A 2 for 1 Post: Richard Clarke – Right & Wrong / My Thoughts on the Future of Infosec

This blog post pointed me over to a TechTarget article that interviewed Richard Clarke. Clarke is reported as saying:

“That illustrates the problem,” he said. “It’s about what you don’t know, or what you don’t see or can’t prove. Industrial and national espionage is happening daily on a massive scale. Your databases are being stolen and copied, and just because the evidence isn’t in front of you doesn’t mean it’s not a problem.”

Well, he’s right, but the reasoning is wrong. He’s right that industrial espionage happens, and he’s correct that we need to implement more encryption, but the argument is bogus. Think of it this way: out in the universe there is a moon made of green cheese, but just because the evidence isn’t in front of you doesn’t mean it doesn’t exist.

A different potential counterargument to Clarke’s case: someone who is a trusted insider [such as DuPont’s Gary Min] would be able to decrypt the data before exporting it. How much risk does encryption really reduce?

In other news…

My prediction for InfoSec that I voiced at the United Nations: It’ll be back to the data. But Ken, you may object, wasn’t it always about the data? Yes. Although if one looks back at the security space for the last few years, first it’s been about network security (Firewall, IPS/IDS, Spam Filter, etc.) and now it’s about application security (SDLC, web apps, etc.). The next stage is the “Data Stage”: ACLs over the data, encryption of the data, permissions within the applications themselves. Does this happen now? To an extent. It’s just we’ll see that much more of it. After this data stage we’ll have evolved into a mature security computing society. We’ll still deal with various security issues (ad infinitum) such as vulnerabilities and patches, but our transition from a naive security computing society to a mature, robust one will be relatively complete.

One Comment

  1. Alex Jun 14, 2007 at 8:08 am

    “How much risk does encryption really reduce?”

    Depends on the various factors of risk and the scenario you’re studying, but in general – encryption reduces risk by a significant amount. In addition, encryption usually increases your capability to manage risk by a good amount, as well.
