It has been interesting to follow the recent spate of attacks on the systems of large companies including Apple and Facebook. The latest theory is that employees of those companies visited a website that served a zero-day Java exploit, which gave the attackers access to their computers. The site itself was apparently unaware that it was hosting malicious code. At least some of this activity appears to be connected to the Chinese military, which, not surprisingly, has denied any involvement.
All of this comes after my recent post about the increased interest in cyber defense, which in turn came before President Obama mentioned it in his State of the Union speech and issued a cybersecurity executive order. All the while, a renewed version of CISPA is making its way through Congress.
With all of this going on, here are some ideas for things that we should be working on:
First, we should not forget that we already have laws that are, if anything, too draconian. Let’s remember Aaron Swartz’s suicide and push to revise the CFAA to discriminate more clearly between actual malicious attacks and potentially legitimate activity such as site scraping.
Second, we need to stop treating supposedly private numbers as secrets. I should be able to publish my social security number, my credit card number and my bank account number without any negative consequences. These numbers should only ever be used to establish a route (that is, to identify which account a request concerns), never in and of themselves to authenticate or authorize anything. Authentication should ideally be based on a multi-factor scheme (something I know plus something I have), and authorization can and should happen in real time, at the moment a transaction takes place.
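As an added illustration of this point (example code written for this page, not part of the original post), the sketch below treats the account number and social security number purely as lookup keys, proves ownership with a salted password hash plus an RFC 6238 time-based one-time code from an enrolled device, and approves each transfer at the moment it happens with a fresh code rather than on the strength of an earlier login. The account record, identifiers, password and TOTP secret are constructed for the example; the in-memory store, the one-step clock-drift tolerance and the PBKDF2 round count are assumptions of the sketch, not a description of any real bank's system.

```python
import base64
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 100_000   # assumption for the example; tune for your hardware
TOTP_STEP = 30            # seconds per RFC 6238 time step
TOTP_DIGITS = 6


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. The site stores (salt, digest), never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a freshly derived digest with the stored one."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def totp(secret, unix_time, step=TOTP_STEP, digits=TOTP_DIGITS):
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation,
    the same computation an authenticator app performs on the device."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def verify_totp(secret, code, unix_time):
    """Accept the current step and one step either side to tolerate clock drift
    (assumption). A production service would also record used codes so a
    captured code cannot be replayed inside the window."""
    return any(
        hmac.compare_digest(code, totp(secret, unix_time + drift * TOTP_STEP))
        for drift in (-1, 0, 1)
    )


# Constructed sample data. The account number and SSN are stored in the clear on
# purpose: they are identifiers that route a request to an account, and knowing
# them proves nothing about who is asking.
_SALT, _DIGEST = hash_password("correct horse battery staple")
ACCOUNTS = {
    "acct-1234-5678": {
        "ssn": "123-45-6789",
        "pw_salt": _SALT,
        "pw_digest": _DIGEST,
        "totp_secret": base64.b32decode("JBSWY3DPEHPK3PXP"),  # enrolled device
        "balance": 1000,
    },
}


def lookup(account_number):
    """The identifier's only job: find the account."""
    return ACCOUNTS.get(account_number)


def authenticate(account_number, password, code, unix_time):
    """Something you know (password) AND something you have (device code)."""
    acct = lookup(account_number)
    if acct is None:
        return False
    knows = verify_password(password, acct["pw_salt"], acct["pw_digest"])
    has = verify_totp(acct["totp_secret"], code, unix_time)
    return knows and has


def authorize_transfer(account_number, amount, code, unix_time):
    """Real-time authorization: each transfer is approved when it happens, with a
    fresh device code, rather than being implied by an earlier login.
    Returns the new balance on success and None on refusal."""
    acct = lookup(account_number)
    if acct is None or amount <= 0:
        return None
    if not verify_totp(acct["totp_secret"], code, unix_time):
        return None
    if amount > acct["balance"]:
        return None
    acct["balance"] -= amount
    return acct["balance"]


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(ACCOUNTS["acct-1234-5678"]["totp_secret"], now)  # what the device shows now
    print("login:", authenticate("acct-1234-5678", "correct horse battery staple", code, now))
    print("transfer 250:", authorize_transfer("acct-1234-5678", 250, code, now))
```

Note what the account number and SSN do and do not do here: they select the record, and an attacker who knows both still cannot log in or move money without the password and the current device code. The password is never stored, only a salted PBKDF2 digest, and the transfer step asks for a code again instead of trusting the session that the login created.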
Third, as individuals we should not assume that our information is safe or that its privacy can be assured. For instance, you cannot use the same password across all sites: there are still sites out there that store passwords in clear text, so a breach of any one of them exposes that password everywhere you reused it. Systems that try to give us a semblance of private control over information, such as SnapChat, are likely providing a false sense of security.
Fourth, government and investors should encourage the formation of private companies that deal with security. I believe solutions distributed among several competing commercial players are preferable to handing more data to government agencies.
Fifth, we should all evaluate how much we are contributing to the existence of monocultures or highly centralized services. On the one hand, companies such as Google and Facebook can invest a lot in security; on the other, they represent incredibly juicy attack targets. I am definitely personally guilty of having a lot of my information in such places.
I am sure there are more sensible ideas that we should be pursuing. I think it is critical at this time to enumerate these and double down on everything that does not require giving the government more power. I welcome any and all additions to the list above.