"Insanity: doing the same thing over and over again and expecting different results."
- Albert Einstein
If you've watched the Matrix trilogy of movies, then you might recall one of the themes from the movie. In the second installment, Neo meets the Architect, who tells him that the current Matrix was not the first, but was in fact a later revision. The problem, it seems, was that the original version was too perfect (a perfectly balanced equation), which could not be accepted by the human mind, and which then led to the entire system collapsing. The solution was to create an unbalanced equation, and then a method for managing the remainder as necessary.
In the security industry, we've reached a point where the equation is balanced, at least as far as the business is concerned, and bad things are starting to happen. Over the past 15 years, technology has been able to evolve to match most threats, but the simple truth is that we're still not winning the battle. Businesses are still not properly incentivized to invest more into security countermeasures, but instead do the minimum necessary to keep their shareholders from sacking the lot. Ladies and gentlemen, I submit to you that it is now time to unbalance the equation.
The solution to this problem - that is, the way to unbalance the equation - may, regrettably, be dependent on government regulations. Clearly, the industry is not policing itself, but is instead slipping by. The regulatory solution is to change the liabilities associated with security problems, changing the tradeoff analysis that companies are performing. The current analyses equate to organizations (including the federal government) gambling with our personal, private data, rather than treating it like we would (putting aside stories of passwords and chocolate).
Defining "Data"
Before going into my ideas on how to unbalance the equation, it's first important to understand what I'm talking about. By my estimation, all data falls into one (or more) of the following three buckets:
* Functional: Functional data is information about the operations of the business, such as AP/AR/GL and related performance-type records. It may include general compensation data, partnership agreements, and the like. Some of this data has the potential to be more damaging than other parts, but much of it is subject to various regulations, such as tax codes or SOX. Organizations are generally given proper incentive to handle this data responsibly, and in general a loss would not have a tremendous material impact.
* Intellectual Capital: The information generated by an organization that is creative and/or innovative in nature would fall into this category. It may have functional purposes, such as toward solving a problem, but it is also distinguished by its creation. Given the potential impact of losing proprietary knowledge, organizations also have generally strong incentive to protect it. It's likely that existing laws, such as those pertaining to corporate espionage, would also provide a legal framework regarding compromise of this data.
* Personal/Private: This class of data is frequently used by organizations, allegedly to help them make our lives better, but in reality to help them make their lives better. The problem, however, is that this type of data probably belongs to the individual. It certainly isn't owned by the organizations collecting it. As such, organizations in the US today are not properly incentivized to provide more protection than is absolutely necessary. We now hear about these types of disclosures, thanks in part to regulations like California's SB-1386 (and similar laws in other states) and the PCI DSS, but the organizations making the mistakes with our data do not seem to be suffering much in the way of consequences. More on this later...
The Base Case for Change
Undoubtedly, some people are going to question why this degree of change is believed to be necessary. Hopefully they've read this far into the post in order to find out.
First and foremost, as noted here and here, I believe that the security industry has become stagnant. Playing catch-up with the bad guys never worked very well, and seems to be working even less well now. It's important to recognize a plateau in the growth and evolution of an industry, and if possible identify the next curve and try making the jump to it ("jump the curve," to quote Guy Kawasaki).
To give you an example of why change is needed within the security industry in general, consider this quote from 0x000000.com's post "Why Hacking Changed."
"Old school hacking is dead, network hacking is dead, firewalls are useless and AV software is a mere redundant software package that underlines your frustration and ignorance about contemporary hacking. Defense in depth is deceased since the nineties and it will never come back. The Internet is operated with knowledge that stems from the late eighties and nineties. All you learned about the Internet from the seventies 'till the late two thousandths is dead. It is no longer the landscape we work on. It is no longer the Internet of today, it is certainly not the Internet of tomorrow. It belongs into history books and nothing more. It is crucial to understand this. If we do not agree, the security field stays behind the facts of today."
The author makes very good points about the increasing obscurity of our current technology practices, and stresses the need for a changed approach. However, in order to spur that change, organizations need to be properly incentivized to do so. Those incentives ultimately come down to financial and legal risk, and today, as it pertains to personal/private data, that incentive does not favor the individual.
If you're still not convinced, then consider the words of famed security guru Dan Geer from the recent SOURCE conference in Boston:
"Paleobiologists see evolution as "punctuated equilibria"[EG] which is to say long periods of stability interrupted by short periods of rapid change. Evolution, as they describe it, is not some steady upslope at 8% grade, but rather the unexpected when least expected, and a flurry of change that will eventually damp itself out enough to be called progress, as if anything that brought us to where we are must have been progress since this is the best world that we have yet made."
(...)
"The risk management we need is therefore the ability to maximize the damping effects of stable periods of risk and to be prepared to handle the punctuating events of the definitively unpredictable..."
I call it stagnation, he calls it a "stable period"; in either case we're not in a period of growth or marked innovation, but rather marking time. Unfortunately, the criminals are not marking time, but are enhancing and evolving their attacks, finding new ways to steal personal/private data (and maybe functional and intellectual capital data). Something needs to change in order to properly spur organizations to respond.
The Proposed Solution
"Things do not change; we change."
- Henry David Thoreau, Journal
"I heartily accept the motto, "That government is best which governs least"; and I should like to see it acted up to more rapidly and systematically."
- Henry David Thoreau, Civil Disobedience
The approach that I currently view as the most favorable reminds me of the European approach to data and privacy (Germany, in particular). The end-user should be the rightful owner of the data, and the organization (corporate, NPO, government) should merely be the custodian. In such a framework, the end-user can then determine the value of the data, as well as stipulate how they will allow that data to be used. In essence, personal/private data should be viewed as an extension of the person, and thus any loss equated to the loss of life or limb.
While such an approach, if codified into federal law, would not necessarily provide for valuation of the data uniformly, such as may be needed in a civil suit for determining damages, it does create the first hurdle, which is that if data is used in a manner in which the data owner did not authorize, then a violation has occurred, for which compensation must be rendered. It then becomes an exercise in estimating the damages that stemmed from the misuse/exposure of the data.
This approach has appeal because the loss of a credit card number would likely not outweigh the cost of losing a more long-lived bit, such as a Social Security Number. Using this definition, one could then also define criminal code around the misuse or inadequate protection of data by custodians, which could help provide the impetus for change. Set the penalties to be quite steep, and investing in proper security practices may not seem quite so expensive.
Final Thoughts
Obviously this isn't a complete solution, nor is it even a complete thought. However, the scales need to be tipped in the favor of the consumer, providing proper incentive for organizations to handle personal/private data more securely. My personal/private data should be given the same level of protection that is afforded the most closely held secrets of an organization, such as intellectual capital. Yet, because the legal liability for managing data is not tilted in favor of the data source (you), organizations are not generally inclined to take such measures.
Some might argue that this approach puts an undue burden on business. My counter to that is this: today, that burden is on the individual. Which entity - individual or organization - is better suited to bear that burden? Moreover, we need to get to the concept of custodianship within our corporate culture, so as to then provide the groundwork for better corporate citizenship going forward.
There will inevitably be other reasons raised as to why this idea is infeasible, but I challenge you to challenge them. Change is good, change is necessary, and change is now due.
More Thoreau quotes are available from the following site:
http://www.transcendentalists.com/thoreau_quotes.htm