Today’s headlines remind us that safety matters, in all its forms. The most important thing for those of us in the cybersecurity community is whether critical infrastructure works, whether defense forces can communicate, whether citizens have access to truthful information, and whether the technological foundation of national and economic security can be trusted and is available.
The last 30 years in cybersecurity have been characterized by two opposing forces. On the one hand, there is a desire to drive security and innovation in the information infrastructure. On the other, there is the hunt to find vulnerabilities and exploit them for criminal activities or activities of national interest.
Along the way, we’ve developed principles and some rules, and we’ve tried to push people to adopt best practices. These include: build security into the product from the start; security is about people, processes and technology; the advantage is with the offense; architect defense in depth; use a systems engineering approach to security; and companies must compete on security and privacy.
Fortunately, we have made progress in addressing many of these. Each of these is animated by several facts: the information infrastructure is global; commercial products are built once and sold globally; the same commercial product is used by consumers, critical infrastructure, governments and the military; and cyber laws, regulations, and public-private partnerships have real, global effects.
In addition to the now-usual plethora of proposals to improve the state of cybersecurity, several policy proposals involving competition and affecting security are under consideration. As a former cybersecurity executive and former chief of staff of the Justice Department’s Antitrust Division, these competition policy proposals have caught my eye.
As someone with an antitrust background, I am pleased to see a focus on competition, which is critical to the economy. As a security professional, I am concerned about the unintended consequences of some parts of these legislative policy proposals. A number of the competition policy proposals would force mobile phone manufacturers to allow unvetted mobile phone applications to be downloaded onto a device. That could include malware-ridden apps designed to obtain and use information about you without your permission, to spy on you, to steal your banking information, or to turn your phone into a brick.
Allowing apps that have not been vetted by the phone’s official app stores would circumvent the app stores’ effective technical and human security and privacy controls that now exist to keep consumers, critical infrastructure, and governments safe. Official app stores reject roughly one million applications per year and have significant security and privacy controls and requirements. Given that 85% of Americans use smartphones, the documented security benefits of downloading only from an official app store (as noted by DHS, NSA, NIST, GSA, and cyber agencies globally), and the rising tide of device exploits enabled by this “sideloading” of applications, the unintended adverse security consequence of this policy, if enacted, is predictable, critical, and avoidable. Whatever competition policy goals one may be trying to achieve, they must be achieved without undermining global security.
Things shouldn’t be so hard
I’ve long said that you shouldn’t have to be a chief information security officer to use technology; it just has to be safe. These days, over 75% of security incidents stem from social engineering or a human factor: tricking us into clicking a link we shouldn’t, sending information we shouldn’t, or changing a setting to let the bad guy in. Since we are human, denying untrustworthy apps the right to live on our devices in the first place makes sense. Because of today’s bad actors, you can’t just turn security on and off; experience shows us that bad guys will find a way to trick you into disabling security (for example, in the recent FluBot and FakeSpy criminal campaigns). Companies should not be forced to lower the level of their security.
Given the government’s interest in a secure information infrastructure, it is incumbent upon national security agencies to share their expertise with legislators on these issues. This is particularly true in this situation, where companies are doing what we’ve all asked them to do: compete on security and privacy. These are not trivial problems, and since these products are used in military, critical infrastructure, and consumer networks, they affect both the economy and national security.
So, in times like these, I hope we take the time to apply the required “safety screen” to all policy proposals: delve into their real, practical and technical effects on the market and on security, and make sure to avoid any unintended consequences – vital security is at stake.