From practitioners to politicians, we lack the infosec clue needed
Given that technology vendors and analysts spent most of 2014 telling us that IoT is both huge and inevitable, it's only natural that security vendors told us it's also scary -- and that we'll need their protection.
But as I wrote in All aboard the internet of things infosec hype train, we've been hearing about the threat of attacks via our internet-connected devices for years, yet they've never really materialised. Why? Because the bad guys are too busy making good money using their current methods. Why would they waste their time developing new attacks when the old ones still work so well?
IoT is really just another incremental increase in the complexity of the task facing information security professionals -- more devices, more kinds of devices, more connections for different purposes -- albeit a big increment. It's just one of many incremental increases in the challenge, from the steady increase in the number and intensity of distributed denial-of-service (DDoS) attacks to the increasingly severe damage to the reputation of companies caused by hacktivists and random vandals.
No, the real infosec challenges for 2015 are about politics and people.
Politics
A year ago, I wrote that 2014 would be the year that infosec became political. Edward Snowden's revelations about surveillance by the US National Security Agency (NSA) and its Five Eyes allies would take centre stage, of course. But some of the other political issues that had been sitting on the back burner would come into sharper focus, too -- from mandatory data retention to mandatory data breach notification, to the public's increasing awareness that they were giving away their privacy for "free" internet services, to the increasing awareness that attacks from teenagers against nation states were still getting through their defences despite all the money they were spending.
And so it came to pass. With the hacks getting more political, the politicians came out to play. The hack on Sony Pictures, attributed to North Korea in what was supposedly a politically motivated attack, triggered a political response from the US administration. British Prime Minister David Cameron came out against strong encryption. And US President Barack Obama dedicated a chunk of his State of the Union address to some grand rhetoric about the threat of "cyber attacks".
"No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. So we're making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism," Obama said.
"If we don't act, we'll leave our nation and our economy vulnerable. If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe."
What Obama's words mean in practice remains to be seen, of course, as do those of other political leaders. But it's clear that the politicians will act, or try to act, and the big question is whether they'll get it right.
"The internet's going to get increasingly political, because it is life," said James Turner, security advisor with consultancy firm IBRS and chair of advocacy group the Australian Information Security Association (AISA).
"It's what makes me laugh when I hear people talk about Internet of Things and all that kind of stuff, because that's what it was always going to be," Turner told ZDNet.
"Politicians get re-elected if they make us feel safe, and that we've been taken care of. And so what are the big things? Terrorism, obviously. And then there's the cyber threat. So politicians are naturally invested in that, because that's a way for them to look like they're actually doing something."
But the problem is that the politicians don't have a real understanding of the issues, and that their solutions are often little more than knee-jerk reactions. Turner described Cameron's thought bubble about banning strong encryption in one word: "Dumb." He's equally scathing of the Australian government giving telcos just days to respond to their proposals for mandatory data retention.
"Come on, what the hell? That's crazy," he said.
"In many regards, the stuff that we've got now, like the pushes for mandatory data breach notification, the data retention, insane stuff like 'Let's ban encryption' and so on, it's like suddenly the politicians have woken up and gone, 'My God, we're 20 years into the internet thing, we need to start clawing back some control.' It really is a very, very sad indictment of the complete negligence which has been happening at a political level up until this point," Turner said.
One issue which politicians may well choose to tackle in 2015 is anonymity and online identity.
Financial services organisations are already familiar with the Know Your Customer (KYC) banking regulations, and the regulations that are variously called anti-money laundering (AML), anti-terrorism financing (ATF), and counter-terrorism financing (CTF), such as Australia's Anti-Money Laundering and Counter-Terrorism Financing Act 2006. With the government's increased focus on counter-terrorism measures, the focus could well widen to more than just the money flow. And even without considering the threat of terrorism, as more business is conducted online, more fraud and other crime will also move online -- and sooner or later, governments will need to be seen to act.
"Governments around the world are recognising that there is an urgent need to be more structured, to provide reliable information for the verification of identity," said Rodolfe Belin, co-founder of My Verified ID, a Sydney-based company that provides systems for identity verification as a service.
"You see more and more countries coming to the area of identity verification online every month. It's evolving very quickly... This is why what we call Know Your Customer policies and compliance is something that everyone should be concerned about," Belin told ZDNet.
While Belin's business would obviously benefit from more widespread use of identity verification, he sees both commercial and moral obligations involved. The problem that Belin has observed over the past six months or so is that some private sector businesses are concerned about the cost of implementing KYC policies -- not the direct cost of implementing the technology itself, which Belin describes as "small", but rather the indirect cost of the impact on their revenues.
"We face scenarios where online business owners are making money from criminal people creating fake accounts, or trading under all kinds of false identities," Belin said. "As long as they've got in their terms and conditions a clause which says, 'Well, we're not liable for it', they still make money from people using their services. So it's a question of moral compliance."
