Security by accident - as opposed to design

I spent yesterday in meetings on Information Governance, including how to get the concepts across to political audiences. The best idea I heard was “Grand Info-Scam” in which journalists, spooks, fraudsters, blackmailers and terrorists compete to collect personal information, by whatever means, including by eavesdropping on each other.

It is as well to remember that Mulcaire’s information harvesting operation was small beer compared to that of Stephen Whittamore who was supposedly commissioned by over 300 journalists, representing most of the UK’s national press.

I do hope that the DCMS Select Committee will also look into what happened to the recommendations in the Information Commissioner’s excellent report “What Price Privacy”.

One of the few national newspapers NOT on Stephen Whittamore’s client list was the Financial Times. Alan Cane’s article in Wednesday’s FT on the scale and nature of the criminal information harvesting industry of today illustrates how the world has moved on in recent years, so that it is not only the rich and famous who are at risk.

Today our e-mails, tweets, information searches and on-line transactions are just as vulnerable as the messages stored on our answerphones or in our voicemail boxes.

Unfortunately the mobile broadband networks being planned for tomorrow, as in the Digital Britain Report, will be equally vulnerable because, unless action is taken now, they will rely on products and services (including widely used software components) that are already known to be insecure. And the same goes for subsystems being used to support most current search engines and cloud computing services.

Routines are now available to produce auditable security – but they are rarely used.

Unless we move rapidly towards the disciplines of security by design, we will be condemned to live with security by accident: secure only because of incompetence on the part of the criminals.

And as Alan Cane’s article should remind us – that is no longer a comfortable assumption.

Hence the importance of the work being undertaken by the EURIM Security by Design group, not only to show that the theory of yesterday is now becoming operational but also to secure action at the points of leverage: the planning and procurement of security back-up networks on whose functioning we will have to rely if the Olympics of 2012 come under serious cyberattack – as is supposedly happening to South Korea this week.