So, the NSA is spying on us without warrants, the Chinese are spying on us without consequences, criminals are spying on us without liability, and everybody is in an uproar over Edward Snowden leaking data. 2013 was a watershed year for information security and privacy. The leaks, the spying, and the breaches all point to a simple reality: security and privacy are eroding. So, the question is, how do we stop this erosion?
First, let’s admit that deep down, we all secretly like spying. We love it when the police raid some dingy home and cart away a bunch of unshaven guys. We love the headlines that titillate our sense of righteousness. “Another terrorist plot foiled!” Hurray for the good guys. Now, pump your fist in the air and chant “U.S.A! U.S.A!” We love this stuff.
However, we also love our privacy. When there is a big Target style data breach, we howl about our private data being taken. Mention China in a room full of people, and within minutes you will become spittle flecked from the various people ranting about how they are hacking, stealing, and cheating their way to being a global superpower. Even the mere mention of Snowden will elicit high emotion, both supporting and attacking his actions.
Likewise, we also love security. We adore firearms, alarms, and big slobbering dogs as well as their electronic equivalents of firewalls, hacking kits, and encryption products. We love to empower police to get the bad guys with gobs of new weapons and big armored cars. Similarly, IT departments cannot throw money at dubious “Next-Generation” technologies fast enough.
Whether it is personal, local, national or cyber – we adore security, privacy, and spying in all its forms…until it affects us personally…then we hate it with the burning hot passion of 10,000 suns. We have become completely selfish about privacy and security. We want our own privacy and security, but do not think anybody else deserves it.
We are privacy and security hypocrites.
This hypocrisy is born out of many factors. Some of them are disturbingly racist. Mostly, this hypocrisy is born from the tension between self-interest and community interest (or national interest). This hypocrisy also has devastating consequences, which are worse than a dozen Edward Snowdens or a thousand Target-sized breaches. This hypocrisy is decimating trust.
Recent statistics show that Americans’ overall trust of their political leaders is at an all-time low. Interestingly enough, statistics also show that international trust in the USA is also at an all-time low, thanks in part to the NSA spying. Trust in corporate leaders is not much better. The data shows that people, both here and around the world, are losing trust in the ability of government and corporations to behave in a responsible manner.
The information security industry is not immune from this hypocrisy. Recently, the security company RSA was caught, at the behest of the NSA, purposefully weakening encryption standards. This set off a firestorm of controversy, which RSA did little to quell. Their precisely worded denial felt disingenuous, leading security professionals to begin boycotting RSA’s eponymous conference at the end of February. Apparently, this is what passes for leadership in the security industry today.
Target also showed a disturbing lack of leadership in their latest breach. When news leaked of their big breach, they were absolutely silent for almost a week. Eventually, the company released a tepid apology and promised to get everybody identity theft monitoring. Suddenly, everybody was interested in Target’s information security program. The real question is: why wasn’t Target interested in Target’s information security program? Their response to the breach was a rather milquetoast “meh, we will get over this,” as if it were just a 24-hour bug that would soon pass. As the details of the breach emerged, it was remarkable that a company with the resources and size of Target would be so clueless about such a large-scale attack.
Without trust, our political, financial and commercial engines break down and stop functioning as they were intended. Trust is a pre-requisite for any modern society. If nobody trusts anybody, then we cannot function. Banking, education, manufacturing, science all depend on trust between individuals, communities, systems and organizations.
The question therefore becomes, how do we balance what appear to be opposing desires? How do we make security and privacy tangible things, while still giving people the comfort and reassurance they need to build trust?
First, we must accept that security, privacy and trust are not opposing concepts. We can have all three, and they can be real, tangible things. However, this means accepting that it will never be a perfect balance.
The way to make this balance work is to embrace three simple concepts:
Transparency is an overused word but an underused concept. Behaving in a transparent way begins with honesty. It includes being transparent about when you cannot be transparent, which the NSA needs to learn in a big way. If you need to hide stuff, just say so. Do not beat around the bush and act like it’s Area 51.
Government and corporate leaders need to stop with the cloak and dagger nonsense and start being honest about what and why they are doing things. Deception is the leading cause of mistrust. In the information security realm, this means being completely open about what you monitor and why. The NSA should do the same. Every large data carrier should have a clear, open, transparent statement about exactly what they keep, how they keep it, and why they keep it. And it needs to be written in language that normal human beings can read.
Accountability is an equally overused word, but we could all stand more of it. Leadership needs to be held accountable for elevating security and privacy to a real, tangible, and valuable concept inside their organizations. That means no more babble and blather about privacy, but real action. No more useless theories, frameworks, and roadmaps to success. Leadership needs to develop roadmaps to better security and privacy and then actually drive down all those roads they mapped out. I have personally watched hundreds of companies and government agencies plot out grandiose plans for security, and then never actually do any of their great ideas.
When security and privacy are ignored, these leaders need to be held accountable. We, the consumers and the voters, must hold them accountable. We must demand they follow their own rules and statements. When there is a breach, we need to demand a plan to see how they are going to fix the problems.
Responsibility is the last leg of the privacy/security plan. This is the part where everybody needs to grow up and be an adult about security and privacy. That means accepting things like: the TSA is there to help us, so quit throwing a tantrum over every tiny little injustice that occurs; the NSA does have a mission to protect the nation, and like it or not, they need to see data; government must respect the needs of individuals and implement reasonable checks and balances that are free from the corrupting influence of politics and lobbying.
Responsibility is the part where we all need to stop crying and whining, and start accepting that security and privacy are a complex trade-off and no matter what we do, it will never be perfect. However, we cannot let perfection become the enemy of good.
If we want to stop the erosion of privacy and security, we need to change the conversation. Rather than expressing everything in terms of what is wrong, we need to start talking in terms of who and what we can trust. Moreover, we need to remember that those who lie, deceive, and/or mislead cannot be trusted. Those with an agenda need to be honest about that agenda. Those who would have us hunker down in a bunker and wait for Armageddon need to grow up.
Lastly, we need to stop blaming Edward Snowden. His actions are forcing us to face this hypocrisy head on. History is filled with such people who had the courage to stand up to the system with a mirror and force us to look at the ugly creature we have become. Does it really matter if he broke a law, if it reforms a whole society?
We could all learn a valuable lesson here: you do not just keep accepting the status quo of mistrust because it is easier than changing. We need to trust. All security depends on trust. Trust is strength. Our future depends on our ability to trust.
Anitian – Intelligent Information Security. For more information please visit www.anitian.com