To all those fine folks out there who are interested in computer security, who take care of the secrecy of their passwords and other credentials, who protect their laptops and smartphone adequately with up-to-date operating systems and antivirus software, and who apply due diligence when developing and running their IT services and/or control systems, I would issue just two words:
THANK YOU!
Thank you for reading our articles. Thank you for showing an interest in privacy and security. Thank you for wanting to learn more about this. Thank you, because you are the generation who can get it right. Or better, as my generation of 1971 didn't screw everything up.
What’s gone before
Look, for example, at an ancient telephone – the one with a rotary dial. Back then, fear of being spied on was minimal, and only an issue if you annoyed your country. Today, we all carry small spying devices around that collect all our personal information and pass it on. Maybe not immediately to governments, but to big multinationals that make money from our personal data. The secrecy of the post has become WhatsApp, Threema, Signal and Telegram – each with their own privacy-preserving means (or not). With the cloud came the Wild West. Analogue cameras became Instagram and TikTok. Apple revolutionised our record and tape collection. CDs? Bah. MP3s? Not anymore. Linear television became Netflix, Amazon Prime and Disney+. Amazon and Google know much more about our shopping habits than the old neighbourhood shopkeeper ever did. And workout information now goes to Strava, Fitbit or the like. Mapping out the world. Our nicely cloaked private world has become frighteningly transparent and public. Orwell’s 1984 surveillance state at its best. At least there is a silver lining in the form of the European Union’s General Data Protection Regulation, which the big companies try to aggressively bend and small startups try to creatively circumvent.
Like with privacy, digitalisation over the past decades has tied our lives into symbiosis with technology. Physical security has become cybersecurity. Today, all the amenities of life are technology-supported. Depending where you are, this is the case to varying degrees. Consider electricity. In most of our countries, electricity is the One Ring that rules it all. No electricity, no cold food or (worse) medication. No electricity, no communication. No electricity, no fresh water, as water pumps need electricity. Similarly for fuelling stations. No electricity, no public transport. Going shopping? Erm, how did you pay last time? Of course, you might have some batteries left over, or a diesel generator. But in the long run? We live in symbiosis with a technology backbone. With electricity. With the control systems deployed for running this backbone. In the past, this backbone was threatened only by physical means – by conflicts. By nation states in an increasingly peaceful world. While we thought that those times were gone, our backbone is now much more susceptible to threats. No need for nation states anymore, when a small group of (state-sponsored) criminals can create havoc. Like the attacks on Saudi Aramco. Like Stuxnet against Iranian nuclear centrifuges. Like Russian hackers allegedly attacking Ukrainian infrastructure prior to the invasion of Crimea. Like the ransomware attacks against Maersk. Like the Conti ransomware group against anyone else on this planet. The COVID-19 pandemic and Russia’s war against Ukraine have shown how fragile our technological backbone has become, how inherently insecure it is and how easily it can be brought to a halt. Threats to this backbone won’t disappear.
And the future, the sunny world of clouds, requires even more backbone. More interconnectivity, more technology, more complexity. Ergo more vulnerabilities. And ergo more severe consequences. Self-driving cars talk to each other and to the traffic lights. Cities become smart. Cashless stores RFID your shopping basket and charge your credit card automatically. Your fridge orders missing items automagically, delivered by drone within 10 minutes. In this brave new Wild West, the genie is out of Pandora’s box. Our technological backbone needs reinforcement. The stupid internet of unsecure things needs improvement. The zillions of layers, virtual machines, containers, software interdependencies, agility, DevOps and just-in-time need experts to put the genie back in the bottle. To adapt technology such that it serves but does not burden. To bring security into every single layer by default. Making security an equal among other IT equals: functionality, usability, maintainability, availability and – security. While threats and threat actors will never give up (and will actually become more and more sophisticated), we need to counter the increasing number of vulnerabilities and keep the consequences of successful attacks at bay.
Now, enter you!
We will never have 100% secure systems – and those who promise this to you are either liars or salespeople or both. “Security will always be exactly as bad as it can possibly be while allowing everything to still function” (Nat Howard). Because we’re lazy and ignorant, because security is usually just a cost factor with limited benefits: security, convenience, cost – pick two. This makes security only as good as the weakest link in the chain of technology. This makes security a people problem. But this also makes security a problem that can be solved by people. You are the crucial generation. The first twists and turns towards a more privacy-preserving and secure future have started. Facebook and Google have been restrained from collecting data. WhatsApp becomes Threema or Signal. Security must again move into focus, joining the other —ities and reinforcing the CIA triangle: confidentiality (hush! for your personal life), integrity (your bank statement) and availability (giving you electricity when you need it). Actually, in industry this is instead the AIC triangle (availability: your supermarket; integrity: the soundness of the bridges you cross to get there; and confidentiality: Coca Cola’s secret recipe).
Since my generation failed to consistently, coherently, efficiently and effectively push those triangles through as it should have, the baton is now handed to you. Together, let’s break up the old mantra of “freedom, security, convenience – choose two” (Dan Geer) and see how we can still get all three deployed on an acceptable level. Open your mind to think secure and privacy-preserving. If you haven’t done so yet, learn how to prevent and protect, how to plan, design, develop and build secure and privacy-preserving applications, software and systems. How to operate systems in a secure and privacy-preserving fashion – finding weaknesses and vulnerabilities, detecting abuse and ensuring that sufficient log information is at hand, and using the magic means available to understand what happened if the evil bad has compromised your system: forensics, incident coordination and response.
In addition to the new round of WhiteHat and Zebra training sessions, which are coming up very soon, we’re happy to announce that dedicated online training courses on all security matters are now available to all of you at any time, with our thanks to the HR training team. The SecureFlag training platform provides hands-on courses, exercises and virtual environments for you to improve your skills in secure software development in your favourite programming language (demo video). Learn how to securely configure your systems, virtual machines and containers and how to securely operate your web and computing services. These new, dedicated courses are provided for your benefit and for the benefit of a secure organisation – to clean up the security and privacy mess. THANK YOU!
______
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.