WITHOUT STRONG PRIVACY, CYBER SECURITY IS A COMPLETE FARCE
It’s 2017; the DefCon and BlackHat conferences just took place this summer in Las Vegas, NV. BlackHat had over 15,000 attendees and some of the most innovative cyber security companies the world has ever seen. So far. Meanwhile, just down the road at DefCon, hosted in Caesar’s Palace, their team recommended you bring 6 terabytes of hard drives for them to fill with all the best of DefCon over the years: presentations, hacking tools and so much more. On one hand you’re hearing from infosec vendors that they all have a solution to ‘secure your network’ or ‘protect confidential data’; on the other, you’re watching hackers play ‘capture the flag’ and break into very secure networks and equipment, exploiting known and barely known vulnerabilities. You are living in an illusion if you believe that any of these cyber security products will actually protect the data. Most of the infosec vendors you’ll meet won’t talk with you at all about strong privacy. Read on and I’ll prove to you why, without it, cyber security is a complete farce.
It’s 1949; George Orwell has just published his dystopian novel “1984,” warning of a future world in which “Big Brother is Watching You.” Back to today: as the Snowden scandal and other CIA, NSA and FBI revelations have shown, government surveillance is omnipresent, covert and practiced on a global scale that Orwell might never have imagined.
It’s 1984; Apple Computer has just aired its historic TV commercial, concluding that with the introduction of the Macintosh “you’ll see why 1984 won’t be like ‘1984’.” Ironically, 33 years later, Macs and other personal computers have given birth to the knowledge revolution that transformed how information is created and shared worldwide, yet in many ways 2017 is “1984.” If you don’t understand why, you will never be able to understand why governments and hackers continue to have access to private information nearly whenever they want it.
When we think about strong privacy as infosec professionals, we usually think about best practices in key management, encrypting customer records and complying with government regulations that guard this private information, such as HIPAA/HITECH, GLBA or the EU GDPR. But have we stopped to think about, and even cross-correlate, how strong privacy should permeate more than just customer records? What about your personal privacy? What about your telephone conversations, your emails, what you had for lunch today, where you travel each day, what web sites you visit, who your close friends are and even what you choose to do in your own home, even your bedroom?
We have to start talking about strong privacy and why it is good throughout the entire product lifecycle, and why it is inherently needed in the sourcing of the hardware and software that make the internet work: in our PCs, smartphones, IoT gear, in everything we use.
On top of this we have the ongoing battle between Apple and the FBI in the name of National Security, which I’ve frequently talked and written about.
“National Security and safety for its citizens in any nation state, especially the US, is greater, when products from these countries are hardened, not weakened, containing no back-doors.”
– Gary Miliefsky, Cyber Security Expert
If you could afford any car for your family’s safety, you would probably choose a Volvo, because it’s hardened to protect you and your family in a crash. It’s the opposite of the 1976 Ford Pinto, which had a major weakness: when its rear bumper was hit, the car could catch fire and possibly explode. It’s hard to wake up folks in the US government to understand that GDP, revenues, taxes and overall citizen happiness increase when productivity and export sales increase. But who would want to buy a vulnerable phone, or a weakened firewall or router, because the FBI, CIA, NSA or some other three-letter agency asked for back-doors, keys and weaknesses in the encryption?
Could it be that national security, corporate security and consumer privacy actually go hand in hand? Does the British exit from the EU even hint at this fact? Think about it: they wanted less red tape and less paperwork; they wanted to build better products, control their borders and increase their jobs. National security in the UK will get stronger, not weaker, as a result. The same holds true with encryption: encryption is a strong border. Should you remove the border, remove the encryption and go “borderless,” what do you get? We all lose our privacy, corporations continue to hemorrhage data at a cost of billions, and national security remains at risk because it’s easier for the ‘bad guys’ to cross the removed borders and steal the data, mangle the data and, in the worst case, cause a horrific cyber terrorism event such as shutting down a weak and unencrypted power grid or causing unencrypted airline control systems to crash airplanes.
It’s time to reconsider our approach to national security. If our own government were to defend its networks with strong encryption, we wouldn’t see breaches like OPM.gov losing 22 million personally identifiable information (PII) records to other nation states such as China. Our government should start leading the charge, believing that strong encryption is good for the country. It requires more trust of corporations and citizens, because they too deserve to reclaim their privacy and not be victimized by the bad guys in the name of a false sense of security.
And remember, every time someone offers you extra convenient features for free, such as Google’s search engine, Facebook’s social media products or Microsoft switching its business model to make Windows 10 a free upgrade for everyone, they aren’t doing these things to be nice to you. These companies make money by selling your data to anyone from governments to advertisers. They have made billions doing so; they monetize you, and you become the product. When you use their products and services at work, you can’t assume the corporate firewall will ever protect your organization from massive data leakage. When you use their services on your own devices, like your smartphones, you increase the risk that the Bring Your Own Device (BYOD) offering your company provides for convenience has opened the back door to data leakage and data theft by way of their eavesdropping, tracking technologies and purposefully built back-doors.
Many years ago the US Navy put out posters saying that ‘loose lips sink ships,’ meaning that data leakage and data theft are bad things, which in turn means that strong encryption is a good thing. Build a strong ship so it won’t sink. Don’t purposefully build in or share weaknesses that would sink it. Encryption strengthens national security, and it also strengthens privacy.
I implore you to join us at Cyber Defense Magazine (CDM) in this philosophy by joining https://www.savecrypto.org/ and standing up for no backdoors. Stand up for strong privacy. Look for products and services from vendors who believe in strong privacy. They will be the guiding light in helping you reclaim your personal sovereignty, something many don’t yet realize is priceless until they lose it. Expect more from us on this subject here in Cyber Defense Magazine’s monthly edition of Cyber Warnings.
About The Author
Image Credits: Gary Miliefsky as seen on CNN discussing a major cyber attack against Russian banks
Gary Miliefsky is a globally recognized cybersecurity expert, inventor and founder of numerous cybersecurity companies including Netwave, QuickBuy, NetClarity and SnoopWall. He is a frequent invited guest on national and international media commenting on mobile privacy, cyber security, cyber crime and cyber terrorism, and has also been covered in both Forbes and Fortune magazines. He has been extremely active in the infosec arena: he is an active member of Phi Beta Cyber Society (http://cybersecurityventures.com/phi-beta-cyber/), an organization dedicated to helping high school students become cyber security professionals and ethical hackers. He founded and remains the Executive Producer of Cyber Defense Magazine. Miliefsky is a Founding Member of the US Department of Homeland Security (http://www.DHS.gov), the National Information Security Group (http://www.NAISG.org) and the OVAL advisory board of MITRE responsible for the CVE Program (http://CVE.mitre.org). He also assisted the National Infrastructure Advisory Council (NIAC), which operates within the U.S. Department of Homeland Security, in its development of The National Strategy to Secure Cyberspace, as well as the Center for the Study of Counter-Terrorism and Cyber Crime at Norwich University. Previously, Gary has been the founder and/or inventor of technologies and corporations sold and licensed to Hexis Cyber, Intel/McAfee, IBM, Computer Associates and BlackBox Corporation. Gary is a member of ISC2.org and is a CISSP®. Learn more about him at http://www.garymiliefsky.com/