Showing posts with label security. Show all posts

Tuesday, February 23, 2016

Why Cook is the Apple of Privacy Advocates’ Eye

The battle between civil liberty and privacy on the one hand, and the reach of the law enforcement agencies for the (supposed) benefit of public/national security on the other, is taking interesting turns these days, especially in the digital realm. It is happening in the US right now, but something similar could soon reach Indian shores as well.

The case in point is the Federal Bureau of Investigation (FBI) asking Apple to help it force-access data on the locked iPhone of Syed Rizwan Farook, one of the two perpetrators of last December’s San Bernardino attack in which 14 people were killed (Farook and his accomplice wife were shot dead by the police on the same day; the iPhone in question is in the FBI’s possession). According to a Vox.com report, a federal magistrate in California is said to have ordered Apple to write a custom version of the iPhone software that disables key security features and install it on Farook’s iPhone in order to foil the encryption.

Apple has decided to contest the order, citing grave concerns about compromising the security and hence personal data of millions of its customers who trust the iPhone with their sensitive information. In fact CEO Tim Cook has taken the issue to its customers, posting an open letter to them on the Apple website.

“This moment calls for public discussion, and we want our customers and people around the country to understand what is at stake,” writes Cook.

From the way the use of smartphones (not just iPhones but devices based on Android and other OSes) is proliferating around the world, including India, Cook might as well have said “people around the world.” And that is why I chose to post it here on dynamicCIO so that technologists, IT leaders, vendors and other stakeholders in the fast-emerging Indian digital ecosystem could ponder over it and keep their own responses and countermeasures ready when the need arises.

Interestingly, this is happening at a politically charged time here, what with the country in the grips of a fierce debate around freedom of speech, notions of nationalism or anti-nationalism and an allegedly authoritarian regime (which is said to be capable of not only breaching individual privacy—of which there is very little in India in the first place—but also bringing the full force of the machinery at its disposal to undermine any dissenting voices; reminiscent of but not equivalent to the Emergency year).

To return to Apple and FBI, both sides are putting their points across emphatically and logically—even causing a sort of schism in the online community on who is right or wrong in this case.

Says Cook in his letter: “For many years, we have used encryption to protect our customers’ personal data because we believe it’s the only way to keep their information safe. We have even put that data out of our own reach, because we believe the contents of your iPhone are none of our business.”

Cook is highly concerned, and rightly according to several security experts quoted on the Internet in various reports, that once Apple complies with the FBI request to break the encryption on one iPhone, anyone can use that “backdoor” facility to gain unauthorized access to millions of these devices out there.

The FBI seems to understand this though it’s pressing on with its demand; FBI Director James Comey is said to have responded: “We simply want the chance, with a search warrant, to try to guess the terrorist's pass code without the phone essentially self-destructing and without it taking a decade to guess correctly. That's it. We don't want to break anyone's encryption or set a master key loose on the land.” [Source: Los Angeles Times article]

It is not fully clear from most reports (at least not to me, a non-expert in encryption) whether it is technically feasible for Apple to create an exception in the case WITHOUT compromising on the general robustness of the iPhone as far as encryption capabilities are concerned.

Not that Apple was not cooperating with the investigating authorities on the San Bernardino case or other government requests of similar nature. According to a New York Times article, enviously headlined (envious for Sundar Pichai, let’s say) “How Tim Cook, in iPhone Battle, Became a Bulwark for Digital Privacy,” Cook has been tediously cooperating with government requests (not just those from the US guv but globally) for unlocking its smartphones.

The Times writes: “Each data-extraction request was carefully vetted by Apple’s lawyers. Of those deemed legitimate, Apple in recent years required that law enforcement officials physically travel with the gadget to the company’s headquarters, where a trusted Apple engineer would work on the phones inside Faraday bags, which block wireless signals, during the process of data extraction.”

Apparently, Cook has been trying to do the fine balancing act of entertaining government requests while keeping the company’s tight grip on the security features of its product intact. But as the latest (still developing) case reveals, a time has come when “government overreach” is pushing the envelope to an unprecedented, treacherous level.

And so the debate rages on.

Do let me know what you make of it.


(Image courtesy: Apple.com. Curiously, I happened to notice that this photo of Tim Cook is uploaded by someone at Apple under the name cook_hero :)

Note: This blog post first appeared on dynamicCIO.com.


Sunday, August 16, 2015

Tackling the People Problem in Security



Security is a constantly moving target, all right. But which of these three pillars—people, process and technology—is the most vexatious issue in hitting the bull’s-eye?

Felix Mohan, one of India’s top experts on information security, addressed this question at the Delhi leg of DynamicCISO Regional Security Summit recently. (The summits are held in multiple cities in India.)

To make the point loud and clear, Mohan used a simple but powerful twin-visual. The first part showed a cube with a small hole on the front side. The revelation came in the second part, which showed a much bigger hole on the back surface (Didn’t want to say “back side”).

Now, here’s the crux: the tiny hole, which covered barely 10% of the surface area, represents security breaches because of technology gaps; the Real McCoy is the people angle to security, the 90% hole in the other side of the cube through which most incidents actually occur.

And yet, startling as it may seem, 80% of the security budget in a typical organization goes toward plugging that small, tech-related hole. Only a disproportionately small portion of the budget (20%) is allocated for addressing the people issues.

That is not to say that all those next-gen firewalls, data leak prevention tools and encryption solutions do not deserve your attention and investment. But the alarming rise of socially engineered attacks, password/identity thefts and advanced persistent threats all point to the dire need for putting people at the very core of your security strategy.

