Blog

The Key to Security's Heart...

...is no key at all. Yes, it's Valentine's Day, so I wanted to at least get a tie-in. Thanks to encryption, it wasn't hard. What am I talking about, you ask? Well, let me back up a little.

...is no key at all. Yes, it's Valentine's Day, so I wanted to at least get a tie-in. Thanks to encryption, it wasn't hard. What am I talking about, you ask? Well, let me back up a little. During his State of the Union address Tuesday night, Obama spoke about his executive order that gives federal agencies the ability to share "cyber threat" information with the public sector. Yesterday everyone throughout the IT security industry was a-buzz about what it all means. Jack Whittaker put together an analysis on ZDNet. The section I want to talk about in particular: Will the US be sharing classified material with those in the private sector? There is still a lot of work to be done on the "framework" in order to ensure that US classified material remains classified, and that threats can be unclassified if need be. Sometimes, threats come in that relate to a certain country, group, or person, and this remains US classified material. One of the ways that this information could get passed on to private industries is if certain classified bits are blacked out — or "redacted" — but sometimes the most important parts are actually in the redacted zone. From the text, reports that need to be passed on to owners of critical infrastructure will likely remain classified. The way to pass this on outside of the government is to someone, or a handful of people, at that private sector firm who already has, or is suitable to obtain, US national security clearance. Homeland Security and the attorney general, along with the director of national intelligence, will establish "a process that rapidly disseminates the reports produced pursuant to section 4(a) of this order to the targeted entity" to ensure that the classified or sensitive material will go to those who need it, when they need it, without violating the privacy of others. Again, there's still no word from the White House on exactly how citizens' privacy will be protected. In a "fact sheet" released by the Obama administration earlier today, there was not a single mention of privacy or civil liberties. These files will likely be heavily audited to ensure that any unauthorized access will be logged so that appropriate action can take place, just as it is on the inner walls of the government and law enforcement. These classified materials will only be given to those who possess US national security clearance while in the private sector, and will likely be limited to just one or a few people in each organization. To make sure that these designated people — likely chief security officers and other security personnel — have the correct clearance, the process in which they are vetted will be sped up. The appropriate authorities will: Expedite the processing of security clearances to appropriate personnel employed by critical infrastructure owners and operators, prioritizing the critical infrastructure identified in section 9 of this order. What will private companies share with the government? The order has laid out the plans for the information "exchange", in which private companies can share information about their networks, security, and infrastructure with the government. But because companies like Microsoft, Google, Facebook, and so on are not part of this framework consultation yet, your personal data is safe. At least, for now. It appears, from this order, that only data relating to their networks and infrastructure — rather than information relating to you, which CISPA would have allowed private firms to share with the government — will be passed on. By submitting information about their systems, it can allow the government to issue specific warnings based on the information they have, such as vulnerabilities in networking hardware or about third-party suppliers of technology equipment. From the text: Information submitted voluntarily ... by private entities under this order shall be protected from disclosure to the fullest extent permitted by law. The framework will be technology neutral, and aimed at addressing security gaps in the computer networks of critical infrastructure, such as the electric grid, water plants, and transportation networks. That said, the fact that some items, such as emails, what's contained in storage, IP records, and suchlike, were not defined or even mentioned may open the order to misinterpretation or abuse. It also leaves room for Congress to fill these gaps with proposed legislation — and history tells us that Congress is not a place where many technologists reside. The order will be implemented in various government departments in the next 120 to 150 days. A draft version of the framework is due in 240 days, and the final version will be published within a year. While the executive order lays out a framework for secure data sharing, there is a lot of concern for how exactly the data wil be protected. It's pretty clear that redaction and data masking are key technologies that can allow this to happen. Encryption is another one, however, it is expensive in labor and risky if the key is lost. The issue that it does not address is the safety of private citizen's data, or what data is shared with who. It just says they can share data to protect from threats. I would say that secure and safe data sharing should include clear rules for the masking of private citizens data unless approval from the appropriate authorities is obtained (a judge). But overall, as I said in the beginning, the key to keeping private data secure is to have no key at all- mask the data. Or as we say with DMsuite: set it and forget it.