The Future of Security: The Bottom Line

Protecting tomorrow’s technology is the responsibility of the many, not the few
Protecting tomorrow’s technology is the responsibility of the many, not the few

This week, leaders in technology and academia debated our greatest security vulnerabilities, and what it will take to get ahead of them, in a virtual roundtable on Medium. What emerged from the discussion — including perspectives from Google, Facebook, Twitter, Dropbox, Square, and more — is that the future’s biggest challenges lie closer to the fringes of technology, where companies and innovations tend to be less established. The bulk of our panelists represented big firms with lots of expertise, infrastructure and money to put toward security. They are, as Sarah Guo adroitly put it yesterday, “the one percent.”

Kevin Poulsen, Contributing Editor / WiredSecurity is harder for everyone else: the startup with a really cool app that collects reams of data; the Internet of Things coders developing for tiny platforms, where every byte set aside for authentication or crypto is one less byte for features. For them, security is an expensive and technically challenging endeavor with an uncertain outcome. And there’s virtually no intrinsic motivation for them to pursue it — it’s not going to make a difference in sales, or in getting funded, or in anything else that matters to the company’s bottom line.

The barriers are too high and the incentives for surmounting them too weak. The proposals put forth this week are aimed at both variables.

Raising Incentives

Invest in public awareness. An informed public can enforce accountability from the bottom up, and weigh security tradeoffs when choosing a product.

Enact a User’s Bill of Rights. Pass a law that would force companies to live up to basic security standards.

Hold corporations liable. Make companies hosting consumer data legally liable for breaches.

Lowering Barriers

Increase information sharing. Support more efforts like Facebook’s ThreatExchange and Google’s Safe Browsing initiative.

Share security technology. Google’s work on two-factor authentication is one example of “trickle sideways security” that benefits everyone.

Defend existing privacy tools. Resist efforts to criminalize security products and features.

Invest in Research. The technology industry should fund more research into the human elements of security, and important but neglected areas like defense. And research should be turned into practical tools at a faster rate.

My two cents: There’s a lot to flesh out on the legislative proposals. A 15-year-old-law called FISMA was supposed to force government agencies to meet security standards, yet failed to prevent the massive OPM breach. And while liability sounds nice, it’s unclear how it would work for non-financial incidents, like privacy breaches or Cylon attacks.

I’m a fan of technology giants using their resources and influence to shore up our shared environment. In 2014 Google made SSL a “ranking signal” in its search engine, and Apple recently made full SSL a requirement for new ioses apps. Both moves greatly incentivize developers to encrypt Internet traffic. More of this please.

Want to start at the beginning? Learn about the major hacks and exploits that are making security a major concern among today’s technology leaders.

The Future of Security Roundtable is a Google-sponsored initiative that brings together thought leaders to discuss how we can best protect ourselves from the data breaches and security risks of tomorrow. Panelists are not affiliated with Google, and their opinions are their own. Read the post that kicked off the roundtable here and feel free to join in the conversation.