Information security (InfoSec) is a very static yet dynamic field of study. One thing that is important to understand about information security is that it transforms over time, but the underlying concept always remains the same: to protect information or data (bits) from unauthorized access. This is only the underlying concept of information security; there are many other parts to it. Several decades ago InfoSec was all about how secure a lock you had on your physical data room. These days it has transformed quite a bit. Today we have the Internet: a large network of interconnected routers. With the Internet come great challenges to the InfoSec world. In the growing dynamics of the interconnected Internet as we know it, we are continuously losing our security, privacy, and dignity; the challenging part to understand is that most of us don’t even know it.
In ~50 ms or so you can transmit data to a remote server all the way around the world, passing through dozens of routers in the process and leaving a trail everywhere you go. 90% of people don’t even think about this. They do not know or even care whether they leave a trail behind, or whether their data is being transmitted securely. This is a problem, not because of third-party hackers but because of the “bigger fish” out there. Let me tell you that the 15-year-old living in his parents’ basement down the street who thinks he is a “hacker” is not the one you need to waste your time worrying about. You need to be concerned with the nation states that have billions of dollars backing them; these are the “bigger fish” in the sea.
Whenever I talk to people about this subject and get into nation states, most people look the other way, assuming that I am just some paranoid person. Let me just say: “Yes, I am!” However, so is everyone who has seen the truth and believes it. This is because the truth is beyond what most people can comprehend. People don’t understand how the surveillance technology works; therefore they do not believe it. Consequently, they put themselves in denial.
Everybody assumes that the person who is going to “hack” into their email account, computer, phone, etc. is going to be some single hacker working alone with the goal of stealing their information and causing havoc. For most people this is the case, but before you dismiss my paranoid talk, please consider this: Could the very basis of the infrastructure that you are using be compromised? Could your device’s kernel be so infiltrated that it is that way by design? Did you deploy the infrastructure that you rely on daily? Did you actually write the code of the kernel for the operating system that you are using? For most people the answer to these questions is “No”. InfoSec professionals have it very difficult. For them to be even somewhat confident that their systems are secure, they need to know literally everything about that system, all the way from the bare hardware level to the top software level, from the lowest-level language to the highest.
I am going to switch gears a bit and talk about who we need to secure our data from. The obvious goal is to secure our data from everyone who should not have access, but let’s think about who in that group of people we really need to worry about. Most average people are worried about small-time hackers who are trying to gain access to social security numbers, bank account numbers, etc. Businesses are worried about somewhat larger groups of hackers who are after financial records, sensitive and private business information, etc. And the most paranoid of all see the reality of the situation and know that the so-called “Internet” that we think we know and love nowadays is nothing but a fishing pool filled with many fish starving to death in crystal clear waters. Whether you believe it or not, the biggest hackers of them all are the nation states: not only the United States but everyone involved with Five Eyes (FVEY). That is: Australia, Canada, New Zealand, the United Kingdom, and of course the United States.
Each and every one of these countries has its own version of the NSA and other related intelligence agencies. Australia has the Australian Secret Intelligence Service (ASIS) for HUMINT, the Australian Signals Directorate (ASD) for SIGINT, and the Defence Intelligence Organisation (DIO) for defense intelligence. Canada has the Canadian Security Intelligence Service (CSIS) for HUMINT, the Communications Security Establishment (CSE) for SIGINT, and the Chief of Defence Intelligence (CDIS) for defense intelligence. New Zealand has the New Zealand Security Intelligence Service (NZSIS) for HUMINT, the Government Communications Security Bureau (GCSB) for SIGINT, and the Directorate of Defence Intelligence and Security (DDIS) for defense intelligence. The United Kingdom has the Secret Intelligence Service (MI6) for HUMINT, the Government Communications Headquarters (GCHQ) for SIGINT, Defence Intelligence (DI) for defense intelligence, and the Security Service (MI5) for security intelligence. Lastly, the United States has the Central Intelligence Agency (CIA) for HUMINT, the National Security Agency (NSA) for SIGINT, the Defense Intelligence Agency (DIA) for defense intelligence, and the Federal Bureau of Investigation (FBI) for security intelligence.
All of the agencies listed above are able to share information with each other because of the FVEY intelligence alliance. I am a pretty practical person, so I’ve got to mention what a great accomplishment this is. Getting this many people together to share and collaborate is a wonderful and powerful thing; however, it can also be a very bad thing. Judging by the documents that we have access to, it appears that certain agencies are abusing their power and overstepping their boundaries. I am not one who is against surveillance; I am one who is against unlawful surveillance. I know that the security of our nation comes at a cost of privacy; for that matter, so does the security of our nations, and largely our planet.
Decisions regarding surveillance on this scale should not be discussed and decided in a room behind locked doors. They should be open to the public, to the citizens of the country. After all, that’s who they are trying to protect and defend, isn’t it? Some people have speculated about what a colorful world like ours would be like (such as George Orwell in his book “Nineteen Eighty-Four”), but none of them have been able to predict it exactly. The truth today is for us to see and experience. One thing has remained true throughout history: “Absolute power corrupts absolutely”! This is true because we are all human; it is as simple as that.
Everyone in the United States has a slight advantage over people in many other countries facing the same issues. That’s because we, the people, do in fact have the power to make a change, much more so here than in other countries. Whether we know it or not, ordinary people are changing the shape of the information security world. The less we care about the security and integrity of our data, the fewer InfoSec professionals there will be. The more concern we show about security and integrity, the more InfoSec professionals there will be. If we, the people, show that security is one of our top priorities, then software developers will be forced to worry about security in the beginning stages of development, and nation states will be forced to abide by our rule of security and privacy. So come on, everyone: let’s come together, unite, and show the world what we care about. Let’s change the world of information security and how the world views it!