Considering the opinion of Martha Lane Fox who has called upon the UK to lead the way by setting up neutral, independent body to ensure that ‘privacy’, ‘security’ and ‘trust’ are maintained on the internet would seem to be a considerable expectation which, when conjoined represent a very big ask indeed, as when aggregated these objectives may be in conflict.
In 2015 it may be asserted that cyber-criminals are well ahead of the curve, and it may be accepted that the levels of successful compromises, and unauthorised incursions are running at an all-time high – so when we look to the subject of ‘security’ I am fully supportive of such a mission – and not withstanding the UK, the US, or for that any other country who would care to take up this banner, I am right behind them with support. However, when we discuss security in the context of the Internet, we must keep an open mind as to what falls within that conversations. Are we talking about security of communications, or the way organisations run their operations? Are we talking about the opportunities for extremists to use this globally connected resource to operate under the guise of a secured DarkNet? And above all, are we looking at the wider agenda of the electronic frontier which may also pose the potential to underpin operations which could affect lives? Thus it is very important to appreciate the scope of the mission prior to setting course on what could be an impossible venture, which will only, once again represent the product of lip-service, looking like it is serving a purpose, whilst failing to deliver.
It is the balance between ‘Privacy’ and ‘Trust’ where the real challenge exists when placed in close proximity of Security, as they can become very uncomfortable bedfellows indeed. For example if we are seek to set the objective of security, then we must anticipate that there will be levels of conflict with the element of privacy, as in the year 2015 we live in a very different place, with levels of criminality utilising the Internet for the successful pursuit of their nefarious activities, ranging from running scams, on-line child abuse and the distribution of paedophilia, right up to that of supporting extremism. Thus by inference dictates that if these, in particular the latter, will require an offset when it comes to the human right of privacy, and that of security. And so like it or not, there must be an acceptance that those in the world of Security Agencies, and Law Enforcement must be empowered with the underpin to both investigate, and to have the ability of a Minority Style [Pre-Crime] role to detect, and respond to serious threats before they occur – e.g. A bomb on public transport, the killing of an off duty solider, or some other such serious event with real-world life implications and consequence.
There is however another area which tends to get overlooked in the great debate of ‘Privacy’ and ‘Security’, and that is in relation to the commercial world who today hold so much of our personal and valuable information. And in this same debate, the public do need to recognise that the high value of such data now represents a valuable trading commodity, which has seen a growth in the levels of legal data sharing in the form of commercial exfiltration-for-profit, which in the majority of cases has been agreed by the end user under the acceptance of terms and conditions for their established contract.
To seek real-world solutions, it is in the area of the commercial data access, and retentions which I believe is one of the most needy places to look at is security, for it can be these very custodians who serve up the greatest threat though lacklustre defences. For instance, I am aware of multiples of security compromises of organisations who have lost complete data sets of end user records, including banking credentials which were not reported under the expectations of the Data Protection Law, let alone that of the expectations of Payment Card Security leaving the end user unknowingly exposed!
Here the ultimate conclusion is recognition of the levels insecurity which exists on the Internet today, exposing those organisations and individuals who utilise it for business or personal use. Furthermore it should be appreciated that we can’t have every demand catered for without an acceptable balance between that of security and privacy to accommodate the ultimate end-goal to protect society. And last but not least, the public should demand that security is an expectation of those who store and process our data and expect its complete protection, and assert that that those who hold such data do more to secure such custodianship – and to do the right thing when it has been breached. Remember, to be proactive serves up more value that responding after the fact.
It is not just a case of setting up yet another expensive quango which will most likely be over compensated with the likes of big name consultancies, but more a case of getting the personal and corporate mind-set in the right place. Why not consider investment in a public campaign to educate the public and SME to the threat from Cyber – to be proactive is a high value activity, but to be smart after the fact would seem to be only addressing the horse that has bolted. In other words, less talk, and more action.