First you have to understand that information security simply is not a priority in American society. I think this is not a technical or ideological issue. It is a question of how resources and risks are assumed. Using Gartner's numbers, you're looking at, at MOST, a few percentage points of revenue being applied toward information security at companies or governments. Considering the thousandfold increase in productivity that various information technologies may give over manual human processes, that is a huge gap in risk-avoidance spending. If you invest a fifth to a quarter of your revenue in technologies that make you thousands of times more competitive than manual human processes, you'd think you'd invest an equal share in maintaining that competitive advantage. Unfortunately, in the corporatocracy the benchmark is your competitor, and if they don't invest in security techniques or tools, neither will you. There is no downside to getting hacked from the corporate viewpoint. All the spin of embarrassment and "fines" aside, the reality is that nothing will happen. Most corporations will bounce back and even exceed expectations within four quarters.
Legislation is not an answer. With the recent "too big to fail" episode publicly holding up the financial institutions as a pattern for future bailouts, any pending legislation will be morally and ethically bankrupt on delivery. In fact, most of the legislation suggested in the past decade (plus a few years) has only had negative impacts on the citizen and consumer. Whether CIPA, PIPA, SOPA, DMCA, COPA, CALEA, or the PATRIOT Act, these acts have created autocracy and decreased security by increasing surveillance. Though no proof that I know of exists, I still say the Google Aurora incident was possibly created by the CALEA hooks in Google's servers being used by the Chinese for what they would call the same domestic law-enforcement purposes that United States law enforcement would use them for.
Just jumping to an executive order will produce another "voluntary" set of standards that will become a paper tiger, used for political purposes and useless for security. Increased bureaucracy and government "oversight" with no teeth is just another waste of corporate and government dollars. I still think that FISMA is one of the biggest jokes in government, since audit and compliance tell you absolutely nothing about being secure. Much as red team engagements only tell you that sophisticated adversaries can enter your systems, all the FISMA model gives you is the knowledge that people know how to type. In fact, things like the IAVA process inherently and significantly decrease security on the way to FISMA compliance (90- to 180-day patch cycles?).
There is no such thing as an absolutely secure system. Current technology, evaluated across the variety of its use cases, does not support a secure model of computing. There are inherently only degrees of non-secure systems, with risks accepted toward those systems. Any perturbation in the technology plane, such as upgrades or provisional changes for efficiency, will have deleterious consequences for security. As such, any imposed legislation or requirement for standardization will only impact the entire efficiency cycle that is the reason we have information technology. Forcing a particular audit, analysis or standardization will erode security, not enhance it.
We don't tell people to audit their gun to ensure their neighbor's safety. We tell them that if you shoot your neighbor you will end up in jail or the gas chamber for what will be the rest of your life. That should be, and yet will never be, the pattern of cyber security legislation going into the future. A future post will delve into why we will never see a nation-state level cyber attack.
So, how do we solve this kind of problem? My wild, hair-on-fire idea is that we treat personal data as a personal avatar and apply civil rights to the data as an adjunct of the person. Yes, that would kill the entire data-warehousing industry, but I'm all right with that. The assertion by companies that they OWN my data is tantamount to, and absolutely is, a form of data slavery. When companies hold data, they hold it under in loco parentis-type rights, and divulging it would be treated as a civil rights or human rights violation. My data as an avatar for me would change the landscape of information technology. It would hurt companies, but then again, since they feel no pain when something goes wrong and I do, I'm kind of OK with that.
Executive orders or cyber security legislation, as apparently written, are an answer to the wrong question. A focus on infrastructures is a focus on surveillance, audit and compliance, and it ignores the basic tenets of information security. The cyber security legislation and executive order as suggested answer the question of how insecure we might be, through information sharing, audit and compliance tracking. They do not answer the question of how to secure those same infrastructures. I would rather we tell industry: secure yourselves or be prosecuted, and let the companies figure out how to get the job done or risk heavy fines for failing to accomplish the task.