In recent years, the buzz phrase in the law enforcement/intelligence community has been "collect everything". Today this has morphed into "encrypt everything". According to a recent article in Wired, this approach, that of protecting the "perimeter" (or "perimeter security"), is outdated and just plain wrong. The thinking was that if you just keep the bad guys out, you will be secure. That's no longer the case, and at a time when nearly one of every two Americans has experienced a breach (about 10 million people were hacked last year), it is an alarming development.
The notion of protecting the perimeter or endpoints worked in the early days, but that time has passed. Today, there are just too many endpoints to police, let alone to protect. Network security that seeks to protect those endpoints with firewalls, certificates, and passwords is patently obsolete now. As a result, cars, planes, medical devices, and even voting booths have been the target of attacks, as well as virtually every major corporation!
Because of the cloud, remote access, and the Internet of Things, the landscape has changed, and there are too many targets to exploit. And as long as the security community plays the game of “perimeter defense”, poor results and increased hacks will be the norm, and, indeed, likely intensify. Not surprisingly, relief may be at hand thanks to a three-pronged approach by none other than the super sleuths at the CIA.
The CIA has broken the problem into three categories: Confidentiality, Availability, and Integrity. Confidentiality means protecting and keeping your secrets, so espionage and data theft are the greatest threats in this category. For too long now this has been the focal point of cyber security, but this approach is misguided. We've gone beyond worrying whether someone might discern your driving habits; now we must shift our concern to their ability to take complete control of the vehicle. In the category of Availability, denial-of-service and data theft threats, while annoying, are not of paramount importance in the new normal.
When considering Integrity, we navigate to more dangerous threats. Here we're talking about whether the software and critical data within your networks and systems have been compromised with malicious or unauthorized code, and this category poses the greatest menace to businesses and governments. For example, in a power grid, a confidentiality breach exposes a system's operating information, but an integrity breach would compromise critical systems, risking failure or shutdown. Put in the parlance of the military, the peril now lies in a bad actor taking over control of the weapons system, not just obtaining raw data about the circuitry.
National Security chief James Clapper underscored the point before Congress this fall by stating that the biggest emerging threat to national security is "cyber operations that will change or manipulate electronic information to compromise its integrity instead of deleting or disrupting access to it." So, in the post-perimeter security world we're in, just how do we shift our focus from Confidentiality and encryption to the more proactive concerns of Availability and Integrity? That means moving from concentrating on locks to addressing where the real danger lies: Integrity, which is where the security community should focus its efforts.
Not to get too technical here, but the old scheme of Public Key Infrastructure (PKI) is playing defense, trying to keep out the bad guys. Well, hello… they're already in! Therefore, the emphasis must shift to Scalable Provable Data Possession (SPDP) and Dynamic Provable Data Possession (DPDP), where intelligent prioritization of threats and subsequent breaches is employed. Since we can no longer keep the criminals out, we might be better able to catch them and stop them once they've broken in.
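To make the provable-data-possession idea concrete, here is an added example (my own simplified illustration, not the SPDP or DPDP constructions from the literature and not code from this article): the data owner keeps only a secret key, the untrusted server holds the file blocks plus keyed tags, and a spot-check challenge reveals any block that was modified after the attacker got in. The names StorageServer, tag_blocks and demo are assumed for the example.

```python
import hashlib
import hmac
import os
import secrets

BLOCK_SIZE = 64  # constructed: small blocks keep the demo readable


def split_blocks(data: bytes, size: int = BLOCK_SIZE) -> list:
    """Split a file into fixed-size blocks (the last block may be short)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def tag_blocks(key: bytes, blocks: list) -> list:
    """Owner-side setup: one keyed tag per block, bound to the block index.
    Binding the index stops a server from answering a challenge for block i
    with some other, unmodified block j and j's valid tag."""
    return [hmac.new(key, i.to_bytes(4, "big") + b, hashlib.sha256).digest()
            for i, b in enumerate(blocks)]


class StorageServer:
    """Untrusted storage: holds blocks and tags but never sees the key."""

    def __init__(self, blocks: list, tags: list):
        self.blocks = list(blocks)
        self.tags = list(tags)

    def prove(self, challenge: list) -> list:
        """Answer a challenge with the (block, tag) pair for each index."""
        return [(self.blocks[i], self.tags[i]) for i in challenge]


def make_challenge(n_blocks: int, sample: int) -> list:
    """Owner picks a random subset of block indices to spot-check."""
    return sorted(secrets.SystemRandom().sample(range(n_blocks), sample))


def verify(key: bytes, challenge: list, proof: list) -> bool:
    """Owner recomputes each tag; any mismatch means a block was changed."""
    if len(proof) != len(challenge):
        return False
    for i, (block, tag) in zip(challenge, proof):
        expected = hmac.new(key, i.to_bytes(4, "big") + block, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
    return True


def demo(tamper: bool) -> bool:
    """Run setup, optionally tamper with block 3, then audit every block."""
    key = os.urandom(32)
    blocks = split_blocks(b"constructed sample file " * 40)  # ~1 KB
    server = StorageServer(blocks, tag_blocks(key, blocks))
    if tamper:
        server.blocks[3] = server.blocks[3][:-1] + b"X"  # intruder edits block 3
    challenge = list(range(len(blocks)))  # full audit keeps the demo deterministic
    return verify(key, challenge, server.prove(challenge))
```

Auditing a random subset with make_challenge gives probabilistic detection at a fraction of the cost; the real SPDP and DPDP schemes go further with homomorphic tags so the server returns a short proof instead of the challenged blocks themselves.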