"Sent from my iPad." That was in the footer of a long email trail sent to a dozen different parties, an email that originated from a barrister working on a multi-year, multi-million dollar legal case, sent from the steps outside court…
No one saw anything wrong with this.
In the SME world, where I have spent much of my time, it's not widely known that email is insecure by default. I'd also bet that the barrister didn't understand the potential breaches caused by a lost iPad. I wasn't even aware until a friend of mine, a forensic investigator, told me he regularly cracked iOS passcode security in under an hour.
That was seven years ago, and although iOS security has improved since then, one thing has not: it's hard for an average IT user to see or understand something as intangible as “security”. And therefore it's even harder to see or understand “insecurity”. But “productivity” is so obvious. Every working professional who always has a bigger 'TO DO' list than time available knows one thing – it's extremely convenient to read email “on the go”.
And therein lies the choice: would you like productivity, or security?
Astute readers will recognise that the question itself indicates a fundamental flaw in the fabric of computer systems: why should it be necessary to sacrifice one to have the other?
Perhaps the answer is rooted in history, because clear patterns are apparent. When engineers work on a new invention, they focus on “getting it to work”. This imperative precedes the need to “make it safe”.
An example is the trailblazing computer engineers who created the computer systems and networks we now know as the Internet. Making it safe only came later: Telnet was developed in 1969, but its secure equivalent SSH came in 1995. FTP was invented in 1971, but the first secure variant FTPS came in 1996. HTTP was invented in 1989, but it took three major attempts to create its secure equivalent HTTPS, available in 1996.
The problem is that while some insecure things have been made secure (notably HTTPS, without which e-commerce would not exist), we are nowhere near achieving overall security on the Internet. The sheer volume and severity of recent data breaches have shown how far away we are from a “safety by default” state. The problem we face today is that innovation and technology are developing at such a rapid pace that the catch-up game is becoming more and more difficult.
Email is not a secure medium of information exchange. So if I wanted to send my lawyer some sensitive documents, what are my alternatives to attaching them to an email? Ten years ago, I would've put them on a USB drive and used a courier or hand-delivered them myself. But today, it's common and convenient to use a file sharing platform like those offered by Google, Microsoft or Dropbox. Using such a service means that all connections are HTTPS encrypted, so we overcome the email insecurity problem.
But is it actually more secure than email? Yes, absolutely, it's 100 percent more secure, at the start, and it remains so until the situation changes so subtly that most people wouldn't even notice. Then it becomes horribly insecure. So much so that the potential data breach is many times larger.
Confusing? How can this be?
My lawyer's cloud storage account details could get phished. If the attack is successful, the hacker responsible would be able to see all documents in the account, including mine.
Due to the design of cloud systems, we are constantly forced to choose between productivity and security.
One huge inhibitor to productivity is having to type in and remember different passwords. So Google solves this problem by having one login for everything: Google Drive, Gmail, Google AdWords, Google Analytics, YouTube and Google Hangouts. This solves a productivity problem, but creates a security problem:
Let's say I share my documents with my lawyer on Google Drive. A few days later, she wants her marketing intern to upload a new video to YouTube to promote her law firm. The fastest way to do that is to write her login details on a Post-it note and give it to the marketing intern. Now, when the intern logs in, he has access to my lawyer's YouTube account, and automatically Google Drive, including the confidential documents I shared.
Chances are, the Post-it note remains stuck on the intern's monitor for the weekend, and the cleaner comes in. Now the cleaner has access to my lawyer's Google accounts, including my documents.
To compound the problem, it's likely that when I share documents with my lawyer, it's not just one or two documents, it's every document relating to every case I opened. It's access to all information, because who actually remembers to unshare specific documents once they are no longer used?
So would I have been better off just emailing the document in the first place? Quite possibly – at least a data leak from one email would be confined to those attachments, not every other document shared. But we just don't know. And “don't know” is simply not good enough. With GDPR becoming enforceable in a matter of weeks, “don't know” won't help prevent a data breach.
Ironically, the safest way for me to get sensitive documents to my lawyer is to copy them to a USB drive and hand-deliver it, but I don't have the time, so I'm forced to take a shortcut and choose a less secure option.
Computer security, and computer insecurity, are a complicated web of dependencies, as the simple example above shows.
Is it all doom and gloom?
The glimmer of hope is that history tells us things improve over time. The first Model T Ford was made in 1908, but people started having accidents and dying. So seat belts came along in 1959, the air bag in 1968, and anti-lock brakes in 1970. Now, safety is not an afterthought in automotive engineering; it's built-in.
In the digital world, cryptographers have long known that access controls cannot be relied upon, and people make mistakes. The failsafe solution is to encrypt the data using client-side encryption, with strict key access controls. But it has not been adopted because productivity overrides security. Encryption of data at rest is still not available in a form people can use productively. It is too hard to manage the encryption keys correctly (we can't even manage passwords), to access the data from multiple platforms, to move data between storage services and to share data with other users.
There are companies, including my own (focused on encryption), currently working on making sophisticated security systems as easy as putting on a seat belt. Hopefully we'll build the seat belts, air bags and anti-lock brakes for the Internet. The challenge is making safety so painless, so transparent and so easy, that the average user doesn't need to sacrifice productivity for security.