Posted by: Michael Morisy
Amazon, Google, Privacy, RSA, RSA 2012, Security
The biggest threat to Internet freedom isn’t traditional “bad guys” like cyberterrorists and hacking groups, says Bruce Schneier, security researcher and author, but the slow, creeping advances of Big Data companies like Google and Amazon that are quietly rewriting the fundamentals of how security is managed.
Schneier explained his fears to a packed room at RSA 2012, outlining how he saw individuals, companies and governments effectively outsourcing security to cloud providers, abdicating ultimate control in exchange for convenience and cost savings.
The result is a state of “security serfdom” where fealty is pledged to one of a few centralized data gatekeepers who promise and deliver great benefits – but upon whom the user becomes completely reliant for basic security. Apple’s legion of adoring gadget geeks and people who live the “Google lifestyle” through Gmail, Google Voice and more now rely on those companies to make critical security decisions for them.
It’s not an altogether negative trend, particularly since “average users” historically do the bare minimum of backup, encryption and other information-security hygiene, but it does create a more monolithic landscape that is likely to get harder and harder to opt out of.
“There’s a war on general purpose computing, because companies realize they gave up too much control,” said Schneier.
Battle lines are drawn
He said these companies are now working hard to take that control back. Big Data, in the form of companies like Google, Choicepoint and major ISPs, requires almost unfettered access to user data in order to optimize, package and sell analytics and advertising, and so these companies have been building products that require that access from day zero.
Meanwhile, law enforcement agencies have been pushing through what Schneier categorized as “ill-conceived legislation” that would endanger the freedom and security of the Internet while doing little or nothing to prevent true threats.
The result is a fast-coming future where data and even device ownership is a grey area: Kindle Fires, iPhones and even many “open” Android devices all severely limit root access, which inevitably limits how secure their owners can make them.
“If you pledge your allegiance to Google, they will protect you … as long as they protect you,” he said, explaining that while outsourcing to cloud providers takes away a lot of the traditional security headaches, it means leaving your security in the hands of a corporation whose security policies you cannot control – or sometimes even know.
But we like being oppressed!
Video: http://www.youtube.com/v/JvKIWjnEPNY
There are benefits to this approach, not only for the “feudal lords” controlling the security ecosystem but also for the serfs.
“If you’re the general person, it’s probably better for you, because you’re doing a lousy job,” Schneier said. “Like with Flickr: Now you don’t have to back up your own photos.”
Even enterprises, which have traditionally held to stricter security standards, are finding the allure of serfdom hard to pass up.
“The economic benefits of outsourcing are really great,” Schneier said.
But the big-picture impact is a little more mixed, particularly when it comes to the effect the feudal model has on actual security.
“For attackers, it’s more or less the same that it’s ever been,” Schneier said.
Higher walls but bigger payoffs
With more companies and individuals outsourcing their security decisions and implementations to Facebook, Google, Amazon and Microsoft, these companies become increasingly valuable targets for attackers. The consolidation also fundamentally changes the landscape for attackers: It used to be that, for most people, simply being more secure than the next target was protection enough.
Just as a car thief will pass by a well-alarmed car with a Club on it in favor of a less defended vehicle, users who took basic precautions could generally defend themselves from most untargeted attacks. With monolithic security systems, however, one successful attack against the provider can compromise thousands of accounts at once.
Those payoffs will only become more valuable over time.
“Some of these companies are going to become banks,” Schneier said, pointing to Google Wallet. “Fully expect some of them to become everything.”
Consolidation, meet regulation
What really worries Schneier, he said, is what happens as these consolidated security lords face more and more regulation, which will almost inevitably negatively impact security.
For example, data retention laws.
“The best way to secure data is to delete it,” Schneier said. But around the world, countries are passing laws requiring data be kept for 30, 60, 90 days or more, making users more vulnerable both to government surveillance and to unnecessary exposure to unauthorized access by internal and external attackers.
“I really worry at some point we will be forced to design an Internet kill switch,” he said. “And then I’d have to design it to make sure only the president could push it – I don’t trust myself to build that.”
There is hope, however: Schneier said that SOPA and PIPA were successfully fought off with the help (and lobbyists) of Big Data companies like Google, and there’s a winning track record of fighting bad Internet legislation.
He said the Internet’s “lack of regulation” stood as a testament to that, but that vigilance was needed.
“Here is my challenge to you: Get involved at layers 8 and 9, the economic layer and the political layer,” Schneier said. “Common sense does not have a lobby.”