Data Security: The (Dismal) State of the Art
The technology industry is broken and, under the guise of providing value, is actually polluting our future by releasing and profiting from inherently insecure tech. While the underlying causes of this failure might be debatable, the results are not. Pick up any newspaper, any online tech journal, and the evidence is there, in plain sight. There can be no denying it by now.
With an increasing tempo fast approaching a fever pitch, on any given day one can find fresh reports of yet another hack, exploit or breach of some kind against big data, and the companies and governments that have become dependent on technology to do business. In most cases, the victims of these attacks who end up suffering the most are the customers and citizens, not the businesses or government. It is our data that is stolen, our data that is exploited, and our data that is sold day in and day out on the dark web.
It’s not just the bad guys that are after our data. Corporations that we willingly and in some cases enthusiastically do business with also covet our data. And why not? An average user has a value ranging from about $15 to more than $40 for the purpose of determining the value of a stock. A full composite, including identity and financial history, is worth considerably more. Information about us has become an asset, and like any other asset is tracked and pursued by big business.
So they are collecting it at every opportunity, and storing it for later use. Even our televisions have turned the tables and are now watching us instead of the other way around. And once they have this data — once they store it — the current technology paradigm ensures that the bad guys now have it too. It also ensures that a government at war with its own population has access too.
Here too, we see a recent spike in the intensity with which governments have been attacking the notion that members of the population have a right to privacy — in our homes and with our data. We are told that the modern equivalent of our personal papers cannot be kept under lock and key. We are told that we must surrender all privacy when traveling, and submit to invasive searches of our person and property.
What has been the answer of the technology industry to all of these signs? What is the state of the art in protection for our data, and can the answers being offered even make a difference?
One thing we are told to do is to run anti-virus software on our computers. This helps to protect personal computers against individual exploits and vulnerabilities that allow a virus to take control of the system. This was a godsend in the early days of computing, when the industry was young, but what about now? What good is anti-virus protection in an age when most hacks are not against individuals, but the corporations holding their data on remote servers? Not much, especially considering that most hacks are now accomplished using social engineering and not technology.
The fact is that anti-virus protection does not address the attack surface any longer. While still not fully obsolete, it is nonetheless woefully insufficient in a world where most software runs on devices and not computers, and where most of our vital data is being held on remote computers.
Another technological solution offered is encryption. Encrypt your data, and no one can read it without a key. Encryption is a vital component of any data security strategy, but again we have reached the point where it is not enough. It is also usually bolted onto an existing product, not set up by default, and usually cumbersome to deploy successfully. But most damning is that it is entirely useless when a company or agency is holding our data, and they are not using encryption to do it.
Advocating for a complete reboot of the industry means just that — assumptions about how inventors, innovators and businesses design and deploy technology must be examined, and radically altered. This means that while we may be inclined to cheer when an influential company like Apple announces unbreakable encryption by default, we should stop and take a sober look instead. The fact is that they are, at the same time, collecting and storing our data and data about us, and no amount of encryption on our personal phones will protect this data.
But there are some glimmers of hope.
One technology, still in its infancy, offers the possibility of turning the entire paradigm on its head in favor of the user. This technology is the blockchain, an implementation of the concept of distributed data. By being anonymous, decentralized and redundant, this amazing technology offers the very real potential of real security for our data.
There are some large companies that are making headway towards realizing some of this potential. Some of the most interesting and visible of these are Microsoft, BitGo and MGT.
Microsoft now offers blockchain as a service, an exciting development that allows companies to reap the benefits of the blockchain without the obstacles associated with bootstrapping a new technology. BitGo has billed itself as the leader in blockchain security, and is working towards even more secure implementations of blockchain-based technologies.
But the most promising signs are coming from MGT, now under the direction of John McAfee. The recent acquisition of nearly 2PT of cheap blockchain processing in Washington is important because it lends credence to the rest of the vision. Existing in an intersection between technology and activism, McAfee has determined to bring blockchain technology to bear on the many, many threats to our security and privacy. And as of this writing, they are the only company I could find with plans to do so.
Their success, combined with the success of other endeavors like the Microsoft blockchain service and BitGo’s work to harden the blockchain, is critical to all of us. Cryptocurrency is a wonderful use for the blockchain. However, considering what is possible and necessary, stopping at Bitcoin is akin to using a particle accelerator to heat your home. You could probably do it, but imagine what else you could do.
Originally published at LoggiaOnFire.