Written in my garden on a cold spring day with a warm coffee and the fresh scent of blossom on the breeze, and dispatched to silicon.com from the Institute of Directors in London.
CIOs and security departments continue to spend most of their time, money, and effort on issues that pose a small fraction of the real threat.
At every security gathering I attend, people generally acknowledge that the insider threat represents the most significant risk to any organisation. But without fail, the focus always reverts to technology – and specifically network-borne threats.
No one seems to know what to do about employees, part-timers, secondees, contractors, suppliers and visitors. So the focus is always on firewalls, working practices, memory sticks, wi-fi, protocols and defence against attacks by Trojans, worms, viruses and hackers. And it has been this way for decades.
I suppose one day the people issue will be addressed, but in the meantime I reckon there may be an even bigger threat that we all stare at every day. Where were your PC and laptop manufactured? Where did your printer and copier, memory stick, wi-fi and 3G dongle come from? Where did all the chips and other components originate, and where were they assembled? For the most part, China.
Where was the code written for your OS and your various applications? A large percentage will undoubtedly have been created in India, Russia, South America and, of course, China. Today software is a commodity business, often with components from different centres across the planet, and there is also a degree of copying and counterfeiting.
Could the situation be worse than we imagine? Yes. Because the same concerns certainly apply to vast numbers of routers, switches and servers in our networks. And of course just about every telecoms and network provider and ISP has sourced vast amounts of infrastructure from, you guessed it, China. And if they haven’t directly sourced from China, there are counterfeit devices on the market that are almost identical to the real thing.
Then of course the same is true of the software supporting the network and systems, plus operations and management information. Huge quantities of software are now produced remotely from the West and well outside its control.
You get the picture. We just don’t know how much of this equipment and software has been deployed, or indeed where it is in the network, offices and homes. And we certainly have no way of knowing that all this equipment is free from malevolent inclusions such as backdoors, traps, implants and activity monitors.
So our only course is to assume that we are at least wide open to monitoring and data leakage today and some form of attack in the future. Do all CIOs see it this way? I’m far from sure that all do.
So how should we as individuals respond? How about weaving a web of contrived confusion? Encrypted documents, with a priori knowledge used to turn the cryptic into something useful, and the context split over two or three domains including voice, vision and documents, real and virtual worlds, and fixed and mobile.
And, of course, we generate a huge volume of irrelevant chit-chat. That automatically produces quite a smoke screen.