By Aesh M. Daeva
Can you guess what that word might be? We've learned from recent events with Sony that spending top budget on top talent to apply best practices in cyber security are simply not enough. It will never be enough.Watching Sony bend over for North Korea at the end of 2014 was... difficult; it never should have happened. How did one of the biggest technology companies let Communists hack their production data? Why was production data even on a machine connected to the internet?
From my earliest professional programming days I have used a server technology I developed called Azreal. I called this technology Azreal because that's the name of an archangel whose black wings compose the material from which God made the universe. I liked that idea, so I named my software to remind me of it's purpose... to act as the material for all my projects. 20 years later it's still my most consistent money maker.
The implications of a god complex are entirely intentional, I swear!
Angels and demons are great metaphors when we personify forces beyond us. I've learned the hard way that IT is a humbling industry bursting with opportunity to take us beyond our limits but littered with far more failure than success. It's both unforgiving and yet fiercely loyal to those who are worthy. A hard lesson for Sony that we should all take seriously.
Sometimes we forget the inherent difficulty of technology when we take for granted its application in a business cycle. The increased risk and consequence of not just malfunction but also criminal intent. Both the power and the vulnerability of the internet is rooted in this simple fact. No one can ever control it all, not all the time. Not even the largest businesses.
The entire world has embraced ecommerce, which is a great thing for everyone, but with that has come a security obsession that I have always found ironic in its ineffectiveness. At times bordering on absurdity as I watched from the inside clients and colleagues alike spend enormous amounts of money hunting shadows and building digital locks stronger than the real locks protecting their own children. I have benefited from this perspective and learned what I could from working with the security operations of many organizations over the years.
Believe it or not, most are very secure. Don't believe the hype about wide open servers and ignorant managers. These people care, and they do more work than most realize to protect our information. The sad reality is that in spite of the effort of these good people there will always be technical and legal limitations, budgetary realities, and the "new method no one has seen before but is just around the corner" problem won't ever go away.
The composition of players have changed. The good guys(white hats) are easier targets for authorities. So they find themselves fighting both sides while the bad guys(black hats) are paid big bucks to risk profitable invasions on a daily basis. If it's not Bitcoin hacks then it's ransomware.
Any modern cyber security team, including the multitude of highly paid players at Sony are quite comfortable saying their network is secure to the general public, or even a sustained attack from thousands of machines. But thousands of highly trained, highly paid, coordinated specialists targeting every level of the business to infiltrate and infect. Well now that's something else entirely.
What have we learned from almost 15 years of web security? What we always knew. Encryption works extremely well and is cheap. People managed intelligence systems work pretty well but cost a lot. Password protection works ok, but humans error. And none of it works well enough. The same forces of the universe that grant victory to one army over another govern the outcome of cyber warfare which is not a metaphor but instead an apt description of the current state of affairs.
All network software must have a heavy focus on performance under encrypted circumstances as that is where we see the future of cloud applications. This is expensive and hinders development, but so long as there is only one internet carrying all data it's the best anyone can do. The benefits of a completely encrypted system are too many to list in this short article, but it still sucks extra resources just for the privilege of functioning.
Food for thought: How many non-encrypted emails have you sent with a password in it, anyway?
As to Sony, the cowardly company that wouldn't distribute "The Interview" because of North Korean digital extortion...
I think I'll skip buying that next game console. Had hackers stolen my personal info I would have still gotten the next console as I have owned all the PS's so far. I hope this makes it clear where my priorities are and what values I think Sony failed to protect.
Today's Reader List >> | Referral Links