There was an interesting talk at DLD and a post by Rod Beckstrom back in Jan 2014. The good thing is that there is at least one influential person in the world who could generalize recent information security and privacy issues and formulate them at the right level of abstraction.
Yes, the Internet, IoT, social networks and the new “innovative” approaches of big Internet companies to defining privacy have made everything very complicated. In this regard I could not agree more with the common and widespread opinion that privacy does not exist in the era of the Internet. I would not even rule out the more extreme opinion that it was intentionally built this way to facilitate information collection by governments. The recent revelations from the NSA/RSA/BSafe scandals, or the Heartbleed vulnerability exploited by the NSA for years, only feed these suspicions.
I think that anyone who follows the news in this domain would not, and could not, argue much with the above. The bigger question, and the real problem, is finding remedies for these dangerous global trends.
After looking at Rod’s high-level plan, I realized that I simply could not agree with some of the action items, or understand how they could be implemented, while others make perfect sense to me. Let us take a stab at each of them:
1. “First, we must develop global definitions, norms and standards for cybersecurity”.
Yes, but it will require the involvement of the international community, so the task will be extremely difficult if you consider how that “international community” usually works.
2. “Second, we must build global trust”
That one is absolutely naive, unrealistic and, in my view, the most problematic. I think we live in a world of crumbling trust, where people, states and governments distrust each other more than ever before.
When it comes to spying and collecting information, the difference between friends and foes gets blurred. I’m not sure whom the NSA spies on more nowadays: its best friend and ally, German Chancellor Merkel, its worst foe, Russian President Putin, or its own citizens. There is a reason why Europeans (and Putin) have started talking about their own “independent” and isolated Internets.
That “we do not trust them” paradigm has become a mentality, and I don’t see any willingness on any side to change it. It’s definitely not an issue that can be resolved by the security community, or even by the bigger “international community”. I don’t know what can be done to change this. Maybe WW3 with massive use of deadly nuclear weapons would help? (That was a black-humor joke, in case somebody didn’t get it.)
Yet another confusing thing here is “we”. Who are “we”? As the NSA/RSA scandal mentioned above has demonstrated, there is no such thing as a “security community” speaking with a single, strong and influential voice. The isolated, dispersed voices of the people who tried to boycott the RSA 2014 conference, or of a few well-known security professionals such as Bruce Schneier, were not able to make a significant impact. That is hardly a surprise, since the expertise of these few decent folks has nothing to do with politics or politicians. Will the latter ever listen to professionals? I have serious doubts about that.
The “international community”? No, I would not put too much trust in them either: very bureaucratic, anemic, incapable and torn apart by internal conflicts of interest.
3. “Third, we need to use transparency and economic incentives to drive to a higher level of security”
I would strongly support any kind of incentive to achieve better security. See my comments on #4 as well.
4. “We must build better security into the Internet itself”
Bingo! That should actually be number one on the list, and it also addresses the “trust” issue in the most efficient and practical manner: the same way building a very high fence improves your relationship with a neighbor.
So my call to everyone working in the security domain (not to an abstract and amorphous “we”) at this moment would be: build the fence, the higher the better, but don’t forget about ordinary users, usability and all the other “-ilities” that good software architects normally consider.