The Key To Security Is Being Open
Attackers bank on companies reinventing the wheel — rather than sharing threats and solutions.
The way the security community is approaching defense is a bigger threat than any single flaw on its own. Too many companies are reluctant to share technical information about threats with each other, and most open platforms and tools don’t see widespread adoption. As a result, lots of us are reinventing the wheel and solving the same problems without realizing that our neighbors have already built great solutions.
Attackers are able to amortize the cost of exploit, malware, and infrastructure development across many targets. Threat sharing platforms like ThreatExchange, now with more than 200 participating companies, are starting to encourage the openness and collaboration that we need for collective defense. Creating technical means to share threats is just the beginning, however, as we still need to directly challenge the traditions that have led most companies to keep their security designs and experiences hidden away.
Attackers have plenty of incentives to reuse the exploits they write against lots of different targets, and recent incidents have proven that attack tools can be reused effectively many times while defenders each struggle in their own little bubble.
We are going to be most effective as an industry if we embrace collaboration and openness to develop the best tools to combat these threats and resist efforts to keep threat information proprietary and hidden.
Looking ahead to the next five to ten years, as potentially billions more people come online for the first time, we will have a whole new set of security challenges on our hands. Developing safe products for people around the world will mean accounting for a much wider variety of devices, networks, infrastructure, and political environments. Right now the proliferation of affordable smartphone technology has both created incredible individual opportunities along with the risks that come with a fragmented ecosystem of unpatchable devices. Ten years of embedding intelligence into every possible manmade object may lead to life-enhancing benefits while also turning today’s irritating security flaws into matters of human safety. The responsibility to design secure systems that are intuitive, fault-tolerant, and flexible enough to meet these shifting circumstances will fall to all of us. I’m personally passionate about working on these big problems that are going to bring so many of us together. If there was ever a reason to encourage young, talented engineers to enter the security field, this one is it.
The Future of Security Roundtable is a Google-sponsored initiative that brings together thought leaders to discuss how we can best protect ourselves from the data breaches and security risks of tomorrow. Panelists are not affiliated with Google, and their opinions are their own. Read the post that kicked off the roundtable here and feel free to join in the conversation.