Given governments' natural aversion to anonymity, and given that My Verified ID and other vendors will doubtless be lobbying hard -- Belin is already calling for government "encouragement" in this regard -- more widespread deployment of KYC could well be inevitable.
People
Underlying all of this, however, regardless of the details of how the political landscape might unfold, is the continuing shortage of information security professionals, something that Turner said keeps him awake at night.
"Where my mind's at is the phenomenal skills shortage that Australia has now, that people have kind of given lip service to but no one's really thinking about, and how that's going to scale out over the next five years," he told ZDNet.
Turner has considered three key requirements for a coherent information security stance. One, are there enough people to effectively execute on the basics of patching and maintaining access controls that make up core mitigation strategies such as the Australian Signals Directorate's Top Four? Two, when those secure controls fail, as they inevitably will, are there enough people to actually do incident response? Three, are there enough people in the security industry, across all organisations, who can accurately translate technical risk to business outcomes?
"I don't believe Australia's got enough people that are good at their jobs in each of those three areas right now, and I don't see how it's going to change in our advantage in the coming years," Turner said. "The challenge is going to be that the government's probably going to try to help mitigate some of these issues with legislation, and of course that's not going to help.
"For starters, to man just a basic 24/7 operation, you need eight people instantly. So we don't have the capabilities to do that, and we know that we're going to have a security incident at some point, so we need the phone numbers of people that we can call, and have a pre-existing arrangement, so that when we call them, we've got an SLA for when they're going to have boots on the ground."
Turner has been researching the companies in Australia that can work to those SLAs and provide those boots on the ground. What he's discovered is disturbing.
"I tell you what, if a couple of organisations got hit simultaneously, and all of your security consultancies out there all got the phone calls at once, there would not be enough people to go around," Turner told ZDNet.
"I've been told over in America that the big consulting firms over there have told their large organisations there's a three-month waiting list for incident response teams. That's not an incident response, that's an autopsy."
How does this pan out in Australia? We don't even know yet, because there's no mandatory data breach reporting. Financial services and national security organisations would presumably know what's happening in their sectors, but there's no transparency or visibility.
"No one's got a full picture of the scale of the issue that we're actually dealing with right now, never mind what we're going to be dealing with in five years' time," Turner said. But word is, chief information security officers (CISOs) are already having to have difficult conversations with their human resources departments, trying to explain that they'll need to offer even more money to attract qualified and experienced infosec staff.
According to Swedish information security professional Andreas Lindh, part of the problem is that we made the mistake of putting all our trust in machines -- firewalls, antivirus, IPS/IDS, and so on -- while neglecting to invest in people and skills. We seem set to make the same mistake again.
"Security products [have] been marketed and sold as 'solutions' rather than tools; heavily automated and not really much to work with. Because of this, they have been considered as infrastructure components rather than applications; you just install and configure them, and then let them do their magic," Lindh wrote at the blog 3vildata.
"The thing about buying automated solutions is that it removes the incentive to invest in knowledge of the problem the solution was supposed to solve. Why pay money so that someone can learn how to solve a problem that has already been solved, right? For an enterprise, this makes perfect sense, and for a while it worked."
The result, however, has been that organisations are populated by information security staff members who may know how to operate the dashboards, but may not understand the underlying cause of the problems they display.
"Some vendors are still doing the 'here's our latest product that will solve all your problems' song and dance, and people are still buying it. This means that the very industry that is suffering from the skills shortage is actually contributing to it. And yeah, you could argue that it is the buyers themselves that are responsible for understanding the need for skills as well as products, but that's not really how the world works. Unless security people tell organisations that you actually need to understand endpoint security to do good endpoint security, that's just not going to happen," Lindh wrote.
"[I]t is kind of dangerous to rely on products that you have no idea what they are doing. In 2015, the option of letting a product solve your security problems on its own doesn't exist. Maybe it never did."
Turner is concerned that in trying to fix the problems, governments will make matters worse through a lack of consultation.
"There's a whole host of things that the internet's just going to be impacting massively -- every single aspect of it. So for politicians not to be across it, and to just go, 'Yeah, yeah, we'll let it all self-regulate and pan out in the end'? No, they're never going to do that," Turner said.
"[The government] is then going to want to be seen to be doing something, and doing something constructive. And if it's not being adequately informed, then it runs the risk of responding to either the wrong requests, or trying to put in legislation which actually doesn't help anybody at all."
From this writer's perspective, it seems that in 2015, organisations will need to make sure that governments are getting good advice, including their own viewpoints. Businesses will need to start building the skills of their information security teams. That will all take time.
So until then? Cross your fingers, and hope that the bad guys hit your competitors first.