How can we manage security in a world built on Open Source and Cloud?
Innovation is the death of cybersecurity.
Consider the rise of IoT and wearables. These technologies have developed rapidly over the last few years, gaining traction not just within the business and technology sectors, but also creating a buzz within the general public, who can’t wait to get their hands on the latest exciting technology trend. Trends such as these present a significant challenge to cybersecurity professionals and white hat hackers. Why? Because they develop at an impossible pace, leaving their niches and entering the public sphere well ahead of any security solutions to the hazards they present.
But this goes beyond the isolated incident of someone hacking your Fitbit to gain access to your data. As we bridge the gap between hardware and software, and as software becomes more and more embedded in everyday life, the lines between cybersecurity and surveillance become blurred, and the thirst for innovation becomes a thirst for danger.
But I’m not saying we should all become Luddites. Contradictorily, and somewhat confusingly, stagnation is also the death of cybersecurity.
May’s worldwide WannaCry ransomware attack proves just this. The majority of businesses and NHS Trusts hit by the worm were running Windows systems that were either no longer supported or had not received the MS17-010 update Microsoft had published two months earlier, leaving the SMBv1 flaw it exploited wide open. At the same time, however, the infamous celebrity iCloud hack three years ago showed that even the largest systems built and maintained by tech giants can be attacked. In that case the way in was not a flaw in the platform but phished and guessed account credentials, a reminder that the weakest point is often the account rather than the infrastructure. It seems like a lose-lose situation: invest in the latest big technologies and find yourself vulnerable to little-known kinks in the armour, or refuse to partake and find yourself vulnerable anyway.
The paradoxes of cybersecurity mirror those of the wider software world. On the one hand we’ve never felt more powerful. When it comes to technology, change feels inevitable and exhilarating. Yet the more powerful we feel, as both consumers and programmers, the more we remember that the tools that build these products, that help us manage huge projects and infrastructures, are largely built and maintained by communities. It is precisely because those tools of apparent progress are democratic and open that they can be undone, and used against the very things they build.
Open Source is undoubtedly one of the reasons that cybersecurity has become an increasingly challenging issue: the same handful of libraries and frameworks are reused across thousands of products, so a single flaw in one of them lands in all of them at once, and attackers can read the code as easily as defenders. But what about how we use software? In particular, the role of the cloud in managing software and delivering services has had an impact. Our devices, and consequently our digital lives, are no longer intermittently connected to the ‘world wide web’. Instead, we are continuously in communication with ‘the cloud’, meaning that information and services are always available. Much like the innovation-hungry enthusiasts who buy into wearable tech as soon as it’s available, frictionless user experiences seem like a great development, giving users the freedom to access the world from wherever they may be. But they’re pretty useful for cybercriminals too: an always-on, always-reachable account is always exposed. We’re powerful in that the cloud gives us the ability to do anything, anywhere, but it is this very fact that makes us feel powerless in the event of a cyberattack.
This catch-22 is wedded to our contemporary experience of control and connectivity: we want software that is built around our lifestyles, but it comes at a price. Ten years ago, the most essential step to being ‘safe’ online was to make sure your firewall was active and your antivirus was up to date. Today that’s easier said than done. When our multiple devices access a range of networks, from airport Wi-Fi to mobile data, in the space of a few hours, it’s hard, or even impossible, to keep up.
And this issue isn’t just one for everyday consumers; it’s a problem for cybersecurity teams developing the products we need. Security is built on the notion of stability. But this is antithetical to today’s lifestyle and technological demands. So what can we do to keep our systems, our data, our information, and our infrastructure, safe?
How we learned to stop worrying and love hackers
The emerging phenomenon of the cybersecurity hackathon might just be the solution we’re looking for. Hackathons and bug bounty programs see individuals, from seasoned security experts to friendly neighbourhood amateur hackers, testing and exposing vulnerabilities, finding ways in and around a huge range of software infrastructures. Last year’s ‘Hack the Pentagon’ program, the U.S. Government’s first bug bounty, saw more than a thousand registered security researchers report 138 valid vulnerabilities in public-facing Department of Defense websites, the first being uncovered in just 13 minutes. Strictly speaking that was a bug bounty rather than a hackathon, but the principle is the same: pay outsiders to find what your own team missed, before someone less friendly does. The most reported story from the event was arguably the one of 18-year-old high school student David Dworken finding six bugs in US Defense Department websites.
Similar events are happening all around the world, showing that developing security skills (pentesting in particular) can be invaluable, and maybe even the best way to learn how software really works.
In 2015, UK broadband company TalkTalk fell victim to a huge cyberattack that put 157,000 customers’ data at risk. Shortly after, several teenagers, not dissimilar in age to Dworken, were arrested in connection with the incident. In short, gone are the days when you could guarantee security with your software package and rely on your contact at Oracle for support. Most attacks originate outside the system or organisation they hit. And with the GDPR just over the horizon, businesses can’t afford not to take an external approach to their security. If, in 2017, 18-year-olds can be responsible both for your breaches and maybe even your security (just take a look at the researcher who stopped WannaCry in its tracks by registering its kill-switch domain, at home, in his bedroom), it makes sense to replicate those external threats when trying to identify vulnerabilities and protect yourself. It’s also important to acknowledge that you can’t cover everything internally. It’s easy to be hubristic, but hubris is very often the first sign of weakness.
The way forward
But are hackathons enough? Should we give greater consideration to our cybersecurity, both as individuals and organisations? Instead of a problem to consider at the end of a development process, we should treat accessibility and security as design questions. We should think of them as user experience issues. By doing so, we can begin to use software in a smarter and safer way. As individuals, that might mean thinking more carefully about our digital footprint, and the data we allow organisations to access. And yes, that includes managing our passwords a bit better (unique passwords, a password manager, and two-factor authentication wherever it’s offered), even if I have to say so in 2017. For businesses, it may mean aligning cybersecurity with UX and Information Architecture questions.
Yes, cybersecurity is definitely a software problem, but it’s also much more than that. It’s a design problem. It’s an issue about complex software systems interacting with the real world in all its chaos. It’s about how we view security and technology, and our thirst for one and our disregard for the other. It’s about how we need to view these things not as separate entities, but as one issue.
Innovation is the death of cybersecurity, but an innovative view on how we consider it might just be its saviour.