Saturday, February 15, 2014

Thoughts on Computer Network Defense

AFP: US launches voluntary cybersecurity plan
The US administration on Wednesday launched a cybersecurity plan which aims to use voluntary collaboration from the private sector to protect critical infrastructure from computer hackers.

The initiative stems from an executive order issued last year by President Barack Obama after repeated failures in Congress of a cybersecurity law.
I could wax eloquent (and not-so-eloquent) on this topic for quite a while, but I want to identify a few key points (while endeavouring to avoid politics). For the sake of clarity, I'm blockquoting the individual points to set them apart.

1) People don't understand the risks, and/or they're only willing to mitigate them as much as they think they have to.
The reason why many businesses, and even government agencies, have failed to get up to speed on the issue of network security is twofold: they don't understand it, and the risk of damage isn't seen as commensurate to the reward of robust security. To some degree, that's starting to change, as the potential liability costs of the recent Target data breach and similar incidents are beginning to show. In that way, network security is similar to other types of security: organizations will spend precisely what they think they must, and not a penny more, because security is an overhead item that cuts into their bottom line. That's the cost/benefit analysis and/or risk management piece.

Beyond that, the leaders of many organizations simply don't understand the threat. At the risk of over-generalizing, there's a very narrow demographic that's young enough to understand en masse how modern technology works, while simultaneously remembering conditions prior to its proliferation in the last couple of decades. Outside of that portion of the demographic spectrum, you have two groups. Most of those who are older than the aforementioned group are, in essence, "immigrants" to modern technology; at best, these folks "speak" technology with a pronounced accent. Meanwhile, those younger than the aforementioned group are so accustomed to modern technology (such as social media, which conditions them to share every aspect of their lives) that they often fail to comprehend the need for confidentiality. (I've written about a couple of aspects of this challenge before, here and here.) The result is that it's very difficult for organizations to instill a culture of security awareness, either in the boardroom or in cubeville.
2) Convenience is part of the problem.
Everyone's heard the phrase "the path of least resistance". Technology has blazed its own superhighway of least resistance. We've all seen it on the micro level: people would rather use their debit card than worry about cash, or follow their GPS in lieu of learning a route. In many cases, we as a culture have largely lost the corresponding low-tech skills that most people had only a few years ago.

On the macro level, network security experts love the example of hackers being able to take down a power grid, or a water or sewage system, or a variety of other public works elements that are potentially more devastating than the threat of identity theft or credit card fraud that could stem from the aforementioned Target data breach. While I'm sympathetic to the potential benefits and efficiencies afforded by networking, these examples always cause me to wonder, "Who's the genius who thought it was a good idea to hook control of a power grid up to the Internet?" In popular media, I was always intrigued by this theme in the 2003 to 2008 Battlestar Galactica TV series, in which the eponymous warship's computers were not networked, precisely in order to prevent the sort of security issues we agonize over today.
3) We need to start applying more common sense to the problem.
The problem is getting worse. For example, Comcast is now offering XFINITY® Home, which allows subscribers to connect numerous aspects of their home to the Internet for management from their mobile devices. Am I the only one who remembers this scene from Skyfall?
Now, do I think that a product like XFINITY® Home is going to lead to an epidemic of exploding homes? No, but I'm also not especially confident in home security systems - or, rather, in your average customer. A guy I used to work with was fond of saying "there's no patch for User 1.0". Between technical vectors like phone cloning or mobile phone spyware, and social vectors like vishing and weak passwords, do we really think that the average person's phone ought to be connected to their security system? The potential for malicious and accidental catastrophes, both from user error and from attacker sophistication, raises real questions regarding the cost/benefit analysis of these innovations.
None of this is to say that I'm some sort of luddite - far from it. However, many conveniences that we take for granted open vectors for unsavory elements to attack.

The DoD has some good resources for network security, but they're highly militarized. Some more user-friendly resources are available at the National Institute of Standards and Technology's Computer Security Resource Center. At the risk of getting political, the Obama Administration's approach to most problems involves intensive government efforts. The truth, though, is that we as a country, and we as individuals, rely upon so many individual and networked pieces of technology that government-spearheaded efforts simply won't put a dent in the potential risks. Individuals and organizations will have to be proactive for themselves, with the understanding that the threat to sensitive information and to critical infrastructure is growing. At the same time, we need to start thinking before we automate and wire up any and every aspect of our lives. To quote Ian Malcolm:


I realize that that's three pop culture references in one post, and I can only apologize and promise to try harder next time.
