High Time to Act Against Information Catastrophe: Time to Strengthen Cyber Security
We need stronger cyber security to protect against massive consumer data breaches.
- Don’t worry so much about identity theft. We need to be preparing for information catastrophe.
- The biggest risk is the low-security character of the information systems and networks we are using.
- In our information infrastructure, vulnerability is tolerated as a trade for lower cost and convenient accessibility.
- It is time for us all to trade-up to “highly secure computing.”
- In China, the Snowden leaks have led to decisions by the government to accelerate its cyber security efforts.
- We are many years from a consistent effort by any government to adopt highly secure standards for its IT market.
If you are a leader in business or government, or even just a private citizen, there is an emerging phenomenon that you need to know more about. It’s called “information catastrophe.”
This is the event where the marvelous technologies of the cyber age combine with the actions of a person (accidental or malicious) to dump the larger share of your confidential database into the public domain, to criminals or to hostile governments.
It just happened in Korea, as announced this week. The event in question involved the theft and illegal sale of the credit card information of most of the country’s consumer population.
Don’t worry so much about identity theft, though that is happening. You need to be preparing for information catastrophe.
There are important defensive measures, such as reviewing security procedures, vetting your staff or associates better, or establishing strong relations with law enforcement or national intelligence agencies. Those approaches, however, are only band-aid solutions and temporary fixes.
Market pressure + policy failures = low security
The biggest source of the problem is the low-security character of the information systems and networks you are using.
A series of market pressures over half a century as well as regulatory policy failures have somehow convinced most of us to entrust our life savings of information and our inner-most feelings and secrets to data “banks” somewhere in the ether.
Only gradually are people becoming aware that these data banks are highly insecure and more regularly being breached in the bright glare of unwanted publicity.
The data banks comprise software and hardware products in which high vulnerability to attack has been tolerated as a trade-off for lower cost and more convenient accessibility.
When the initial choices for lower cost and lower security were made in many technical sub-fields decades ago, we did not quite foresee the combined effect of those choices.
A paradigm shift in cyber security
Now that we fear NSA can hack anything and anyone, and we know some other, more sinister governments are mining all of our personal information with malicious intent, it is time for us all to trade-up to “highly secure computing.”
In a recent paper released by the East West Institute, called “Resetting the System,” German researcher Sandro Gaycken and I make the case for this paradigm shift in cyber security.
We note that the U.S. Department of Homeland Security (DHS) has identified highly secure computing as one of the highest priorities for research in this field. U.S. scientists are reserving the right to legally develop NSA-resistant encryption.
And the Defense Advanced Research Projects Agency (DARPA), where key elements of Internet technology were developed, is now running new projects in highly secure computing.
We understand that term to mean information technology with security that is unlikely to be breached — except in unusual and rare circumstances (or at high cost and risk to the perpetrator).
Highly security computing is a gigantic investment
This is not some unachievable holy grail. As John Dobson and Brian Randell argued in 1986, while being critical of those who believed it possible to build totally secure systems, “highly secure computing” is a worthwhile goal for scientific research and public policy.
As the DHS’s research plan mentioned above has noted, the more highly secure technologies cannot be bolted on top of the existing ones.
By and large, a move to less vulnerable IT would require a gigantic initial investment by manufacturers and consumers. It could be more expensive to operate and perhaps less convenient and less functional. So consumers — firms and individuals — will not rush to adopt it voluntarily.
The roles of governments and the private sector
Typically, a market failure — where private markets do not provide goods or services needed by customers or do not provide them in adequate quantities at an affordable price — triggers the question of government intervention.
In most market economies, considerable care is taken to craft policies that address the national interest (or public interest) without unduly constraining innovation and competitiveness in the private sector.
But once a government chooses to intervene, the inevitable result — absent a complete course reversal by the private sector — must be some compromise with and by private sector interests. Just how this might play out in particular economies demands detailed study. The policy outcome would inevitably be imperfect.
At the very least, this cyber security dilemma probably demands a price signal of some sort by government and a transition plan with clear benchmarks and standards to provide for phasing out of low security equipment and software.
With or against markets: the EU and China
While this may seem anathema within a U.S. free market environment, the pace of change may be forced on the global market by the European Union or its individual member states with considerable influence.
China is definitely acting against the market, as we have known it. The Snowden leaks about NSA successes against it have led to decisions by the government to accelerate its indigenous cyber security efforts, including new design standards. China is also reviewing its exposure to commercially available products that fall into the low-security and highly vulnerable category.
Today, it seems like we are many years from a consistent effort by any government to adopt highly secure standards for its IT market.
But as the information catastrophes start to affect more and more politicians or significant national economic or security actors, the rush to new products will intensify.
As we move closer to adoption of cloud computing, where confidentiality expectations will be paramount, we can expect that to drive a more rapid move to maximum security in cyber space. The companies that judge this moment well may ride the crest of a new wave of IT wealth.