(Excerpt of a speech I saw in person by Dan Geer, a wizard who inspired me greatly when I saw him present at a conference. This post is meant as a tribute to his supreme wisdom as he perfectly captures the essence of the battle we face ahead. It is not my own content.)
Our society’s infrastructure can no longer function without computers and networks. The sum of the world’s networked computers is a rapidly increasing force multiplier. Today’s businesses are becoming heavily dependent on technology for integration, productivity, and organizational scalability.
Data is an increasing fraction of total corporate wealth and needs to remain secure while ensuring confidentiality, availability, and integrity.
Increasingly, organizations require communications to provide rapid and agile collaboration, information sharing, and connectivity to data sources. Technology enables employees and partners to work and access systems anywhere, anytime – also placing systems at an increased risk by the same token of availability. The protection of digital assets during transport, and at rest on storage devices is essential to the life cycle of information, as it transcends the border of physical and logical controls.
The world of security is becoming more complex and threatening every day. This increasing complexity embeds dependencies in a manner that may diminish the frequency of surprises; however, the surprises will be all the more unexpected when they inevitably occur.
Security is becoming a means and not an end; modern protection strategies are quickly shifting toward risk absorption rather than risk avoidance. Service orientated architectures and Web 2.0 technologies are fueling the internet revolution while at the same time rapidly deteriorating the security situation. That deterioration compounds when nearly all individuals and businesses are establishing dependencies on computer and communications systems. It is thus obvious that increasing dependence means ever more difficulty in crafting protections against known and unknown threats to systems.
The traditional network barriers that separated trusted from untrusted and “inside” from “outside” are now disappearing. As more applications become directly accessible to remote users and systems, the concept of the network perimeter becomes increasingly vague and more difficult to protect. Attacks are no longer confined to lower areas of the network stack and target widely adopted systems and software programs, having major implications globally, in all sectors.
Threats and risk are chiefly growing amongst the poorly coded applications and unsophisticated end-users. Modern-day security has become an architecture of devices, people and software that work towards providing the best possible layered defense against attacks.
We now know that protections need to work together in a concerted effort to reduce risk and mitigate known and unknown threats to our infrastructure.
Those with either an engineering or management background are aware that one cannot optimize everything at once, and that requirements are balanced by constraints. In engineering, this is said as “Fast, Cheap, Reliable: Choose Two.” In the public policy arena, we must first remember the definition of a free country: a place where that which is not forbidden is permitted.
No society needs rules against impossibilities and I believe that we are now faced with “Freedom, Security, Convenience: Choose Two.”
For me, I will take freedom over security and I will take security over convenience, and I will do so because I know that a world without failure is a world without freedom. A world without the possibility of sin is a world without the possibility of righteousness. A world without the possibility of crime is a world where you cannot prove you are not a criminal. A technology that can give you everything you want is a technology that can take away everything that you have.
After 15 years of analyzing the playing field, I am convinced that at some point, in the near future, one of us security geeks will have to say that there comes a point at which safety is not safe.
–Dan Geer / In-Q-Tel / Infragard
Key drivers of Hacking/Security:
The emergence of an internet-based criminal black market
The sophistication of attack tools and methods used by hackers
Markets for Cybercrime Tools and Stolen Data
Software monocultures facilitating mass hacking and botnet control
A proud member of: The InfraGard program is a public/private cooperative effort dedicated to improving our national security. InfraGard consists of Chapters throughout the United States. The FBI leads the U.S. Government side of InfraGard. InfraGard provides a trusted forum for the exchange and channeling of information and subject matter expertise related to the protection of our nation’s critical infrastructure from physical and cyber threats.