Tuesday, June 14, 2011

Is Digital Security Possible?

"Africa is not a continent which is any longer isolated. It is not a place where people are uninformed. It is the fastest growing market for cellular phones. Information, whether it is in the townships or wherever, now passes very quickly... And this is not an issue which is going to go away. Nor is it an issue that is trivial for those of us that live here as we do here."
 JAMES WOLFENSOHN ex-President of the World Bank 

Below is a philosophical comment I  posted on Dark Reading today:
"It has occurred to me lately (because of the advances and volume increase in penetration and ex-filtration) that the digital industry has falsely assumed that data can be kept private in a networked world; that perhaps the concept of "data security" or "network security" is not achievable or (at best) not achievable at current levels of technology, internet reach, network topology.
If this is the case, we will have to rethink our current goals. Is data security possible? If so, at what costs? Can commercial interests or individual privacy be protected on the internet? If so, what would be the true costs for such protection?
Social and economic inequality, the true driver behind nation state and organized criminal penetration and ex-filtration, may not be an affordable reality in a networked world. Conversely, a secure, networked world may be not an achievable reality in a world of social and economic inequality. Either conclusion has gross implications for the global economy as it now exists."
For some long time, in the moments between burying my head in code or research, this rather somber thought has occurred to me. If digital security is not truly possible, would the current world of security architects be able to recognize the futility of their own profession?  Probably not, I would answer. Good engineers that we are (in a profit hungry market capitalism), we simply just keep chasing the next big thing or fixing the last defect.  But what if it were the case that digital security is  not an existential possibility? What if it were the case that the next abstraction, the next algorithm always begat the next penetration or ex-filtration? What if digital security was never truly achievable for any moment but  a single point in time?

Such a realization might change the very nature of system and network architecture.   First, we would have to assume that in a networked world there will always be data. The old Unix administrators motto ("There are two types of computer users: those who have lost data and those who will."), would be the starting point for developing the integrity of information systems. How would this effect privacy, commerce, and secrecy? It would tend to devalue the importance of all three.  In effect, it would mean we would live in a very public world where the emphasis of commerce and nation building would have to be the equality of social and economic justice.  The competitive battles of nation state hackers, spies, and terrorists would have to be devalued.  In their place something non-private, non-commercial, and very public would have to come to assume world wide importance.

I will avoid (as much as possible) tendencies to describe a utopian socialist reality that co-opts the urges of the very bright and nationalistic to commit computer crime. But I will concentrate instead on what the costs of extended information warfare could become in the future to nation states and its peoples. Clearly, we are not going to feed, house,clothe or co-exist very well with the nine billion people the World Bank says will inhabit the Earth by 2050 without evolutionary advances in world health, resource sharing, energy production, climate control or food production.

Clearly technology and information sharing will be critical to prevent perpetual regional wars and oppression. And yet we cannot continue to possess  a much higher standard of living here in the West because of more substantive and efficient network technologies without incurring the jealousy and wrath of those who struggle with much less.  If an American corporation invented a 10x improvement in photo-voltaic efficiency tomorrow, could we really keep China, Brazil or Russia or India from ex-filtrating, copying, or co-opting that technology? Recent history would say no and (for better or worse) the concept that a great idea should remain private for the profit of singular developers may be a concept that is now obsolete. (Suddenly, I hear Richard Stallman cheering in the background.)

Perhaps the networked world of commerce and thought now forces us to deal with a not so surprising conclusion: that there is no way to not know the thoughts and need of our brothers and sisters in this world, no matter how far away. But if our thoughts and needs are now ubiquitous, of what use is digital security anyway?   We don't maintain security in our families and communities by arming ourselves or walling off our lives from interaction with others.  We maintain our prosperity locally by allying and befriending those we know the most. In short, as a species, we function as a pack, tribe, or herd; we take care of the people that are closest to us. How will this ethic function in a world where a rapidly expanding global internet erases those boundaries?

We are not thinking about this as security professionals. We just keep thinking about the next fix, the newest hack, the next market opportunity, the next solution.  At this rate, we are going to code ourselves into irrelevance.  We will no more solve "network security" with our current approach than medical technology can "cure cancer". At some point we will have to deal with the reality that our current security paradigms don't work and that the improvement we see in our fixes provides only temporary solutions to a very intransigent and structural set of problems. 

No comments:

Post a Comment