We need to speed up security

I’m finally back blogging after a delightful summer break. Surprisingly, not a lot has changed in the cyber security world. Big security breaches have been surprisingly thin on the ground. And most have resulted from predictable human failings or greed, rather than technical weaknesses. There have been few recent reports of dangerous APTs, except perhaps for an inevitable attack on Apple users, many of whom may have naively assumed they were immune from such threats.

Anyone who understands the motives of attackers and the vulnerability of our critical infrastructure will know that professional attacks have not gone away. They are just much harder to detect. There is clearly much more to come, especially given a steeply increasing terrorist threat.

I sense however that we are some years from a major disaster, though I expect it will occur well before we are able to implement effective countermeasures. That’s because the most significant failing of the security community is in responding quickly to new threats. There are one or two exceptions of course, generally in areas where business sets stretch targets for security developers.

The mobile world is one such area. A few days ago I attended the excellent, annual exhibition at the Royal Holloway University Smart Card Centre. There were some first-class presentations, especially the talk by Dr. Klaus Vedder, a real expert in this field, who convinced me that mobile devices are the focus of the fastest-moving developments in cyber security. Product developers race to bring new technologies to market in record time. And they need to be sufficiently secure for the marketplace.

In sharp contrast, the presentations on government cryptographic development reflected a legacy of lethargy, underpinned by outrageous demands from a bygone age. New products require a minimum five-year time scale, and must be designed to be secure for 20 years and to protect data for 30 years. Such assumptions reflect an absence of business pressure for stretch targets.

Security processes are slow because nobody in business cares sufficiently to whip them into shape. Society should demand better than this to safeguard our critical intellectual assets.