Wednesday, January 01, 2014

My #4 personal privacy and security prediction for 2014: A BIG year for good/bad news

As we enter 2014 it is clear that two events in 2013 have rocketed data privacy and information security to the highest level of public awareness that these the complex topics have ever attained. I'm talking about the Snowden revelations and the Target breach.

For me, this surge in public awareness of the importance of data privacy and cybersecurity is both exciting and frightening.Why? Because 2014 is obviously going to be a big year for those of us who work in these closely intertwined fields, a year when more people than ever before will be concerned about securing their data, yet more distrustful than ever of the folks who are trying to help them do that (among whom I count myself).

Consider that I have spent the better part of 20 years writing and speaking about these issues, starting with computer security, then network security, system security, information assurance, data privacy, and now "cybersecurity." You could say that I have wanted nothing more than to make the world aware of the importance of these things, for the simple reason that, without such awareness, the true potential of digital technology will never be realized.

Let me put it a different way: Are you wondering where the flying cars are? Are you disappointed that in 2014 we don't yet have them, or transoceanic high speed rail service, or the handheld medical scanner that can diagnose the top 100 medical conditions in a single swipe? I believe we would have achieved these or similar technological marvels by now if it were not for the massive distraction of information insecurity.

I don't want to wander off into too many examples, but consider one: Towards the end of the last century email was poised to become a universal tool for managing transactions cheaply and easily. Then came the spam-plosion, a massive surge in unsolicited commercial email that rose to become 80% or more of all email and had Internet service providers (ISP's) buying new servers once a fortnight just to maintain legitimate service. Combine that with the inability of the major email providers to agree on improvements to email protocols, and you have the death of transactional email that is still hampering large slices of our economy, like banking, healthcare, government, and retail.

So the good news / bad news in 2014 goes like this:
  • Are most consumers now aware that cybercrime is a serious problem? Yes. Can a young working mother buy diapers at a discount store without fear of losing her identity, and all the money in her back account, despite the billions that have been spent on cybersecurity? No, because we have grossly under-funded the vital work of catching the cyber-scum at the root of that fear. 
  • Are most companies now aware that cybercrime is a serious problem? Yes. Can a company develop new products without fear of them leaking from their computers to a nation state agency and/or its clients? No, because it is possible that every piece of hardware and software you buy to build your dreams has already been hacked, back-doored, or otherwise compromised, thanks in part to your own tax dollars at work (see this article or the pictures here if you are not clear on this).
Now this next bit may sound self-serving, but I assure you it is not. I am employed by a company that sells security software, some of which requires root access in order to protect systems. However, the company doesn't pay me to sell this software, they pay me to think about security and privacy and explain of much of this stuff as I can to as many people as possible. The company has, in my considered opinion as a 20-year industry veteran, the very highest ethical standards. All of the people that I work with, in this company and in many of our leading competitors, are dedicated to eliminating the scourge of malware and other threats perpetrated by the world's cyber-scum. A fair number of us have been at this for 10 or 20 years or more. Yet today, in 2014, we are being asked: Are you helping the government spy on its people?"

The answer is no, but although part of me feels hurt and even insulted by this line of questioning, objectively-speaking I cannot object, particularly when I see these pages from a catalog of hardware and software crippled by the NSA, in other words, produced by my own government. I am sure that the people who developed these things thought they were doing the right thing, and only intended them to be used for righteous purposes like defending our nation. But the people in charge clearly failed to consider what would happen to the nation when the world found out about them.

I bet you a box of donuts that in 2014 at least one person will ask me where they can get a USB cable that is certified uncompromised. The fact that I don't have a good answer really bothers me. More people than ever before are going to be asking security professionals for help in creating secure systems, even as those professionals try to deal with NSA-fueled doubts about the very building blocks of such systems. One way or another, or both, it's going to be a BIG year.

No comments: