Apparently it’s better to live in interesting times. It’s certainly an interesting time in security (or “cybersecurity” if you’re operating in the more fashionable end of the industry). The recent revelations by Snowden mean that we now know that a variety of national security intelligence agencies are intercepting our network traffic, implanting weaknesses in cryptographic primitives and products and working with selected vendor partners to build in backdoors. All of which leads to a fairly fundamental re-visiting of what is actually meant by “security”. Are we really saying that we can keep such well-resourced and motivated attackers like the NSA away from data of interest? Even forgetting the technical threats, there’s always the threat of the rubber hose or the stuffed wallet with which to contend. I believe we need to be a bit more realistic about what the goals of security actually are:
- To identify the assets we care about and to provide adequate protection of those assets from relevant threats
- To identify when our protection of those assets fails and to then limit, and recover from, the overall impact of such a compromise.
There’s a lot of window dressing and expenditure in terms of process (compliance, governance, architecture etc) and technology to deliver those goals but, fundamentally, that’s what I believe our security goals to be. Froth aside, how are those goals affected by Snowden’s revelations? Not greatly in my opinion. Realistically, for most of the data out there what is the *real* impact of the NSA (or other national security intelligence agency) accessing that data on the data owners? Commercial espionage may be a genuine concern in some industries but I’d contend not in all, or even most. Am I saying that I agree that the intelligence agencies should have carte blanche access to all data? No. I’m just saying that the impact of such access on most data owners is minimal and so there is little point in investing time, effort or cash in trying to prevent such access. Of course, this is based on the assumption that only the Agencies planting the back-doors are capable of gaining access through them – this assumption is likely to be tested going forwards.
If there is a genuine impact on the way that we “do security” from the Snowden revelations then I believe it is that goal (ii) will require even greater focus in terms of ensuring that we can identify when a compromise occurs and managing the outcome(s) effectively. I’d also suggest that organisations (particularly those in the Fort Meade area) may like to look at their staff vetting, enforcement of need to know and employee monitoring solutions…”