Security is rarely static. Technology changes the capabilities of both security systems and attackers.
But there’s something else that changes security’s cost benefit analysis’ (CBAs): how the underlying systems being secured are used.
Far too often we build security for one purpose, only to find it being used for another purpose — one it wasn’t suited for in the first place. And then the security system has to play catch-up.
Take driver’s licences, for example.
Back in the late 1990s, as a project engineer with Telecom Fiji, I worked on a project with the Fijian Land Transport Authority (then the Dept of Road Transport) – upgrading the entire system with the assistance of the Victorian State of Australia’s Transport authority.
Originally designed to demonstrate a credential – the ability to drive a vehicle – drivers’ licenses look like most other credentials.
They are wallet-sized, of course, but they didn’t have much security associated with them.
Then, slowly, driver’s licenses took on a second application overseas: they became age-verification IDs.
Of course the security wasn’t up to the task and over the decades driver’s licenses got photographs and technologies that made counterfeiting harder.
There was little value in counterfeiting a driver’s license, but a lot of value in counterfeiting an Personal IDs.
Today, national identification cards are taking on yet another function: security against terrorists.
National FNPF/TIN dual cards, Voters Registrations or drivers licenses have nothing to do with driving and everything to do with trying to make that ID an effective way to verify that someone is not on the criminal or terrorist watch list or just general surveillance.
Whether this is a good idea, or actually improves security, is another matter entirely.
You can see this kind of function creep everywhere.
Internet security systems designed for informational Web sites are suddenly expected to provide security for banking Web sites.
Security systems that are good enough to protect cheap items from being stolen are suddenly ineffective once the price of those items rises high enough.
The explosive trade in cheap items on Facebook is an example with our tax department trying to monitor these tax-free transactions.
Application security systems, designed for locally owned networks, are expected to work even when the application is moved to a cloud computing environment.
And cloud computing security, designed for the needs of corporations, is expected to be suitable for government applications as well – maybe even military applications.
Sometimes it’s obvious that security systems designed for one environment won’t work in another.
We don’t arm our soldiers the same way we arm our policemen (which we don’t in Fiji), and we can’t take commercial vehicles and easily turn them into ones outfitted for the military.
Military grade security was designed for tactical and field deployments in extreme environments.
We understand that we might need to upgrade our home security system if we suddenly come into possession of a bag of diamonds.
Yet many think the same security that protects our home computers will also protect voting machines, and the same operating systems that run our businesses are suitable for military uses.
Personal information protection is an economic problem, not a security problem.
And the problem can be easily explained: The organisations we trust to protect our personal information do not suffer when information gets exposed.
On the other hand, individuals who suffer when personal information is exposed don’t have the capability to protect that information.
There are actually two problems here: Personal information is easy to steal, and it’s valuable once stolen.
We can’t solve one problem without solving the other.
The solutions aren’t easy, and you’re not going to like them.
First, fix the economic problem. Credit card companies and banks won’t improve their security as long as you (and not they) are the one who suffers from identity theft.
It’s similar for other financial institutions: As long as you’re the one who suffers when your account is hacked, they don’t have any incentive to fix the problem.
Make the party in the best position to mitigate the risk responsible for the risk.
What this will do is enable the capitalist innovation engine. Once it’s in the financial interest of financial institutions to protect us from identity theft, they will.
Second, stop using personal information to authenticate people. Watch how credit cards work. Notice that the store clerk barely looks at your signature, or how you can use credit cards remotely where no one can check your signature.
The credit card industry learned decades ago that authenticating people has only limited value.
Instead, they put most of their effort into authenticating the transaction, and they’re much more secure
because of it.
This won’t solve the problem of securing our personal information, but it will greatly reduce the threat.
Once the information is no longer of value, you only have to worry about securing the information
from voyeurs rather than the more common – and more financially motivated – conmen (or women).
Finally, fix the other economic problem: Organisations that expose our personal information aren’t hurt by that exposure.
We need a comprehensive privacy law that gives individuals ownership of their personal information and allows them to take action against organisations that don’t care for it properly.
“Passwords” like credit card numbers and mother’s maiden name used to work, but we’ve forever left the world where our privacy comes from the obscurity of our personal information and the difficulty others have in accessing it.
We need to abandon security systems that are based on obscurity and difficulty, and build legal protections to take over where technological advances have left us exposed.
But these are all conscious decisions, and we cybersecurity professionals often know better.
The real problems arise when the changes happen in the background, without any conscious thought.
We build a network security system that’s perfectly adequate for the threatand – like a driver’s license becoming a basic ID – the network accrues more and more functions.
But because it has already been pronounced “secure,” we can’t get any budget to re-evaluate and improve the security until after hackers have figured out the vulnerabilities and exploited them.
I don’t like having to play catch-up in cybersecurity, but we seem doomed to keep doing so. As a wiser man then I once remarked – ‘those who do not learn from the past are doomed to repeat it’, so have
a blessed safe weekend you all.
- Ilaitia B. Tuisawau is a private cybersecurity consultant. The views expressed in this article are his and not necessarily shared by this newspaper. Mr Tuisawau can be contacted on ilaitia@cyberbati.com
