In 2009, I wrote a book published by Wiley. It was a collaborative effort with colleagues from the then famous Bell Labs, where I was working at the time. We called it Security in a Web 2.0+ World: A Standards-Based Approach. The book starts out by posing a few fanciful questions:
- What if we could jump ahead ten years to 2019 and look back in hindsight to 2009?
- What would we learn if we were standing here, as we are now in 2019, a decade into the future with the chance to look back in time?
- If we could see ahead into the future, what would the landscape of IT look like, good and bad, and where would we be with regards to protecting the IT and the business it supports, what we now call cybersecurity?
One outcome would be that nothing really changed, and the problems we had in 2009 remained basically the same, just grew bigger along with our IT dependency. The other outcome would be that we learned the lessons of our time by taking appropriate action to chart a safer, more secure IT operation, one where security and privacy were designed in, not bolted on.
What has time taught us?
The purpose of these fanciful thoughts when writing the book was to ask another question: Did we know in 2009 what we needed to do in order to get in front of the cyber challenges that would face us in ten years? The answer is yes, we did know. The basic tenets of defense-in-depth, the techniques, tools, and processes were all available then. We proposed that systems should first consider the likely threat, and that security design—including privacy—should then follow in a systematic way fitted to the threat analysis. We proposed a specific systematic way, initially called the “Bell Labs Security Framework,” that was later adopted as the ITU-T X.805 Security Recommendation. We stated that it’s not just the end-user data—but also the system data, metadata, and control/signaling that needs protection, as does the management of the systems.
The absence of these actions is also known—it’s been a mess. We know this in hindsight, as the examples are numerous. Social networks have traded our privacy for application access. Then they monetized that privacy. And now we are seeing how this loss of privacy can be weaponized, another interesting word—especially when thinking about how the Office of Personnel Management (OPM) lost the background reports on over 20 million people who once held or currently hold security clearances. We are just starting to understand the real cost of these privacy issues and how they manifest in other ways, like the integrity of our elections. Chipsets are part of the IT infrastructure. Can they be trusted when they come from a distant global supplier? Can the management of the systems be trusted when they are sold and provisioned by companies beholden to foreign governments?
How did these lessons align with our predictions?
The predictions we made in 2009 were borne out in many ways. We could play the same game today looking ten years ahead—and also answer it the same way. We do know. Maybe not with the perfect hindsight type of visibility, but with enough of an understanding of the problems and the solutions that we could take the appropriate action.
Taken to its extreme, the loss of privacy is the surveillance state, which can play out to different degrees. A good-citizenship score based on extreme surveillance of everything we do is one extreme. Developed countries are in various stages of this surveillance state and are approaching it in different ways—a work in progress, with some countries further ahead than others. Insecure IT systems are another part of the problem. The Internet of Things (IoT) makes the current problem far larger. The drive to expand the internet, to get everything connected, has its price. With regards to privacy, this price is the loss of what remains of our personal liberties, the kind that is needed to keep governments serving the people. It is the Faustian bargain of our day. This dependency becomes a weapon of political warfare, and the day may soon come when our dependency is also used in kinetic wars. Don’t believe this? Just wait around for another decade.
How do I know?
Problems don’t just grow—they reach a crisis point. I know this by looking back at my home town in Colombia. Once a sleepy backwater place—where life carried itself peacefully on the local commerce of plantains, oranges, and cacao—its port now caters to the shipment of cocaine, shipped off in locally made submarines. Peace has been replaced with violence and fear. And here we can see the first important lesson—security is important. It is our first order of business, to create a secure place where people and their institutions can blossom successfully. I have seen firsthand what happens when security fails, in Colombia, in the FBI, at the White House, and what the world looks like when trust has no root or consequence. The result is violence and fear.