The sensational IT security stories just seem to keep coming. Consider:
- Researchers at antivirus companies decoded a mysterious computer virus named Stuxnet, apparently authored by our own NSA and the Israelli government, designed to attack Iran’s nuclear equipment.
- Army Private Bradley Manning (now Chelsea Manning) stole hundreds of thousands of secret communications and videos and sent them to Wikileaks, which published them.
- Edward Snowden, working as a contractor, stole thousands, maybe millions of documents detailing how the United States gathers intelligence information and fingering pretty much every American IT equipment vendor and large service provider.
- 40 million credit card and PIN numbers are now up for grabs thanks to malware implanted in Target’s POS systems. And personal information stolen from other Target databases on 70 million more people are also now up for grabs.
- Apparently, Target is not the only retailer with a data breach. News reports of another breach at Neiman Marcus now fill the headlines. Others are sure to follow.
- And because of the Snowden revelations, the United States government stands accused of paying and/or coercing a Who’s Who list of American IT equipment vendors and service providers to aid in spying on foreign and American citizens. One breathtaking claim says the US Government paid $10 million to RSA, a leading IT security company and standard setter, to purposely weaken at least one of its encryption standards.
- That same United States government effectively forced a Chinese company out of the US market by accusing it of spying for the Chinese government, while at the same time it coerced and enticed American companies to help the US Government in its spying.
TV news reports paint a picture of the NSA as a group of trustworthy professionals gathering all this data to protect an unsuspecting public. I’m sure top professionals work for the NSA, but if the NSA is so institutionally smart, how did one rogue system administrator steal millions of documents and put the entire United States intelligence gathering capability at risk? What happened to concepts such as least privilege and levels of accountability? And why is the Stuxnet virus now in the public domain? Did the authors really believe it would remain secret as it wormed its way around Iranian computers, looking for targets?
Sensational security stories are not limited to the US Federal Government. The initial reports on the Target breach came on December 15, 2013. See this blog post. On Friday, January 10, 2014, Target disclosed another theft from the same breach involving personal information for 70 million additional people. Let this sink in for a minute – Target and an army of forensic investigators examined Target’s infrastructure in detail for nearly a month before finding evidence of the additional theft. How many other similar thefts have gone undetected?
The predictable result of all these revelations? Erosion of trust, finger pointing, shock, outrage, and hyperbole everywhere.
While government, the courts, and an alphabet soup of secret security agencies and large companies sort all this out, how much of this matters on Main Street and what should businesses and individuals do about it?
The core of all security products and practices depend on trust. That trust has been violated and that makes this critical on Main Street. Main Street companies can no longer trust their infrastructures are safe from government and criminal eavesdropping because the very products put in place to protect against it are tainted.
Great – we can no longer trust our IT infrastructure products. What do we do about it?
Consider replacing critical IT infrastructure components with components built using the open source model. Although this reads like arcane tech jargon, the concept is vital in today’s interconnected and insecure world. Two general methods exist for building the software we use every day for browsing the Internet, processing transactions, connecting phone calls, and everything else. These are:
With the proprietary model, one company controls everything about a product. Microsoft Windows, Microsoft Office, Apple IOS, Cisco routers, and many others use the proprietary model. The good about the proprietary model is, companies (hopefully) stand behind their products and offer support and accountability. The bad is, customers are left at the mercy of these companies and nobody knows what’s inside, which provides an opportunity for meddling by government or other bad guys.
With the open source model, one person or organization acts as a maintainer or lead developer of an ongoing project, and members of a world wide community contribute new features, bug fixes, and peer review. The development process happens in full public view, which means no government agency from any country has an opportunity to introduce secret “back doors.” Why would armies of thousands of unpaid volunteers do this? For the same reason I write articles for this blog – for the recognition, which hopefully leads to service revenue.
The major challenge behind open source is, community developed means community supported, which means nobody is accountable when things go wrong. To meet this challenge, companies such as Red Hat provide commercial support subscriptions for open source products. My company, Infrasupport, is a Red Hat partner. This provides the best of both approaches; accountability from the proprietary model and professional peer review from the open source model.
Enlightened IT departments will seize the opportunity from today’s supercharged security climate to secure their organizations’ IT assets using untainted, open source tools. These organizations will earn back lost trust and the rewards that come with it. The rest will bury their heads in the sand and hope the problem goes away. But the problem will not go away. Sensational stories will keep coming and market power will shift to those organizations with enough guts to take control of their own environments.
(First posted on my Infrasupport website on Jan. 13, 2014. I backdated here to match the original publication date.)