Never mind the NSA, mind your own business
16 July 2014
Sneaker networking is back. The deeply paranoid, from espionage gooks to digital geeks, have learned to distrust networks. They know that dark forces are lurking to steal their ideas or their plans or the e-keys to their wealth. The dangers are not just in that global internetworking thing, or virtual WANs or email services, and may even be concealed in that apparently cosy and friendly office LAN. The answer, of course, is to avoid all connectivity that is not hardwired and personally supervised.
So once it was floppies and diskettes that an earlier jeans and sneakers generation swapped around to complement their personal networking. Today, a top secret project from advanced weapons design to a new hedge fund investment formula may well be updated between partners on encrypted DVDs travelling by certified courier. High spec workstations or simple PCs might be linked on a simple fibre cable loop, all cabling and power lines in plain sight and with no external data connection whatsoever. All DVD slots will, of course, be lockable and under constant close-up CCTV monitoring. So the dark forces will be forced to resort to the traditional and expensive options — appealing to lust or cupidity.
Most CIOs will not be challenged to design or mandate such extreme security, although some of the principles may be valuable. Not always connected and not always on, for example, is a perfectly sensible option in sensitive collaboration. As with videoconferencing, the participants can always invoke a secure collaboration session as and when required. That means that, among other security advantages, the credentials will always be session-based.
But then we have to consider the sheer momentum of the software-defined world we are cascading into. From networking to every form of cloud service to web scale computing, we are busily abstracting the logic and the control from the hardware. The hardware infrastructure may very well have its own control systems, but they are at least nominally being directed towards constant performance monitoring and optimisation. Old fashioned firmware, really.
By and large and as of around now, almost everything we traditionally call computing has become largely software code and is in a virtual state. We will probably see smaller devices retaining a modest level of local functionality for offline tasks so that we would look at ‘apps’ or mobile in the way we used to distinguish between a calculator (even a fancy scientific one) and a computer.
But anyone with even the necessary basic modicum of paranoia, scepticism, risk aversion or whatever you like to call it will cling to that lingering human distrust of what you cannot see. With soft security, you cannot see it and you cannot verify the verification, certainly not to any satisfactory degree. The US Patriot Act mandates that corporations complying with security agencies under warrant cannot disclose the fact, much less the targets or contents.
Now Germany has given Verizon its P45 because you can no longer trust what US corporates tell you. The NSA revelations spooked liberals and Big Business alike. The splendid irony was of US politicians having a go at Huawei and getting it off the procurement lists only to be followed by the truest of true US-blue Cisco telling the enforcers to keep their mitts off its equipment.
But of course, for the vast bulk of business systems around the world, the US is not the enemy. In fact governments and ‘official’ agencies are not usually a significant threat in the first place, at least not in business terms. The enemy is unequivocally the criminal.
So back at the CIO and Circle C ranch (sorry, the executive C-suite), security of all kinds continues its inexorable rise to the top of the corporate ICT agenda. Which brings back that very strange thought: in our wonderful 21st century, always-on and connected world, would there actually be higher value, a great deal of the time, in being selectively disconnected?
The CIO is already the de facto chief of digital security, or the C-level person to whom that manager or function reports, based on both the general CIO remit and presumed level of expertise in ICT. On the other hand, people with extensive security experience like ex-cops and military are often likely to be far more expert in knowing the tell-tale indicators and suspicious behaviour of attempted fraud, embezzlement and corruption. Their knowledge of ICT may be somewhat limited to their own areas of expertise, but that is not necessarily a bad or a limiting thing. Any team blends lots of areas of specialist expertise.
In a soft, virtual and invisible digital world, security has to be universal. In fact it has to become cultural and automatic, in the way that our physical security awareness is triggered by strange city streets after dark or dodgy areas or just simply being home alone and potentially vulnerable. But in cyberspace, everyone is potentially vulnerable, because every device is.
The Internet of Things is already extending that dark cloud of threat. The dangers from connected fridges are certainly exaggerated. But we should already be very wary of home entertainment control centres and security systems with mobile app control.
Computer security has gone through several generations of threat, from pranks through to ransomware. In the organisation, phishing and APTs and multiple mafias have been joined by the spooks and the possibility of traffic interception tools in your appliance firmware. The salient point is that the enemy is at least as technically advanced and proficient and creative as the protectors and their available systems.
CIOs already have a potentially huge span of responsibility across the organisation. Very few will push security up the agenda with any enthusiasm. But the middle word is still Information. When you are responsible for information, its safekeeping and integrity are essential parts of the job.