Truth not trust – the importance of data integrity in the Networked Society
For the first time, we are hearing Tom Wheeler, head of the Federal Communications Commission in the US, start to discuss changes to regulation if cybersecurity is not adequately addressed by network providers. This is just a beginning. There is both need and opportunity to re-think what it takes to be safe in the Networked Society.
Every day another breach in online security is reported. On a macro level, companies are spending USD 46 billion per year to secure their operations, with 46 percent of them saying they will increase spending going forward. When breaches do happen, the payout and cost of insurance average about USD 950,000 and top out at around USD 3.5 million when you factor in pending claims and self-insured retentions.
On a micro level, individuals are losing control of their personal information, companies are losing control of their core assets, IPR, and some employees are even losing their jobs (for example, the CEO of Target). The larger cost to the economy is that trust in the digital society goes down.
Business and the economy need a predictable and deterministic environment to grow, where risk can be managed alongside investment and return. The World Economic Forum believes the lack of functioning cybersecurity threatens as much as USD 3 trillion of non-realized potential growth during this decade. If we are investing more but performing worse, something must be fundamentally wrong with the approach we are taking.
The problem we have today
Security today is over-reliant on encryption and access, both of which are proving to be false safe harbors. Both depend on the integrity of the underlying systems and the need to trust the people operating them. Neither dependency is reliable. It is predicted that 95 percent of networks are already compromised and that between 30 and 50 percent of security breaches are caused by people working inside the organizations. Put in raw terms, the CEOs who feel lucky right now have simply not discovered the cancer yet. Trust is proving not to be enough of a safeguard.
We need a new lens
We need to take a step back. We need to rethink the paradigm. Perhaps the sun does not revolve around the earth but rather the other way around. As computer networks have grown, securing their operation has focused primarily on managed access with trusted credentials and encryption via the same. But that is not why we use networks. We use networks to share and access information: intellectual property, trade secrets, customer pricing, sales funnels, technical differentiation, etc. And as the value of information explodes, and becomes more real-time and mobile, our exposure to compromise only increases.
Our sole purpose for using networks is to share information, yet we do not secure information, we only secure access.
The counter-intuitive paradigm shift
We need to assume networks are already compromised. This does not mean we stop investing in access control or encryption, etc. We do stop over-investing though. It does not matter how many walls you build if an intruder can enter through your front door, undetected.
There is a need to wrap data assets with a signature that is not dependent on secrets (as PKI, public key infrastructure, is), is non-repudiable, and is valid forever (unlike PKI). Fortunately, the mechanisms for this exist, using the mathematical model known as the ‘Merkle tree’. Any proof based on mathematics is independently verifiable by definition. The government of Estonia created such technology to safeguard their national digital systems. This infrastructure is known as Keyless Signature Infrastructure (KSI) and is now becoming available in other countries.
The information derived from a KSI signature means the asset’s chain-of-custody information, creation time, and authenticity information remain indisputable and can be subsequently trusted and verified without trusting or solely relying upon an administrator or a secret (such as a key or PKI credential). Instead, KSI uses a ‘proof-based’ method to accomplish authentication. Our forensic evidence then becomes portable across any cloud service provider or enterprise network.
Forensically, KSI signatures are based on mathematical proofs and keyless cryptographic functions approved by the EU and the US National Institute of Standards (NIST). These proofs and functions will withstand exploitation even with advances in quantum computing – meaning that assets signed by KSI will have proof information retained over the lifetime of the asset. The forensic evidence of the signatures makes legal indemnification issues easy to resolve – highlighting who, what, where, and when a digital asset was touched, modified, created, or transmitted. This evidence holds up in a court of law.
With the right instrumentation, nefarious behavior is immediately known and can be acted upon. You cannot be perfect at preventing crime, but you can be perfect at detecting it.
Three types of data integrity can be instrumented:
1. System-level instrumentation: All systems (switches, routers, servers) consist of software and logs. The software, configuration and logs can be signed and verified. If any unplanned changes happen then notifications can be immediately raised. This is a problem encryption can never solve. This destroys the first major weapon of any hacker – the hiding of changes and presence once they have compromised a system. The most expensive element of any breach is not knowing what has been changed, but where.
2. Data in motion: Critical information that transits through the legal domain of the operating entity. Is the data, when it is used or upon exit, as it was when received? If Target had such instrumentation they would have known not to upgrade their point of sale terminals. If the verification had passed they would have automatically been able to indemnify themselves and their CEO would still have a job.
3. Data at rest: When storing and receiving, is the data all the same? Immediately after storing? 10 minutes after storing? 10 years after storing? Can it be proven that the data is the same? This approach has been used to ensure non-hackable drone systems.
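A simplified sketch of the Merkle-tree, proof-based verification and the system-level instrumentation described above, added here as an example; it is not KSI's actual signature format or code. Records are hashed into a tree, and any single record can later be checked against the published root using only SHA-256 and a short hash chain, with no key or administrator involved. The record strings, function names and tree layout are assumptions made for illustration.

```python
import hashlib

def leaf_hash(record: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + record).digest()        # 0x00 tags a leaf

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()  # 0x01 tags an interior node

def build_levels(records):
    """Return every tree level, leaves first; an unpaired node is promoted unchanged."""
    level = [leaf_hash(r) for r in records]
    levels = [level]
    while len(level) > 1:
        level = [node_hash(level[i], level[i + 1]) if i + 1 < len(level) else level[i]
                 for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def make_proof(levels, index):
    """Hash chain for leaf `index`: a list of (sibling_hash, sibling_is_left)."""
    proof = []
    for level in levels[:-1]:
        sib = index ^ 1
        if sib < len(level):              # promoted nodes have no sibling at this level
            proof.append((level[sib], sib < index))
        index //= 2
    return proof

def verify(record, proof, root):
    """Recompute the root from the record and its hash chain; no secret is needed."""
    acc = leaf_hash(record)
    for sibling, is_left in proof:
        acc = node_hash(sibling, acc) if is_left else node_hash(acc, sibling)
    return acc == root

# Constructed sample records standing in for signed software, configuration and logs.
RECORDS = [
    b"router-1 running-config rev 42",
    b"switch-7 firmware 3.1.0",
    b"auth.log line 1881: login ok user=ops",
    b"pos-terminal image build 118",
    b"server-3 /etc/ssh/sshd_config",
]

def demo():
    levels = build_levels(RECORDS)
    root = levels[-1][0]                  # the only value a verifier has to obtain
    proof = make_proof(levels, 3)
    return (verify(RECORDS[3], proof, root),                      # untouched record
            verify(b"pos-terminal image build 119", proof, root), # unplanned change
            len(proof))
```

`demo()` returns `(True, False, 3)`: the stored record verifies against the root with a three-step hash chain, while the altered one does not.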
Securing data integrity is the only way to remove trust and replace it with truth. And since the proof is based on well-known and public mathematics, it is independently verifiable. There is no need to ever trust any messenger again, especially a messenger that may have another vested interest.
This becomes increasingly important as the world moves towards using shared infrastructure such as the cloud. The economics of the cloud are driving companies to use such approaches, but those that do so without data integrity instrumentation will enter a world more similar to the Wild West than Wall Street. At a fundamental governance level there is a need for such instrumentation to be required as a basic component of business operation. This will enable society to reap the benefits of sharing while at the same time ensuring a secure environment.
The World Economic Forum describes three possible future scenarios:
1. Continue muddling into the future where attackers are increasingly more effective against under-tooled and less agile target organizations.
2. There is a backlash against digitization causing fragmentation and stunted growth.
3. There is accelerated digitization thanks to robust cyber resilience.
Option 3 is preferred. Option 3 requires a new approach and paradigm. Option 3 enables truth to replace trust. Welcome to a Networked Society we all want to live in.
Keep an eye out for subsequent posts where we continue to explore different aspects of cybersecurity in the Networked Society.