There’s no security without trust
Trust. It’s a small word but it conveys a lot. To many it is the cornerstone of security, because without trust there can be no security.
To operate securely in the online world, businesses need to trust the technology they use. These same organizations need to trust their partners and suppliers, especially when they have access to the organization’s data and systems. They need to trust their staff to follow policies, to apply what they learn from security awareness sessions, and to use the tools provided to them to keep their activities secure.
As individuals, we trust that the online systems, services and companies we use will keep our data secure and that the technology we employ will protect us.
Companies and citizens trust their governments to provide a safe and secure environment for them to carry out their business and personal lives, whether that is online or in the real world. Governments are trusted to protect the citizens’ data that must be entrusted to them as part of our normal lives. We trust our governments to implement and enforce laws to ensure that companies, individuals, and agencies acting on behalf of the government will adhere to the laws of the land and respect our human rights, among them our right to privacy. We also trust them to react strongly to protect us citizens and bring to justice those who abuse their trusted positions.
However, over the past number of months we have been seeing a slow but steady undermining of the trust we all rely on. The allegations and revelations by Edward Snowden have highlighted how spy agencies of many western governments have undermined the trust we have in the technology we employ to protect ourselves and our businesses. Those same government agencies have also undermined the privacy of many innocent citizens of other countries and of their own countries. Indeed, the NSA has been found to have broken the law in its mass surveillance efforts.
Allegations from Edward Snowden have focused on how some technology companies such as RSA, Cisco, Google, and Facebook (to name but a few) have either willingly colluded with these agencies or, due to poor security practices, accidentally allowed them to carry out mass surveillance of our personal lives.
Recent hacks have also revealed how our trust in the technology we use to protect our systems has been misplaced. A number of successful attacks against Certificate Authorities illustrate how the very foundations of secure online transactions can be quickly undermined. Major security breaches and spying campaigns were carried out with computer malware that many anti-virus products failed to detect.
In the past number of weeks we have seen how some security companies – the very companies that we need to be able to trust – have stooped to low levels to gain some marketing advantage, at the expense of their integrity.
Two Chinese anti-virus companies have recently been found to be cheating on antivirus lab tests. Lenovo bundled the Superfish adware, which undermined the privacy of its customers, into some of its product lines, and in the last week security flaws were found in its update service. A US security firm, Tiversa, has also been accused of allegedly creating fake security breaches in order to drum up business from new clients. A recent report by a threat intelligence firm on how Iran is allegedly actively attacking ICS systems in the US has been criticized by many experts in the field as being badly researched and causing unnecessary fear-mongering. Heartbleed, Shellshock, and the abandonment of the TrueCrypt project have demonstrated that even the open source tools we depended on have been found wanting.
I have been involved in the information security field in various guises for over 25 years, and there has always been a healthy level of skepticism and a touch of paranoia held by many of us, especially when dealing with vendor claims and government intentions. But it always seemed that those involved in the industry had a common goal: to protect our systems and data. The bad actors were relatively well known and we knew who we could trust.
Perhaps I am getting older and looking back at those early days of infosec with rose-tinted glasses, but the amount of distrust and doubt that I am witnessing today is at a level I have not experienced before. As an industry we cannot allow this to continue, because without trust we will have to face our adversaries alone, and with tools in which we have no confidence.
We need to rebuild trust not just in the technology and security tools we use, not just in our governments and their agencies, but also in ourselves. Each of us can contribute in many ways to help achieve this. If you see inaccurate or fear-driven marketing material from vendors, call them out on it. If you see lobbyists or politicians looking to undermine our fundamental rights, then challenge them on it, either directly or by supporting pro-privacy groups. When selecting services and technologies, actively choose vendors who can demonstrate that they do not collude with governments to undermine our trust. Ensure that you independently verify all security claims from vendors and service providers. Share your knowledge with others so they can learn how to better secure their environments, and be open to learning from others as well.
Trust is a very fragile thing. It can take years to build it, and only seconds for it to be destroyed. Rebuilding trust in our industry will not be quick or easy. It will take a long time, and we’ll undoubtedly experience many setbacks on the way, but rebuild we must.