Bruce Schneier’s blog highlights reports of an alleged recent break-in by hackers to a Virginia state website used by pharmacists to track prescription drug abuse. The hackers are reported to have deleted records on more than 8 million patients and replaced the site’s homepage with a ransom note demanding $10 million for the return of the records. Interestingly, the back-ups are reported to have gone missing too. If that is true, the victim has no trusted copy against which to establish what was taken or altered, which is the real sting in this story.
We can expect to see more of this type of incident. I’ve been pointing out for some years that security is about to enter a new phase. In fact it’s the third and arguably the most significant phase of information security. I call it the “age of integrity”. If you take a step back and consider those three pillars of information security – confidentiality, integrity and availability – you might notice that at any one time they don’t have equal visibility. Consequently they don’t receive the same degree of attention. In fact, there’s a historical pattern to this, and it affects both the problem space and the solution space.
Availability is the first thing people notice. Fallback and back-up were the focus of most commercial security functions back in the 1970s and 1980s. Only national security and retail banking organisations cared about confidentiality. Business continuity was the big thing when e-Business took off in the late 1990s. By the turn of the century, denial-of-service attacks were the most worrying threat to online services. But availability is easy to address; expensive perhaps, but easy just the same. You can quickly bring services back after an outage, provided you still hold an intact copy of the data. You may have lost some business, but there’s little permanent damage.
Confidentiality is the second strand that security managers address. Ten years ago, you couldn’t sell laptop encryption. Now everyone’s buying it. People have been stealing and losing laptops for years, but we’ve only just become paranoid about it, even though a loss of confidentiality is much scarier than a service outage. Even a single data breach can cause massive reputation damage, generating citizen outrage on an unprecedented scale.
Now consider a loss of integrity. It’s the last thing that security managers think about, but by far the scariest. Whether the cause is deliberate or accidental, it undermines business confidence. In the most extreme cases it can permanently reduce the value of the data and business services. But even small amounts of damage can be hard to recover from, especially if you don’t know the extent of the damage. Unlike an outage, an integrity failure is usually silent: nothing stops working, so unless you hold a trusted reference (a back-up or checksums kept well out of the attacker’s reach) you cannot even say which records were deleted or changed. And we’re all vulnerable to this risk.
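As an added illustration of that last point (this is example code written for this post, not anything from the Virginia site or from Schneier’s piece), here is the kind of integrity manifest that lets you answer “which records were touched?” after an incident. The record layout, the sample records and the key are all invented; the assumption that matters is that the HMAC key and the manifest are stored away from the database host, with whoever holds the back-ups, so an intruder who owns the server cannot simply recompute the tags to cover their tracks.

```python
import hashlib
import hmac
import json

# Constructed sample data: a handful of prescription-monitoring style records
# keyed by record id. Invented for this example, not real data.
RECORDS_BEFORE = {
    "rx-1001": {"patient": "P-001", "drug": "oxycodone", "qty": 30, "dispensed": "2009-04-20"},
    "rx-1002": {"patient": "P-002", "drug": "hydrocodone", "qty": 60, "dispensed": "2009-04-21"},
    "rx-1003": {"patient": "P-003", "drug": "alprazolam", "qty": 30, "dispensed": "2009-04-21"},
    "rx-1004": {"patient": "P-001", "drug": "oxycodone", "qty": 30, "dispensed": "2009-04-28"},
}

# The same table after a hypothetical incident: one record deleted, one quietly
# altered (quantity changed), one unknown record inserted.
RECORDS_AFTER = {
    "rx-1001": RECORDS_BEFORE["rx-1001"],
    "rx-1002": {"patient": "P-002", "drug": "hydrocodone", "qty": 600, "dispensed": "2009-04-21"},
    "rx-1004": RECORDS_BEFORE["rx-1004"],
    "rx-9999": {"patient": "P-777", "drug": "oxycodone", "qty": 90, "dispensed": "2009-04-30"},
}

# Assumed: this key is held with the manifest, off the database host (for
# example by the back-up custodian). A placeholder value for the example.
MANIFEST_KEY = b"example-key-kept-off-the-db-host"


def canonical(record):
    """Deterministic byte encoding so the same record always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def tag(key, rid, record):
    """Keyed hash over record id + content. Binding the id stops a valid
    record being copied into another id's slot unnoticed."""
    msg = rid.encode("utf-8") + b"\x00" + canonical(record)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_manifest(records, key):
    """Per-record tags plus a root tag over the whole manifest, so that
    removing an entry from the manifest itself is also detectable."""
    entries = {rid: tag(key, rid, rec) for rid, rec in records.items()}
    root = hmac.new(key, canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "root": root}


def verify(records, manifest, key):
    """Compare a live (or restored) record set against the manifest and report
    exactly which records were deleted, modified or added, plus whether the
    manifest itself is still intact."""
    entries = manifest["entries"]
    expected_root = hmac.new(key, canonical(entries), hashlib.sha256).hexdigest()
    manifest_ok = hmac.compare_digest(expected_root, manifest["root"])

    deleted = sorted(rid for rid in entries if rid not in records)
    added = sorted(rid for rid in records if rid not in entries)
    modified = sorted(
        rid for rid in records
        if rid in entries and not hmac.compare_digest(tag(key, rid, records[rid]), entries[rid])
    )
    intact = sorted(rid for rid in records if rid in entries and rid not in modified)
    return {
        "manifest_ok": manifest_ok,
        "deleted": deleted,
        "modified": modified,
        "added": added,
        "intact": intact,
    }


if __name__ == "__main__":
    manifest = build_manifest(RECORDS_BEFORE, MANIFEST_KEY)
    report = verify(RECORDS_AFTER, manifest, MANIFEST_KEY)
    for name, value in report.items():
        print(f"{name}: {value}")
```

Run against the sample data it reports rx-1003 deleted, rx-1002 modified, rx-9999 added and the rest intact, which is precisely the "extent of the damage" question. The root tag matters as much as the per-record tags: an attacker who can delete records and back-ups can also delete manifest lines, and only a tag over the whole manifest turns that into a detectable event rather than a quietly shrunken table.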
In fact data integrity is where confidentiality was five years ago. It will take a few more years to emerge as by far the biggest threat to future business. But it will arrive with a vengeance. Just as confidentiality was not taken seriously prior to the TK Maxx and HMRC data breaches, so data integrity will not be addressed until a big incident highlights the danger. It’s a ticking time-bomb waiting to explode.