Last year, my personal credit cards and banks were breached five times. Each time, I was informed by email and snail mail, a new credit card or bank account was issued, and I bought more monitoring for my credit or, in the case of one of the breaches, the company that was breached bought additional monitoring. About the fourth time, I started wondering why our industry doesn’t do something else. The traditional IT security model is dead, but we just keep propping up the body. Hope has become our strategy in the cyber security war.
Certainly, it’s not for lack of trying. Indeed, our toolkit is overflowing (PCI, ISO, and hundreds of acronyms). We pen test and code review and hack in and hack out to try to save our precious information. New security startups are being funded in staggering proportions. President Obama has promised more openness of information to try to win this war.
Yet, headlines are made almost daily by the likes of Chase, Sony, Anthem, Target and YouNameTheLargeCompany. I would put down cold hard cash that all of these companies had security programs that followed best practices. I bet they passed all their audits and pen tests. Some of them may even be using these innovative new companies that are making millions from our fear of being in the news. And, when I talk to Chief Information Security Officers (CISOs), they tell me each of the breaches was unique and that if the company had just followed the best practices, none of them would have happened.
Okay, I’ll buy that. But, then why are these Fortune 500 / Global 2000 companies being hacked into? Are they just careless? Are the bad guys really smarter than we are? I don’t believe either scenario. I think the model is broken and needs to be radically changed.
There are two primary drivers around security: financial and geopolitical. You could argue there are more, but these two areas cover 90% of the security industry. And with rare exception (Stuxnet comes to mind), almost all breaches have sensitive information as the driver. And that sensitive information is often a stand-in for your identity. With it, the bad guys can pretend to be you and buy big TVs and video games.
So, let’s change the model. What if we…
…make information public. That’s right. Let’s post our credit card numbers and even those pesky CVV codes on the back. (Better yet, let’s just do away with credit cards altogether, because at the end of the day it’s just a bank taking on the risk that you’ll pay back a loan.) Let’s post our social security numbers and our driver’s licenses. Let’s post everything. Overnight, the incentives to steal your data are wiped off the face of the earth. The dark databases are worth zero.
But, that’s insane! Well, we have to do the following if we’re going to open the kimono, if you will.
…ensure identity through physical attributes, not digital ones. Facial recognition, fingerprint recognition and two-factor authentication are strong candidates for ensuring that a transaction really comes from you, and banks are already adopting them. Certainly, the bad guys can steal your picture off Facebook, but it won’t matter if we also use geolocation to check that your phone is actually the device sending the picture.
…embrace new algorithms and processes. The blockchain algorithm looks promising for verifying transactions as well as for asset management, perhaps even your medical records. Apple Pay is using a good model, except that it forgot to authenticate the card to the user, so its fraud rate is high. But, if they solve that, it’s got potential.
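To make the "verify transactions" idea concrete, here is a small hash-chained ledger in Python. It is an added illustration, not code from the original post or from any blockchain project, and it deliberately leaves out mining, consensus and signatures: the only property shown is that each block commits to the hash of the one before it, so altering a past record is detectable. The transaction records are constructed sample data.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample records (not real transactions). Any JSON-serializable
# dict works as a payload, so the same chain could hold asset or medical records.
SAMPLE_RECORDS = [
    {"from": "alice", "to": "bob", "amount": 25},
    {"from": "bob", "to": "carol", "amount": 10},
    {"from": "carol", "to": "alice", "amount": 5},
]

GENESIS_HASH = "0" * 64  # link value for the first block


@dataclass
class Block:
    index: int
    prev_hash: str
    data: dict
    hash: str = ""

    def compute_hash(self) -> str:
        # Canonical JSON (sorted keys, no whitespace) so identical content
        # always produces the identical digest.
        payload = json.dumps(
            {"index": self.index, "prev_hash": self.prev_hash, "data": self.data},
            sort_keys=True, separators=(",", ":"),
        )
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def build_chain(records: List[dict]) -> List[Block]:
    """Append each record as a block whose hash covers the previous block's hash."""
    chain: List[Block] = []
    prev_hash = GENESIS_HASH
    for i, rec in enumerate(records):
        block = Block(index=i, prev_hash=prev_hash, data=dict(rec))
        block.hash = block.compute_hash()
        chain.append(block)
        prev_hash = block.hash
    return chain


def first_bad_block(chain: List[Block]) -> Optional[int]:
    """Index of the first block whose hash or back-link fails to verify, or None."""
    prev_hash = GENESIS_HASH
    for i, block in enumerate(chain):
        if block.index != i or block.prev_hash != prev_hash:
            return i
        if block.compute_hash() != block.hash:
            return i
        prev_hash = block.hash
    return None


def verify_chain(chain: List[Block], expected_head: Optional[str] = None) -> bool:
    """Whole-chain check; expected_head is a hash of the last block published elsewhere."""
    if first_bad_block(chain) is not None:
        return False
    if expected_head is not None and (not chain or chain[-1].hash != expected_head):
        return False
    return True


def tamper_copy(chain: List[Block], index: int, new_data: dict) -> List[Block]:
    """Copy the chain and silently rewrite one record (naive edit, no rehash)."""
    copy = [Block(b.index, b.prev_hash, dict(b.data), b.hash) for b in chain]
    copy[index].data = dict(new_data)
    return copy


def tamper_and_rehash(chain: List[Block], index: int, new_data: dict) -> List[Block]:
    """Rewrite one record and recompute that block's hash; later links still break."""
    copy = tamper_copy(chain, index, new_data)
    copy[index].hash = copy[index].compute_hash()
    return copy


if __name__ == "__main__":
    chain = build_chain(SAMPLE_RECORDS)
    print("intact chain valid:", verify_chain(chain))
    edited = tamper_copy(chain, 1, {"from": "bob", "to": "carol", "amount": 1000})
    print("first bad block after edit:", first_bad_block(edited))
```

The two tamper helpers show where the guarantee comes from and where it stops: editing a middle record breaks either that block's own hash or the next block's back-link, but rewriting the last block and rehashing it leaves a chain that verifies on its own. That is why real systems publish or replicate the head hash; passing it as `expected_head` is the stand-in here for that external anchor.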
Of course, some data is precious such as Intellectual Property and Government Secrets. But, that becomes a smaller problem to solve and isolate. Concentrate 100% on this data and forget the rest.
There are holes in all my scenarios. But, we need to begin dreaming of other ways to secure ourselves, since the likelihood that our personal information is already in the wrong hands is astronomically high.
Let’s reimagine security from the ground up and make the bad guys get a real job.