2014: The Year Our Trust in Information Protection Collapsed
Between setting up Security Architects Partners as a new consulting business and working two big contracts, I wasn’t sure I’d have time for a New Year’s review. Happily, my colleague Dr. Fred Cohen has made it easy for me by inviting me to edit a draft of his monthly all.net article. Let’s review his gem among year-end cybersecurity commentaries.
In “The Year of the Trojans (and their unintended consequences)” Cohen pens a withering indictment of the world’s foremost information protection authorities. No one – not governments, online mega-companies, corporate executives or many of the security folks that advise them – is spared. Each authority is roundly criticized for duplicity, irresponsibility and incompetence of one kind or another. The U.S. government, for example, “has demonstrated its lack of trustworthiness to other nation states, not [just] because of their spying activities, but by their inability to keep them secret.”
In so saying, Cohen actually conflates the “summer of Snowden” from 2013 with 2014. But that’s ok. What we’ve seen these last three years is the death of secrets that at least two of my former colleagues predicted long ago. We’re seeing unrelenting encroachment on our privacy and confidentiality as people and organizations. To some, transparency is a virtue. To others, transparency is the weapon that laid the likes of Sony Corporation and HBGary low.
Without naming names, Cohen refers to the ongoing Snowden and related revelations from 2013 and 2014 as the “Trojans” of our time. He makes veiled references (I conjecture) to the hacking of Huawei, Heartbleed, exploits on the telecommunications backbone signaling system (SS7) and much more. No layer has been spared, not hardware, not encryption, not applications nor networks which “…with all of their interdependencies were subjected to attacks at all points, from the drivers to the hardware, to the switches and routers, to the supporting infrastructure, the cable and wireless service providers, the radios, wifi hot spots, cellular towers, and bluetooth connections, all hacked at the end points and in the middle…The software stack, from microcode to operating systems to libraries to applications to recursive languages and programs, all demonstrably not only hackable, but hacked.”
And so the word “Metadata” passed from the techie to the intelligent layman’s vocabulary. No vertical industry has been spared either. Yet “Governments responded by increasing surveillance of their citizens and others… Intentional weaknesses were put into systems by police, governments, and the companies that cooperate with them under color of authority or for financial gain. Fear, uncertainty, and doubt (FUD) has been goaded to extremes…The hyperbole surrounding APTly named Advanced Persistent Threats understates…the reality of the situation.”
Just One Way Forward: Security as Science
For all Cohen’s well-informed cynicism and discontent, he ends on an optimistic note: as blind trust in authority collapses, we may yet replace it with trust in science. That’s right, information protection can be science-based rather than FUD-based. During 2015, I’ll share with you much more of what we (Security Architects Partners) are doing in partnership with Cohen’s company, Fearless Security – assessments based on the Standard of Practice, for example.
Cohen notes that the damages of 2014 hold some silver linings, or social gains, as well:
- Improved security knowledge and awareness of cyber-insurance, security data sharing and deception techniques in addition to more conventional protection practices.
- More “logical” forms of conflict: “Instead of blowing things up and killing people, we are seeing [miscreants conduct] public relations attacks, embarrassing leaks, and minor service denials.”
- Perhaps ultimately an awareness that in the immortal words of FDR “the only thing we have to fear is fear itself.”
I hope that Cohen’s right in saying 2015 will be a better year than the last one. Or that at least 2014 and 2015 will look better when seen in a broader historical context of how we hit the bottom of cyber-(in)security and stabilized (at least a little bit :-)) our life online.
Happy New Year!