There is an unspoken assumption that pervades the information security industry. It is a vestige from the days when system administrators were the security staff, and the ways in which customers and organizations interacted with the Internet were markedly different from how they are now. This assumption is that the boundary that separates our network from the rest of the Internet is a boundary between the trustworthy and the untrustworthy. In here, the thinking goes, it is safe but fragile, and so we only allow those whom we trust, or those whom we cannot afford to exclude. This mentality has become a problem, though not in the way that you might think.
This is, obviously, not to say that we should trust all users on the Internet and invite them onto our networks with no caveats. In fact, the growing trend is the reverse: the zero-trust model. It makes sense, particularly in light of the increasingly fragmented and convoluted understanding of what a perimeter even is. We do not need to reverse our assessment of the public's trustworthiness; because of the behavior of a small proportion of its members, the public has already been shown to be untrustworthy. The problem is that so have we, and the public is increasingly aware of it.
We Are the Medium of Data Exfiltration
In the last few years, a malicious actor has become far more likely to exfiltrate a given individual's PII from a large enterprise than from that individual's home devices. This is not to say that a home network is any more secure, because it is not, but it houses data of minimal value. Cyberwarfare and digital propaganda aside, hacking has become a business, and like most businesses, it seeks increased profits through economies of scale. This means that the bigger the org and the more global its footprint, the more data there is and the richer the payoff. Since the difficulty of managing risk at large enterprises tends to rise more quickly than their security budgets, the probability that an individual's data will eventually be leaked by one of the big enterprises they patronize approaches one over time. For more than half of the population of the United States, it has already happened, between the Facebook and Equifax breaches of the last two years.
In other words, right or wrong, we—the enterprises—are not worthy of trust. Even though we are not the malicious actors, our networks have become the vehicle, the medium, of data exfiltration. In lieu of finding the perpetrators, the public is increasingly doing the same thing that we do when we find something dodgy on our networks: they are managing risk and cutting us out. As security practitioners and network architects, we need to realize that the public is coming to distrust our organizations as much as we distrust the public.
This distrust has, so far, manifested in two linked phenomena. One is the advent, after many false starts, of privacy legislation with real teeth, in the form of GDPR and the California Consumer Privacy Act of 2018.[1] While there is obviously much discussion within the information security world about the efficacy and burden of these laws, there is no question that they have changed the landscape with regard to responsibility and enforcement.
The other phenomenon is that reputational risk has finally come of age. Reputational risk is something that risk-oriented security practitioners have been discussing for years, but it always felt intangible because it is even more difficult to quantify than other kinds of risk. After all, who can say whether a drop in sales is attributable to bad press when it seems like the public is not that interested in privacy anyway?
Reputational risk is still difficult to quantify in terms of dollars, but it seems to have cost Mark Zuckerberg quite a lot. In 2016 he was being discussed as a future presidential candidate. By the end of 2018, he had lost the goodwill of at least a billion people, his legitimacy as a leader,[2] and potentially, the legal footing on which his business is partially based.[3]
In other words, the public is increasingly aware that we represent a greater threat to them than they represent to us. The fact that the actual malicious actors come in through the same door as the customers is immaterial to them. The upshot is that security practitioners and network architects need to rethink our trust model to reflect the emerging shift in power. This has two aspects.
The Public Will Become the Ultimate Auditor
One aspect is to not merely assess risk and emplace controls, not merely do our jobs, but to work more to display the performance of our jobs. This is akin to the difference between security and compliance. If compliance is based on producing evidence to document the consistent and thorough performance of security over time, then we must begin to think of the public as the ultimate auditor. The cost of an audit failure will be to lose customers, and for organizations whose customer base is all of society, the costs of a failure will become critical in magnitude. For publicly traded companies, for which even a small dip in revenue can produce enormous changes in the value of the company, even small breaches will eventually bring down powerful leaders.
Security Must Lighten Its UX Burden
The other aspect is to reduce the burden of security on the public from a user experience perspective. Over the last eight years or so, we have gradually come to ask more and more of the public in terms of managing their own security. Our password requirements have become more and more stringent. We implement onerous multi-factor authentication on more and more systems. We demand that the user prove that they aren't a robot. Some of us also use that demonstration of humanity as labor to build future products for free.[4] For a while, people put up with it, even kind of enjoyed it, in a sort of dystopian prepper kind of way. That time is rapidly coming to an end. Security must stop placing the burden of trust on the user.
While it might appear that these two tactics (publicly demonstrating security and lightening security UX) are in opposition, the question really boils down to who is doing the work. This in turn boils down to the outdated assumption that the burden of proof of trust is still on the public. When the Internet was a glitchy system on the fringes that needed a special kind of sorcery to run, and both threats and assets had a different character, the old trust boundary made sense. Now, the Internet has become a critical component of all business (and military) operations and a putative human right.[5] (F5 Labs’ Sara Boddy has echoed the US government in referring to it as the “Fifth Dimension.”)[6] The novelty has started to wear off, and we need to change our thinking to adapt. 2018 showed that the public (and the lawmakers who ostensibly represent it) has had enough of the distrust. Those of us who can update our trust models will thrive, and those of us who cannot will struggle to survive.