An indication of the people angle’s significance is the new acronym, PCS, coined by Gartner. In a blog post, Gartner analyst Tom Scholtz describes People-Centric Security as “a strategic approach to information security that emphasizes individual accountability and trust, and de-emphasizes restrictive, preventive security controls.”

The growing role of users in InfoSec is also highlighted in several industry studies. For one, according to the recent 2015 Black Hat Attendee Survey, 33% of respondents believe that the weakest link in today’s enterprise IT defenses is “end users who violate security policy and are too easily fooled by socially engineered attacks.”

High concern over the people problem in security even prompted one consultant, Peter Thompson, to give this intriguing headline to his article in a newsletter: “Are you patching your people?”! Thompson further quotes the famous US prez Benjamin Franklin as having once remarked: “Three may keep a secret, if two of them are dead.”

The impact of the gallows humor in Franklin’s remark (which was made way back in 1735) should not be lost on today’s CIOs and CISOs.

But far from wishing for grave consequences for people who can’t help sharing passwords with their cats and girlfriends, what today’s IT decision makers require is adoption of constant training and re-training of people in security best practices—beginning with the top management down to the last employee, even if that person is an outsourced “resource” (who, for all you know, could be a good recourse for hackers out there).

The Cisco 2015 Annual Security Report makes some interesting observations and raises relevant questions on people-related issues, among other aspects. Let me just pull out an excerpt here:

“With users becoming ever-weaker links in the security chain, enterprises have choices to make when implementing security technologies and policies: As developers try to make applications and software more intuitive and easy to use, do organizations open new loopholes for cybercriminals to exploit? Do enterprises bypass users, assuming they cannot be trusted or taught, and install stricter security controls that impede how users do their jobs? Do they take the time to educate users on why security controls are in place, and clearly explain how users play a vital role in helping the organization achieve dynamic security that supports the business?”

I don’t remember who said it but someone pointed out a very hard-hitting thing about the people problem in security at the DynamicCISO summit. It was about putting an undue burden of remembering multiple passwords, adhering to complex security policies or procedures and doing sundry other things to prevent security breaches on the poor user. As a connected, credit card-wielding (and shielding!) user, I somehow empathize strongly with that comment. And I suspect that a sizable online population would harbor similar sentiments.

The bewildering number of security procedures, the alarming number of online attacks and their ever-rising stakes, and the presence of multiple screens in a user’s life have made it virtually impossible to avoid trouble. If they are asked to do this or that, use this kind of password or that type of key, and comply with a ton of regulation, most of them would soon choose convenience over safety.

So, on the one hand, you have the need to apply multiple layers of security tools and constantly train people; and on the other, there’s the fatigue and unease felt by most users over time. This makes you wonder if there’s some sort of contradiction in terms here.

On deeper reflection, however, this contradiction gives way to a balancing act. One can perhaps say that the success of a security strategy in today’s increasingly open world would depend on finding the right balance between tools and policies, between people and processes, between training and ease-of-use…in fact, between any two constructs that look diametrically opposite at first but which must be brought together in a continuum of collaborative responsiveness.

[This blog post first appeared on DynamicCISO.com]

Saturday, July 28, 2012

How Secure Can You Be?

Security is not a destination but a constantly moving target. And the trick for solution providers and enterprises is to move faster than the ‘enemy’.

With due apologies to the uber brands of the automobile world, there are only two types of mass-market cars (considered from a certain standpoint): those that have some security products installed and those with just plain vanilla, factory-fitted locks. Then, even among the ‘secured’ ones, there’s an entire cornucopia of fitments – gear locks, ‘hockey sticks’, central locking...the works.

Nevertheless, both types of cars get stolen.

But if I were to ask you, “Which cars get stolen more often and in greater numbers?” you would promptly answer the question without consulting the stolen-vehicle investigation department.

Just as we try and secure our assets in the physical world (but often end up losing them), so it is in the more subtle realm of information flow. Companies can use the best antivirus on the market, set up advanced firewalls or configure multiple layers of authentication, but they may still not attain foolproof security.

Having said that, organizations have no option but to try as many ways to protect critical information – their life-blood in today’s competitive world – as possible. And keep at it relentlessly, because security is not a destination but a constantly moving target. The growing crop of thieves, hackers and anonymous groups lurking in the darkest corners of cyberspace are always ready to raise the bar for security vendors and solution providers by launching more and more sophisticated attacks (sometimes with alarming success).

Consider the enormity and reach of some recent security attacks. Around a year back, as many as 77 million Sony PlayStation Network accounts were hacked, resulting in a loss of millions of dollars to the company as its site went down for a month. Even the top purveyors of security like RSA and VeriSign were not immune: RSA’s parent company EMC is said to have spent over $60 million on “remediation” when a series of “spear-phishing attacks” were launched against its employees. In VeriSign’s case, there was a debate about the extent of damage resulting from unauthorized access to the company’s servers. But the point is, no one is spared when it comes to security breaches.

In the future, the problem is only going to get compounded, what with the wider adoption of social media, and trends such as Bring Your Own Device (BYOD) and enterprise mobility. Put this together with the increasing sophistication of Advanced Persistent Threats (APTs) and organized crime syndicates – and you have a recipe for disastrous breaches.

There are some in the industry who think that adopting measures such as retina scans, fingerprinting and other biometrics will stem the tide of attacks. But there are experts who dismiss such claims. For instance, Professor Steffen Schmidt, co-author of the book The Silent Crime: What You Need to Know About Identity Theft, is of the view that identity theft will only increase with technological advances.

I think we are going to have more security but never enough of it. The only thing one can be sure of is that, in the fast-moving cavalcade of security, there will be no time for applying the brakes.