“The Editor’s Letter,” in the May 2017 issue of the Communications of the ACM (CACM) by Moshe Y. Vardi is about “Cyber Insecurity and Cyber Libertarianism.” The column is available at https://cacm.acm.org/magazines/2017/5/216316-cyber-insecurity-and-cyber-libertarianism/fulltext#
Vardi’s column recognizes the deficiencies in cybersecurity that I’ve been harping on for years. He writes the following:
“So here we are, 70 years into the computer age and after three ACM [Association for Computing Machinery] Turing Awards in the area of cryptography (but none in cybersecurity), and we still don’t seem to know how to build secure information systems.”
Actually, we do know how to build secure systems but, in general, we just don’t socialize the methods nor insist that stringent standards be created and followed.
Be that as it may, as Vardi implies, many computing professionals appear to believe that cybersecurity begins and ends with encryption. This fantasy may eventually be destroyed, especially as quantum computing threatens to provide the ability to break any and all existing encrypted files.
It’s really not clear whether encryption is at all effective in protecting sensitive data. After all, many hacks involve compromise of the application layer and, once into an application, hackers can readily access formerly-encrypted data since the application will decrypt the data in order to operate. We must determine how to secure applications throughout their lifecycles and encourage—or, better, force—developers to comply with security standards that can be enforced globally across all aspects of systems including application software, system software, firmware and hardware for systems and networks.
We are far from recognizing such a goal, but perhaps columns such as Vardi’s will elicit movements towards that goal. Certainly, readers of the CACM are among the most likely to be able to make this happen, if anyone can. But first you must create the awareness, as Vardi is trying to do. Then it is a matter of finding an international group that will flesh out the requirements, attract funding, and get the ball rolling. Perhaps the ACM is such a group. If it is, then the membership must be mobilized. I think that it will take more than Vardi’s column to make it happen, but at least it’s a start.
Interestingly, Vardi concludes his letter with the following somewhat surprising statement:
“The tech community has not been able to address the cybersecurity situation on its own; it is time to get governments involved, via laws and regulations. Numerous issues will have to be debated and resolved, but we must accept, I believe, that the cybersecurity problem will not be resolved by the market.”
I happen to agree that there must be enforceable policies and that government initiatives are perhaps the only mechanisms that could create such rules and effect compliance. But, in my experience, having testified on cybersecurity before Congress almost 16 years ago, many legislators do not have even a rudimentary grasp of technology-related security issues, much less the complex world of cybersecurity, as is evident from their recent responses (or lack thereof) to reports of hacking by the governments of Russia, North Korea, China, Iran, and other countries.
So, while Vardi makes a good point of involving legislators and regulators in the process, there is a prerequisite … namely, bringing policy makers up to speed so that they can make knowledgeable decisions as to what constitutes secure and safe systems and what must be done to accomplish this enormous goal.
This is a Security Bloggers Network syndicated blog from BlogInfoSec.com authored by C. Warren Axelrod. Read the original post at: http://www.bloginfosec.com/2017/09/11/global-cybersecurity-standards-another-plea/