This is Part 2 of my coverage of the White House #CyberSecuritySummit; see Part 1 here.
On Feb 13th, at President Obahama's request, a good number of the upper echelon of Internet experts gathered at Stanford University in Silicon Valley to work out what to do next about cybersecurity and consumer protection online. The Cyber Security Summit was put together around Obama's signing a new Executive Order to create new cyber threat information sharing hubs and standards to foster sharing while protecting privacy, and it was meant to maintain the momentum of his cybersecurity and privacy legislative program.
The main session of the summit traversed very few technical security issues. The dominant theme was intelligence sharing: how can business and government share what they know in real time about vulnerabilities and emerging cyber attacks? Just a couple of speakers made good points about preventative measures. Intel President Renee James highlighted the importance of a "baseline of computing security"; MasterCard CEO Ajay Banga was eloquent on how innovation can thrive in a safety-oriented regulated environment like road infrastructure and road rules. So apart from these few deviations, the summit had a distinct military intelligence vibe, in keeping with the cyber warfare trope beloved by politicians.
On the one hand, it would be naive to expect such an event to make actual progress. And I don't mind a political showcase if it secures the commitment of influencers and builds awareness. But on the other hand, the root causes of our cybersecurity dilemma have been well known for years, and this esteemed gathering seemed oblivious to them.
Where's the serious talk of preventing cyber security problems? Where is the attention to making e-business platforms and digital economy infostructure more robust?
Personal Information today is like nitroglycerin - it has to be handled with the utmost care, lest it blow up in your face. So we have the elaborate and brittle measures of PCI-DSS or the HIPAA security rules, rendered useless by the slightest operational slip-up.
How about rendering personal information safer online, so it cannot be stolen, co-opted, modified and replayed? If stolen information couldn't be used by identity thieves with impunity, we would neutralise the bulk of today's cybercrime. This is how EMV Chip & PIN payment security works. Personal data and purchase details are combined in a secure chip and digitally signed under the customer's control, to prove to the merchant that the transaction was genuine. The signed transaction data cannot be hacked; stolen identity data is useless to a thief if they don't control the chip; a stolen chip is only good for single transactions (and only if the PIN is stolen as well) rather than the mass fraud perpetrated after raiding large databases.
It's obvious (isn't it?) that we need to do something radically different before the Internet of Things turns into a digital cesspool. The good news for privacy and security in ubiquitous computing is that most smart devices can come with Secure Elements and built-in digital signature capability, so that all the data they broadcast can be given pedigree. We should be able to know tell for sure that every piece of information flowing in the IoT has come from a genuine device, with definite attributes, operating with the consent of its owner.
The technical building blocks for a properly secure IoT are at hand. Machine-to-Machine (M2M) identity modules (MIMs) and Trusted Execution Environments (TEEs) provide safe key storage and cryptographic functionality. The FIDO Alliance protocols leverage this embedded hardware and enable personal attributes to be exchanged reliably. Only a couple of years ago, Vint Cerf in an RSA Conference keynote speculated that ubiquitous public key cryptography would play a critical role in the Internet of Things, but he didn't know how exactly.
In fact, we have have known what to do with this technology for years.
At the close of the Cyber Security Summit, President Obama signed his Executive Order -- in ink. The irony of using a pen to sign a cybersecurity order seemed lost on all concerned. And it is truly tragic.
In 1998, Bill Clinton and his Irish counterpart Bertie Ahern signed an US-Ireland communique on e-commerce. At that time, the presidents used smartcards. Then in 2003 -- still early days -- Bill Gates espoused the importance of chip technology for authentication. Within weeks, several notebook computers were released with integrated smartcard readers, but service providers chose not to use the stronger security options. Instead of leading a new wave of decent security, banks and governments muddled through with passwords and then password generators or text messages. Mainstream e-business missed a huge opportunity through the 2000s to embed smart authentication in the day-to-day user experience.
We probably wouldn't need a cybersecurity summit in 2015 if serious transaction security had been built into the cyber infrastructure over a decade ago.