In a recent Harvard University paper titled DON'T PANIC. Making Progress on the "Going Dark" Debate, a group of...
tech and security experts refuted many of the government's claims about encrypted data. As with the recent Apple-FBI standoff, government officials are concerned because, without access to communications, they fear they may not be able to investigate and prosecute criminal activity and, of course, prevent terrorist attacks. The authors of the paper called attention to something else that gave them concern: network sensors. Specifically, the paper claims that a "plethora of network sensors" have been embedded in technology systems, consumer electronics and wireless-enabled appliances, and these sensors could be used by the government for surveillance -- essentially negating any concerns about networks "going dark."
In terms of network security, what does the presence of these network sensors mean for the enterprise. Who else can use them, and what business risks do they create? First off, we have to look at what exactly these network sensors are. The sensors fall under the growing category known as the Internet of Things (IoT), which includes certain televisions, videoconferencing systems and appliances often found in businesses, as well as consumer-centric gadgets. These devices are chock-full of microphones, cameras, fingerprint readers and various sensors that gather, store and analyze everyone's every move, including inside today's connected automobiles. It might not seem so bad to have such technology ingrained in the typical business environment -- after all, in a legitimate business where people are on the up and up, what's there to hide? That's a dangerous, yet prevalent, mindset throughout society which has facilitated government spying up to this point and it's not likely to get better.
Network sensors post significant risk for the enterprises. Think of all the private corporate information, trade secrets and know-how that can be collected by government agencies. That's bad enough. But turn it around and think about criminal hackers accessing that same information via the same means and using it against your enterprise. Then there are questions about IoT and cloud vendors themselves. What do they have access to? How are they going to use that information for their own gain -- and potentially your loss? Even if certain systems cannot be monitored in real time, which is something the paper touches on, what information is being captured and sent off the cloud or otherwise made accessible to third parties at a later time? Will government agencies go beyond what they've already done and further compel IoT and cloud service providers to facilitate backdoor access and monitoring? Will the vendors self-regulate or capitalize? The reality is, no one really knows.
If enterprise IT and security teams are going to keep third parties from exploiting information from such network sensors, it's going to require some work. How will you know where your weaknesses are? What needs to be addressed from a security policy perspective? What can you do technically to minimize the risks? It all goes back to knowing your network. Having control of what's installed by your team -- and others outside of IT and information security, including corporate security and other shadow IT entities. It's also about being savvy in understanding what your devices are sending out to the Internet. Most environments allow all traffic out of the network. Therein lies the problem. Can that traffic be blocked? How? What will break as a result? Is it all worth the efforts required? What's needed is a cloud access security broker for IoT-enabled devices.
SearchSecurity talks with Tenable co-founder Ron Gula about the Internet of Things and how enterprises can secure all these connected devices and IT assets.
Will government bureaucrats and the spies they support eventually get their way? It's highly possible, seeing how the federal government operates as of late. Perhaps networks will become as open as the World Wide Web in terms of business intelligence and revenue streams -- sort of like the next generation big data analytics that tracks network behaviors. It's clear that the proliferation of network sensors, individual privacy and enterprise security will evolve. The question is how they will evolve; I'm confident that savvy security researchers and the professionals that utilize their technologies will do what they can to keep things in check. Still, what looms ahead is an even Bigger Brother in the making that ultimately impacts the corporate world.
If a precedent of not going dark in order to facilitate government spying for the greater good is set among businesses, then we essentially leave our networks open to anyone doing anything anytime. This creates an ironic side-effect of not being able to meet the very privacy and security compliance regulations that these bureaucrats push on most businesses. It's unclear how these issues will play out in the courts. For those who believe IT and information security skills aren't in demand, or their jobs are at risk, I think this issue alone turns any such concerns on their heads.
Read more about whether end-to-end encryption poses a public safety risk
Find out if encryption commission legislation can solve going dark problem
Learn about former CIA and NSA director General Michael Hayden's support for strong encryption