This piece originally ran in DARKReading
Current headlines remind us that security matters, in all of its forms. Top of mind for those of us in the cybersecurity community is whether critical infrastructure functions, defense forces can communicate, citizens are accessing truthful information, and the technology underpinnings of economic and national security can be trusted and are available.
The past 30 years in cybersecurity have been characterized by two opposing forces. On the one hand, there’s the desire to drive security and innovation into the information infrastructure. On the other, there’s the hunt to find vulnerabilities and exploit them for criminal activity or national interest.
Along the way, we have developed principles and some rules, and tried to nudge people toward adopting best practices. These include: We should bake security into the product at the start; security is about people, process, and technology; the advantage is with the offense; architect defense in depth; use a systems engineering approach to security; and companies should compete on security and privacy.
Thankfully, we have made progress on addressing many of these. Each of these is animated by several facts — the information infrastructure is global; commercial products are built once and sold globally; the same commercial product is used by consumers, critical infrastructure, governments, and the military; and cyber laws, regulations, and public-private partnerships have real and global effects.
In addition to the now-usual plethora of proposals to improve the state of cybersecurity, several policy proposals involving competition and affecting security are under consideration. As both a former cybersecurity executive and a former chief of staff of the Antitrust Division of the Department of Justice, I have been paying close attention to these competition policy proposals.
As an antitruster, I’m glad to see a focus on competition, which is critical to the economy. As a security professional, I am concerned about the unintended consequences of some portions of these legislative policy proposals. A number of competition policy proposals would force mobile phone producers to allow the downloading of unvetted mobile phone applications onto a device. That could include apps filled with malware, designed to obtain and use information about you without your permission, to spy on you, to steal your banking information, or to turn your phone into a brick.
Allowing apps that have not been vetted by the phone’s official app stores would circumvent the effective technical and human app store security and privacy checks now in place to keep consumers, critical infrastructure, and governments safe. Official app stores reject over a million apps a year and have meaningful security and privacy checks and requirements. With 85% of Americans using smartphones, the documented security benefits of only downloading from an official app store (as indicated by the DHS, NSA, NIST, GSA, and cyber agencies globally), and the rising wave of exploits of devices that allow this “sideloading” of apps, the unintended adverse security consequence of this policy, if enacted, is predictable, critical, and avoidable. Whatever competition policy goals one might be trying to achieve should be achieved without undermining global security.
Things Shouldn’t Be So Hard
I’ve long said that you shouldn’t have to be a chief information security officer to use technology; it should just be secure. These days, more than 75% of security incidents arise from social engineering or a human factor — we are tricked into clicking on a link we shouldn’t, or sending information we shouldn’t, or changing a setting to let the bad guy in. Given we are human, denying untrustworthy apps the right to live on our devices in the first place makes sense. Because of today’s bad actors, you can’t just toggle security on and off — experience shows us the bad guys will indeed find a way to trick you into turning security off (for example, in the recent FluBot and FakeSpy criminal campaigns). Companies should not be forced to lower the level of their security.
Given the government’s interest in a secure information infrastructure, it is incumbent on the national security agencies to share their expertise with policymakers on these issues. This is particularly true in this situation, where companies are actually doing what we all asked them to do: compete on security and privacy. These are not trivial issues, and given that these products are used in consumer, critical infrastructure, and military networks, they affect both economic and national security.
So, in times such as these, I hope that we take the time to apply the requisite “security screen” to all policy proposals. Dig into the technical, practical, and real-world market and security effects, and ensure we avoid any unintended consequences — vital security is at stake.