, and tomorrow “Can We Win?”
Are we winning the cybersecurity war? No.
Well, ok, maybe that deserves a little more exploration. The closest analogy that comes to mind, unfortunately, is the situation on the ground in Syria. Combatants show up from all over the world. Who they are, their allegiances, what they are fighting for is murky at best. Their rapid unchecked progress taking over one objective after another has caught everyone by surprise. And our belated focus and ongoing campaign has perhaps slowed their progress in some places, averted a disaster or two in others, but has not yet been effective either in halting further gains or retaking lost ground. Just like in Syria.
So what would it look like to “win” the cybersecurity war? Well certainly not a return to the halcyon days of 1994 when the World Wide Web had just been invented and AOL kept us secure by limiting the sites we could access at 14.4 kbps (booop, wheeet, staticccccc…). Nor even 2004 when we were just trying to decide if online shopping was secure (as we now know, the answer is no).
Instead it looks more like a relativistic answer, compared to today’s shoddy state of affairs. Three specific areas highlight what this means: personal data, transactional data, and Intellectual Property. Personal data will require a reasonable expectation of privacy, meaning that the platforms you use to generate and share personal data (whatever you declare that to be) have no right to access the private content, no right to store data/metadata about you and your usage beyond what is minimally required to provide service, a positive requirement to protect any information they do store with attendant liability if it is breached, and prohibitions against sharing any of that data with any third parties. These are legal issues, not technical.
Transactional data, such as online shopping data. This is a similar situation to personal data, but with the added twist that sharing among third parties (such as banks or health care providers) is necessary for completion of the transactions. We actually do reasonably well on this front today. Although there are certainly plenty of breaches, the financial and health care systems are paying attention and looking for answers (as opposed to the private data platforms who are fighting every step of the way), the questions of liability and remedy are pretty well established and followed, and the incentive structures are well aligned. Better technical answers will likely evolve over time.
Finally, Intellectual Property. Why is it that we cannot get to the point where all data on all storage media is strongly encrypted, all transmissions of data are strongly encrypted, good key management is in place everywhere, and there are no back door keys so that only authorized users can unlock the data? Routinely, as a part of every device shipped? Here in addition to the technical issues, we have a societal debate to resolve over how much access can be made available for Law Enforcement or the Intelligence Community to protected data, and at what cost. Currently, with little or at best only modest usefulness to those communities, we are engaged in what former NSA Director Gen. Keith Alexander called “the greatest transfer of wealth in history”. This is nuts!
So what would the cybersecurity war look like if we instituted these changes? There would still be cybercrime, there would still be data breaches, the occasional embarrassing photo would still find its way to the public at large. But all of these would be substantially reduced, and reduced to tolerable levels. Some people have used the biological analogy…we are not trying to kill every bacterium and every virus in our bodies; instead, the goal is to maintain a healthy, resilient ecosystem, so when something bad does emerge to prominence we have the tools to react to it and overcome it. Now THAT would be a win.