By Katherine Teitler
December 22, 2016
Many uncertainties await the world when the new United States administration takes office on January 20, 2017. The President-elect, while extremely vocal on the campaign trail, has been disconcertingly cagey in the weeks leading up to inauguration. As it pertains to technology and cybersecurity, Donald Trump held closed-door meetings with some of the tech industry’s top executives last week, but the Electronic Frontier Foundation (EFF) wasn’t satiated. Spurred on by Trump’s previous promises of increased surveillance, his condemnation of Apple during the encryption debate with the FBI, and his late-night Twitter rants challenging certain individuals’ rights to free speech, the EFF bought a full-page ad in Wired that urges technology companies to “unite with the Electronic Frontier Foundation in securing our networks against this threat.”
Over the past few years technology companies have found themselves in a quandary. Information security is top-of-mind for leading organizations; decision makers understand that protecting organizational, partner, and customer data is of utmost importance, and they know that cyber crime is just as much a threat to efficiency, productivity, and profitability as financial market fluctuation or sociopolitical instability. On the other hand, many companies and their respective executives feel a responsibility to assist law enforcement when information relating to a crime may be contained in the company’s systems. Ironically, at times these two goals, admittedly both honorable, are at odds.
Nice to meet you, where’ve you been?
The reality is, no one wants to see actual terrorists or criminals roam free AND companies cannot be exposing proprietary networks and data to preventable risks. (It’s like one of those bad 6th grade English comprehension quizzes where both statements are true but seemingly disparate.) Providing the government with backdoors or easy entry is, unfortunately, also offering exploitable vulnerabilities to threat actors of many genres. Handing over bulk data to anyone puts users at risk and sets terrible precedents about who can get his or her hands on what. And the world knows, in large part thanks to Edward Snowden, that the U.S. government operates surveillance programs. Sure enough, U.S. companies have lost billions of dollars in revenue to overseas companies not subject to the same laws or practices. What’s more, the U.S. is not alone; as standard practice, other world powers very publicly and proudly censor and inspect internet users and associated information.
This is not to advocate that companies (U.S. based or otherwise) should refuse to cooperate with law enforcement when legally and appropriately (e.g., not developing a “master key” for all “X” devices) compelled to do so. In fact, many major enterprises including Apple, Microsoft, Facebook, and Google—all currently professing to be working towards more secure and tamper-resistant technologies—have obliged government requests for user data fairly regularly and without contest. In the same vein, these identical companies have been quite vocal about their obligations towards user privacy, which just so happens to go hand in hand with data security. Removing politics from the equation, so as to eliminate squabbles between the left and the right, red vs. blue, donkey versus elephant, more effective and reliable security solutions are needed. Cybersecurity is mainstream media; what does that say?
I could show you incredible things
The EFF’s entreaty, regardless of which side of the privacy debate you’re on, could be considered just as much about hardened security practices as it is protecting users and companies from unlawful or merely shady government pressure. Yes, of course the gist of the EFF ad is about defending civil liberties in the digital world—it’s clearly stated. Picking apart the pieces, though, and examining the advice, one could very easily look at the ad as a “best practices guide for cybersecurity in 2017.” Taken directly from the ad’s text, the EFF advises the technology community to:
“Encrypt: Use HTTPS and end-to-end encryption for every user transaction, community, and activity by default.
Delete: Scrub your logs. You cannot be made to surrender data you do not have.
Reveal: If you get a government request to monitor users or censor speech, tell the world.
Resist: Fight for user rights in court, on Capitol Hill, and beyond.”
Magic, madness, heaven, sin
The first two points are the same ones recommended by security practitioners worldwide. Some might argue that “encryption by default” shouldn’t even be a topic of conversation anymore: Just do it already!
As for scrubbing logs, the more data a company keeps, the more data that is put at risk. Most companies admittedly hold onto data for too long or can’t be confident about the data stored because they’re not certain what or where it is. When a breach occurs, all of that superfluous log data goes out the door with the (most likely unencrypted) active logs.
The final two points are more subjective, but major tech companies have already vowed to uphold these principles. In the U.S. speech censorship and privacy invasions are unconstitutional, and attempts by any entity to overstep these boundaries should be brought to light.
In reference to the advertisement and campaign, Cory Doctorow, EFF Special Advisor, co-editor of Boing Boing, and activist, said, “We are appealing to [the tech industry’s] sense of duty and stewardship, because the incoming administration has made many public pledges that could weaponize the systems we built with mostly good intentions, turn them into tools by which the people we love and the people we live among could be targeted for mass deportation; suspcionless, warrantless profiling and surveillance; censorship; and worse.”
The concerns are real, and security practitioners uniquely have bona fide power to both stop injustices and protect end users who entrust the companies with which they do business to secure personal data, keeping it from snoopers, no matter who is doing the snooping.
I’m dying to see how this one ends
The incoming administration may spread fear, uncertainty, and doubt (FUD) which helps convince citizens that the only way to stop terrorism and brutal crime is to take liberties with civil liberties. However, consider this: Isn’t spreading FUD the exact same thing security pros have been saying we need to halt immediately? Haven’t we already determined that FUD is neither a good motivating factor nor an effective way to accomplish goals? If so, by paying particular attention to the first two recommendations (plus adding in other healthy security practices like asset inventory, continuous monitoring and vulnerability assessments, controlled use of administrative privileges, etc.), tech companies can focus on good, clean, effective security practices plus uphold moral/ethical principles of protecting end users and their personal information, all without too much politicking.
To illustrate the point, Doctorow adds, “Since the earliest days of networked communications, there has always been a strong strain of tolerance and stewardship for the systems we build and maintain, a belief in a duty of care for the users who depend on us.” In other words: Let’s not let anyone—government, cyber criminal, script kiddie, or otherwise—be allowed to affect our companies’ systems and manipulate the data we maintain.
At the end of the day, secure data is good for everyone.
More Infosec Articles