Published on the 07/02/2019 | Written by Jonathan Cotton
Could there actually be a case for not digitising your data?...
It’s only a month into the new year we’ve already facing one of the biggest – if not the biggest – data breaches in history: The Collection #1 breach, with two billion rows of information coming from thousands of different sources and containing 700 million email addresses and nearly 22 million passwords recently uncovered by data breach notification portal Have I Been Pwned. (Visit the link, search for your email address and despair.)
Now a new leak – dubbed Collection #2-5 – has been discovered bringing with it a further 2.2 billion unique usernames and passwords.
Both Kiwi and Australian sites have been implicated in the breach, but it’s not just small fish sites that pose a risk for punters. In November, 52 million Google users were compromised in a data breach. In September, 50 million Facebook users. Over the holidays it was quietly revealed that part of a Victorian Government directory had been downloaded by an unknown party, exposing the details of 30,000 Victorian public servants.
It’s getting to the point where breaches such as these look less like growing pains and more like a fatal flaw at the heart of the global digitisation project. And as more devices connect – 27.1 billion networked devices by 2021 according to Cisco – things are gearing up to get worse, not better.
But could the data itself be to blame?
Some are beginning to question the wisdom of ‘digitising all the things’. Andrew Burt, chief privacy officer and legal engineer at data management platform Immuta, and Dan Geer, CIO of American not-for-profit venture capital firm In-Q-Tel propose a radical solution to the problems of the digital age: Digitise less.
“Once information is digitised, no one can fully guarantee its safety,” the pair write in a new op-ed for the HBR. “The only way to reclaim control over this environment is to more meaningfully manage what it is we digitise – in other words, to carefully decrease the pace of adoption of networked technology.”
The key, they say, is to slow down and approach digitisation itself more cautiously.
“This means slowing down the pace of adoption of networked technology with new laws and standards aimed at increasing the quality and reliability of any device with an IP address. And it means carefully preserving analogue capabilities, even as we embrace the digital.”
And the most immediate threat? Those 27.1 billion connected devices Cisco is predicting.
“The root of our cybersecurity problems is the unprecedented rate at which we’ve embraced networked devices. Buying a lightbulb? It may now be connected to the internet. A refrigerator? The same. A toilet? Soon enough. In some places, we can’t even make purchases without using network-connected credit cards or services like Apple Pay.”
It’s case of fools rush in say the researchers, as the market races to meet the market and security is sacrificed in the name of speed.
And who would be responsible for overseeing such a radical proposal. It starts with government, say the authors, as it’s governments that have the power to slow the rate of adoption by implementing new laws and standards and by ensuring that “analogue alternatives to select technologies are preserved”.
“Only then might we at least understand and gain some degree of control over our growing digital dependence.”
At a practical level lawmakers could begin by passing laws mandating that any system with network connectivity either has a specific, finite lifetime or must accept updates. (It’s estimated that around 30 percent of the 1.4 billion Android devices on the market – 409 million – can’t be patched at all).
“Even if laws are slow to enforce this mandate, companies and individuals would both be wise to let this guide their decisions,” say the researchers. “If the device they want can’t be updated and doesn’t die, it should have no place in their organisation or their home.
Secondly, software makers must be taken to task for breaches caused by sloppy code: “Liability for cybersecurity flaws must be made clear, and software makers whose code causes glitches must be held to account, just like producers of other consumer or industrial products.
“Today, most penalties for cybersecurity defects relate to either failures in reporting after breaches or to misrepresentations in a product’s terms of service. Neither contributes to safer code.”
And the time to act is now, say the researchers.
“Over the last decade, we’ve collectively chosen connectivity and convenience over security and privacy. That tradeoff need not be permanent. The choice is still ours to make.”