Last year, Tanium Inc. ran a series of full-page ads in the Wall Street Journal with headlines such as “We Are Spending $160B This Year on Security Solutions That Are Failing To Protect Us” and “Why Is Cybersecurity Getting Worse?”
We’ll answer Tanium’s question shortly, but first let’s update that spending to nearly $200 billion this year. Yes, spending on that which doesn’t work is increasing rapidly. That’s because security is what I call a WTI. Here’s how I define a WTI in my additions to Ambrose Bierce’s Devil’s Dictionary:
WTI: (Acronym for Wrinkle Treatment Industry) An industry that thrives only as long as its products don’t work.
A dysfunctional part
Now, the failing security industry is not as nefarious as that may make it seem. Its participants were set on their dysfunctional path years ago and, well… you know, inertia. I think I have a good perspective on the origin of the problem. And here I must admit to some culpability. In 1967 the Air Force sent me to school to learn how to program the Burroughs B263 computer in its assembly language.
By the time I got out of the Air Force and into industry, experts were warning management to start thinking about security. Around that time, a truly brilliant system called PKI was being invented. PKI would provide both security and manageability.
However, the inventors of PKI were mathematicians and cryptographers. Even if by some coincidence they happened to cross paths with business people, they spoke the language of advanced math and cryptography. They might as well have been speaking Urdu.
So, management looked elsewhere for people who could talk to them about security in language they understood. They found young programmers like me. Security? Sure, I can tell you about that. It’s like Power Rangers. You identify the bad guys and capture ’em because that’s what people our age understood. You know, from cop shows and cartoons and war games. I was not a security developer myself, but I knew the culture.
Now, management surely knew that security in their physical building called for ID badges, establishing who’s accountable for what happens while they’re in the building. Security is about designing spaces and systems to establish accountability. It’s not about capturing bad guys. How do you tell just by looking at a stream of bits who’s a bad guy anyway? Might as well ask the lobby receptionist in your building to identify who’s bad and who’s good as they walk in the door!
Instead, of course, we ask the receptionist to get some ID to establish accountability while they’re in the building.
So, management understood real security in a way that we young geeks did not. But… management was completely baffled by computers. We, on the other hand, were clearly comfortable with the newfangled things. Management decided that they’d better follow our lead when it comes to security. BIG mistake.
But cultural assumptions do tend to persist, even past their prime. And so today, many decades later, that’s what we still have. Security based upon a twenty-year-old’s view of a world of power rangers, World of Warcraft, and NCIS. Meanwhile, those PKI folks – who really DID understand security based upon spaces and systems of accountability – never got to work with business people to apply PKI in the real world. If PKI is deployed correctly, it brings new effectiveness and efficiencies to all aspects of an organization’s information infrastructure. Real, robust, effective security is just a byproduct, a bonus.
“Deployed correctly” is the key. PKI deployments have been typically planned and managed by PKI experts, who still tend to speak the language of mathematics and cryptography – and who frankly tend to have much less understanding of how organizations work than is necessary for the job. To go way out on a limb here, they also tend not to understand the main value of PKI, which is personal accountability.
It’s accountability, stupid
My team has compiled a list of ten reasons why PKI has had such difficulty being deployed properly, but let’s cut to the chase. PKI, when done right, is about personal accountability. It’s not about tunnels between machines and browsers – or at least it shouldn’t be. Look at it this way: protecting an organization’s information infrastructure has a lot in common with protecting its physical premises. That job has two parts. First, there is the person in the basement watching monitors showing the building’s entry points, and watching for anomalies. Second, there is the lobby receptionist, watching to ensure that everyone entering the building has a badge, or else stops by his or her desk to present a form of ID and get a visitor badge.
Guess which one is the more important part of physical security. It’s the receptionist of course. That’s because real security is about accountability. It’s not about catching bad guys. Can you imagine a building manager instructing the lobby receptionist to determine the intentions and character of everyone who walks through the door? Of course that would never work!
And yet the assumption behind almost all digital security is that it’s possible to determine the intentions and character of the sender of a stream of bits. If you think about it, besides providing a pleasant working indoor climate, isn’t a building just a set of accountability spaces? You tend to know who’s in a room with you. Rooms in buildings are designated for certain purposes, to be used by certain people who have business being in that room to accomplish those purposes.
A properly deployed PKI is built on personal identity certificates. Not server certificates, not departmental code signing certificates, not certificates of any type that do not require a signature from the private key of a personal identity certificate. Result: pervasive accountability. Who has access to what, who did what when, who is getting the decryption key for that encrypted file, etc.? We talk a lot these days about eliminating passwords, but how do we do that while assuring that people are who they claim to be?
The answer, once again, is personal digital identity certificates – deployed properly.
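The rule stated above, that a non-personal certificate is issued only on the signature of a personal identity certificate, can be written down as an issuance policy. The following Go program is an added example and is not code from this article or from any of the author's projects. It creates a root CA and a personal identity certificate for a person, accepts a server-certificate request only when that request is signed with the person's private key and the person's certificate chains to the root, and produces the audit record (who authorised what, when) that the text calls pervasive accountability. The root CA name, the person "Alice Example", the host name www.example.test and the timestamp are all constructed for the example, and the test for "personal" (an end-entity certificate carrying the digitalSignature key usage) is an assumption of the example, not a rule from the page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity pairs a certificate with its private key; AuditRecord is what the policy yields: who authorised what, when.
type Identity struct{ Cert *x509.Certificate; Key *ecdsa.PrivateKey }
type AuditRecord struct{ Who, What string; When time.Time }

// Endorsement is a server-certificate request signed with the private key of a personal identity certificate.
type Endorsement struct {
	ServerName string
	Requested  time.Time
	Signer     *x509.Certificate // the personal identity certificate
	Signature  []byte            // ECDSA signature over digest(ServerName, Requested)
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a P-256 key and a certificate for cn signed by parent (self-signed when parent is nil).
func issue(cn string, isCA bool, usage x509.KeyUsage, parent *Identity) *Identity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: usage,
	}
	if parent == nil {
		parent = &Identity{Cert: tmpl, Key: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Cert, &key.PublicKey, parent.Key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &Identity{Cert: cert, Key: key}
}

// digest binds the request's content and time into the value the person signs.
func digest(serverName string, at time.Time) []byte {
	h := sha256.Sum256([]byte(serverName + "|" + at.UTC().Format(time.RFC3339)))
	return h[:]
}

// Endorse has a person sign the request for serverName with their identity key.
func Endorse(person *Identity, serverName string, at time.Time) Endorsement {
	sig, err := ecdsa.SignASN1(rand.Reader, person.Key, digest(serverName, at))
	check(err)
	return Endorsement{ServerName: serverName, Requested: at, Signer: person.Cert, Signature: sig}
}

// Authorize enforces the policy: a server certificate is issued only when the request carries a valid
// signature from a personal identity certificate that chains to root; the returned record names the person.
// "Personal" here means an end-entity certificate with the digitalSignature key usage (an assumption of this example).
func Authorize(root *x509.Certificate, e Endorsement) (AuditRecord, error) {
	if e.Signer == nil || e.Signer.IsCA || e.Signer.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return AuditRecord{}, fmt.Errorf("signer is not a personal identity certificate")
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := e.Signer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return AuditRecord{}, fmt.Errorf("identity certificate does not chain to root: %w", err)
	}
	pub, ok := e.Signer.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, digest(e.ServerName, e.Requested), e.Signature) {
		return AuditRecord{}, fmt.Errorf("endorsement signature does not verify")
	}
	return AuditRecord{Who: e.Signer.Subject.CommonName, What: e.ServerName, When: e.Requested}, nil
}

// Scenario builds a root CA and a personal certificate for "Alice Example" (all names constructed for the
// example), exercises the policy, and returns Alice's audit record plus whether two non-compliant requests were refused.
func Scenario() (AuditRecord, bool, bool) {
	root := issue("Example Root CA", true, x509.KeyUsageCertSign, nil)
	alice := issue("Alice Example", false, x509.KeyUsageDigitalSignature, root)
	when := time.Date(2024, 5, 1, 9, 30, 0, 0, time.UTC) // constructed timestamp
	e := Endorse(alice, "www.example.test", when)
	rec, err := Authorize(root.Cert, e)
	check(err)
	_, errCA := Authorize(root.Cert, Endorse(root, "www.example.test", when)) // signed by the CA key: no person behind it
	e.ServerName = "other.example.test"                                       // request altered after Alice signed it
	_, errAltered := Authorize(root.Cert, e)
	return rec, errCA != nil, errAltered != nil
}

func main() {
	rec, refusedCA, refusedAltered := Scenario()
	fmt.Printf("%s authorised %s at %s; refused CA-key request: %v, altered request: %v\n",
		rec.Who, rec.What, rec.When.Format(time.RFC3339), refusedCA, refusedAltered)
}
```

Run it with `go run`. The first request yields the record "Alice Example authorised www.example.test at 2024-05-01T09:30:00Z"; the second is refused because it was signed by the CA's own key, which identifies a machine rather than a person, and the third because the host name was changed after Alice signed, so the signature no longer covers the request. In a real deployment the audit record would itself be logged and signed so that the chain of accountability survives the issuance event.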
Wes was the sole founder in 1981 of Delphi Internet Services Corporation, "The Company That Popularized The Internet" according to Michael Woolf, and was the creator of the world’s first online encyclopedia. At the time it was sold to Rupert Murdoch's News Corporation in 1993, Delphi had been profitable for years and was among the four largest social networks, along with AOL, CompuServe and Prodigy. In 1986, while CEO of Delphi, Wes launched a spinoff, Global Villages, Inc. to serve magazine publishers and business clients with their own private-label social networks.
Wes focused the attention of his new team on the need for reliable identities of individuals on the Internet, starting with the development of the VIVOS Enrollment Workstation. While developing VIVOS, Wes began collecting source material for a book about a hypothetical world public key infrastructure, built upon digital certificates representing measurably reliable identities, which would bring authenticity to online interactions and privacy to individuals. As the book began to take shape Wes was introduced to a group at the International Telecommunication Union that was attempting to implement a world PKI that was similar to the one he envisioned. Wes was subsequently appointed to the High Level Experts Group at the ITU's Global Cybersecurity Agenda. In an address in 2008 to the United Nations World Summit on Information Society in Geneva, Wes introduced the City of Osmio, a new certification authority. Wes’s book, entitled Quiet Enjoyment, published in 2004 with a second edition in 2014, was followed by Wes’s other titles including Don’t Get Norteled in 2013 and Escape The Plantation in 2014.