March 31, 2016 By Rick M Robinson 2 min read

Privacy and Hackable Devices

Controversy over law enforcement unlocking smartphones has the power to capture broad public attention. But for the information security community and anyone interested in data security, the truly interesting story in these cases is the underlying one.

This story is not about individual companies or government agencies, but instead the overall state of play in information security and where we are going. What does it mean to talk about the security of backbone structures such as operating systems when these systems are inherently hackable? Who determines their security? How is it assessed? Does the very process of security assessment introduce vulnerability risks?

However privacy and security disputes are finally resolved, the security community will continue to face some fundamental challenges.

Security Design and the Inside Risks

The general principles of good application security design are well-understood, with best practices being widely promulgated if not always applied. These apply not just to ordinary applications, but also to fundamental backbone structures such as operating systems.

At the heart of these best practices is building in security from the outset rather than bolting it on. But how do you know if the job has actually been done correctly? The only way to know is to perform a security assessment or audit, examining and testing the security features.

But whenever you bring in an auditor or review team, you are giving more human eyeballs access to security features. Every new set of eyes constitutes an added risk. As Dennis McCafferty noted at CIO Insight, professionals now rate social engineering and insider threats at the very top of the threat hierarchy, which makes the review process itself a major risk.

From Road Maps to Back Doors

A backdoor controversy with respect to government agencies is really just one specific instance of this general principle. To have a road map to a system — which a security assessment team must have to do its job — is to know that it is hackable, how its defenses are put together and how those defenses might be circumvented.

Put another way, any system complex enough to be useful is potentially hackable. No formal back door is needed; just sufficient detailed knowledge of the application and how it works.

Even more to the point, at a basic level, it does not matter whether a security assessment team comes in from outside (such as a government agency or an audit service) or is assigned in-house. On the one hand, the additional eyeballs are needed to assess and confirm security. On the other hand, those eyeballs become a potential security threat.

In the end, there is no purely technical solution to this problem. So long as computers are being designed and used by human beings, the human factor will continue to be the most crucial element of their security. The issues of identity and access will continue to pose a challenge for information security leaders.

More from Government

CIRCIA feedback update: Critical infrastructure providers weigh in on NPRM

3 min read - In 2022, the Cyber Incident for Reporting Critical Infrastructure Act (CIRCIA) went into effect. According to Secretary of Homeland Security Alejandro N. Mayorkas, "CIRCIA enhances our ability to spot trends, render assistance to victims of cyber incidents and quickly share information with other potential victims, driving cyber risk reduction across all critical infrastructure sectors."While the law itself is on the books, the reporting requirements for covered entities won't come into force until CISA completes its rulemaking process. As part of…

Important details about CIRCIA ransomware reporting

4 min read - In March 2022, the Biden Administration signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). This landmark legislation tasks the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments.The CIRCIA incident reports are meant to enable CISA to:Rapidly deploy resources and render assistance to victims suffering attacksAnalyze incoming reporting across sectors to spot trendsQuickly share information with network defenders to warn other…

Unpacking the NIST cybersecurity framework 2.0

4 min read - The NIST cybersecurity framework (CSF) helps organizations improve risk management using common language that focuses on business drivers to enhance cybersecurity.NIST CSF 1.0 was released in February 2014, and version 1.1 in April 2018. In February 2024, NIST released its newest CSF iteration: 2.0. The journey to CSF 2.0 began with a request for information (RFI) in February 2022. Over the next two years, NIST engaged the cybersecurity community through analysis, workshops, comments and draft revision to refine existing standards…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today