Being Open About Secrecy

[As ever, you can read this on the BBC News website too]

It must be tricky to be an advocate of transparency when your job involves selling serious encryption tools to government departments, large and small companies, hospitals and people who are concerned about having their bank account details hijacked from a home PC.

After all, the point about good encryption software and the systems that surround it is that they provide a way to keep your secrets secret, while open government and the effective regulation of financial services would seem to require the widest possible dissemination of all sorts of operational data, from MPs’ expenses to bank investment portfolios.

And once something is on a website, in an email or available for inspection through a published program interface then it is no longer secret, however well the copy on your internal network might be protected.

Phil Dunkelberger, CEO of encryption specialists PGP Corporation, believes that openness and secrecy are actually two sides of the same coin, and that the fundamental question concerns the ways organisations and individuals manage their data so that they can decide on policies for disclosure and stick to them.

He also thinks that the best way to make companies and businesses take data security seriously is to make them aware of just how much it costs them when they are careless, which is why PGP sponsors the independent Ponemon Institute to produce an authoritative survey of how companies use encryption, how many data breaches they suffer and how much it costs them.

Dunkelberger was in London this week to launch the latest report on UK data breaches, which found that 70% of UK organisations have had at least one incident in the past year, with public sector respondents admitting to an average of 4.5 breaches per organisation.

Separate research by Ponemon estimates that the average cost of incidents is £60 per record lost or £1.7 million per organisation, and of course the wider impact on people’s lives as they have to change bank details or clear their credit records is also significant.

Over half of the data breaches that feature in the Ponemon report were caused by staff error, with people losing computers or data storage devices, deliberately breaking procedures because they did not understand their importance, or simply making mistakes that the systems developers had not anticipated.

Whatever its flaws, computerised data processing is not going to go away, and the proliferation of mobile devices, portable data storage and online access means that the problem of data leakage is not going to go away either.

And recent moves towards more openness between organisations and more transparency in both public and private sectors make it impossible to simply lock the data up in a corporate vault, however well-constructed.

The tension between openness and security has always existed, and modern technologies do not change the fundamental reality that once a secret is shared then it is less of a secret.

The best way to keep a computer secure is to disconnect it from the network and unplug the power, but this also makes it rather less useful, so any sensible data management policy has to accept that perfect security is not possible and have procedures to mitigate the impact of the inevitable leaks and failures.

A good system should also allow for effective disclosure. A proper MPs’ expenses system would not have relied on scanned receipts, released as thousands of pages of PDF files with potentially sensitive data blacked out by hand, but would have been built around a database in which all data was stored, cross-referenced to original documents for verification.

Releasing the expenses data would then only have required changing the permissions on a few database tables.

Of course, explaining this to MPs would have taken a lot of effort, because few of our elected representatives have any background in computing or any real understanding of the principles of systems thinking.

We can’t be too hard on MPs. Data security is a complex area that involves hard mathematics and complicated software and requires an ability to think clearly about the interrelationships between multiple overlapping systems, only some of which are computer-based, and few of us have the necessary training to do this.

But if we are going to have a network society that relies on computer-based systems then everyone needs to understand how those systems operate and how they are put together. Just as a democracy can only really function if the citizens are actively engaged in the decision-making process and not merely turning out to vote every few years, a wired world needs people who appreciate what is being done in their name.

At last weekend’s OpenTech conference I talked yet again about the growing divide between the geeks, who can code and know about computers, and the users who simply take what systems they are offered and work with them.

OpenTech was a conference about getting things done, not just talking about it, so we decided that every new member of parliament elected at the next General Election should be taught the basics of programming, so that when they come to vote on expensive IT systems they at least know how computers work.

We might even persuade them all to use encryption sensibly on their office computers, laptops and phones, and to use digital signatures for their emails.

It may be a small start, but it would be a start. And once MPs are doing data security properly it might offer a good model for the rest of us.

Bill’s Links

PGP Corporation:
Ponemon Institute:
OpenTech:

4 Replies to “Being Open About Secrecy”

  1. As I stated at OpenTech (along with a number of other people), this hassle with releasing MPs’ expenses could have been reduced if they’d each had a House of Commons credit card. Their credit card provider would have emailed them a file containing all their transactions and they would have been able to manage everything electronically, rather than relying on carting around bits of paper.

    As a programmer – I am rather reluctant to teach MPs programming. I’d see more benefit in teaching the ECDL. Throw in some CISSP (security) training and the fundamentals of networking as well to keep them up to speed.

    Programming is just a means to an end. Aside from the confusion of whether to teach BASIC, C++, Java, C#, or Ruby – you’ve got the problems of teaching algorithmic thought and pure predicate logic. I’d certainly welcome those above the teaching of big and little endianism.

    But, perhaps, what is needed more than all of this is basic project management and procurement skills. It simply beggars belief that the same companies are allowed again and again to allow projects to wildly over-run in both cost and time. We expect our politicians to be more like managers than revolutionaries – perhaps they should be taught management skills?

    Oh… sod it… Let them loose on Perl and watch how many tear their own eyes out in frustration.

    T

  2. We need security if we are going to have openness. As the old mantra goes, you can have security without privacy but you can’t have privacy without security. There’s no point having access to open data if you can’t trust it, so an integral component of a more open interweb is, perhaps paradoxically, a more secure interweb. I’m obsessed with this topic at the moment, because we desperately need a breakthrough at the policy level. If we don’t get it, I’ll bet the mother of parliaments’ next steps will be to pass a law (as they have just done in Jordan) requiring all web site operators to register all of their passwords with the Home Office.

  3. Hello Bill

    Two Things :

    1. “with public sector respondents admitting to an average of 4.5 breaches per organisation”

    How weak can you make data? – this is meaningless.

    How many organizations/Which ones/How serious were the breaches etc.etc.etc.etc and D…. Statistics.

    2. What possible advantage could be obtained from teaching these people ‘programming’ – Computer Skills / Digital Security Awareness / Encryption Methods – Yes – but programming?

    A pointless and very expensive waste, and there has already been far too much of this mis-selling in the public sector already.

    Best

    Fred F.
