Security often gets forgotten as the technological world quenches its thirst for innovation. Many of the most exciting developments – for both consumers and businesses – have developed way ahead of security concerns. Trends such as IoT and wearables, for example, both present challenges for cybersecurity strategists and white hat hackers. As we bridge the gap between hardware and software, new challenges emerge. Arguably, as software becomes more and more embedded in everyday life – both literally and metaphorically – the lines between cybersecurity and traditional security and surveillance become much more blurred too.
Recent high-profile cases have put cybersecurity on the agenda, even if it remains a subject that’s little understood. The celebrity iCloud hack was a reminder that even the largest systems, built by tech giants and used by hundreds of millions of people, can be attacked. In the UK in 2015, broadband company TalkTalk suffered a massive attack that put 157,000 customers’ data at risk – the fact that two teenage boys were later arrested for the incident only serves to underline that cybersecurity is a strange place. On the one hand, it demonstrates the disturbing power of a couple of kids with exceptional hacking skills; on the other, the vulnerability of entire systems and infrastructures.
Managing security in a world built on Open Source software and cloud
The paradoxes of cybersecurity mirror those of the wider software world. On the one hand we’ve never felt more powerful – when it comes to technology, change feels inevitable and exhilarating. Yet the more powerful we feel – as both consumers and programmers – the more we remember that the tools that build awesome products, and that help us manage huge projects and infrastructures, are largely built and maintained by communities. It is precisely because those tools of apparent progress seem democratic and open that they can be undone and used against the very things they build.
While Open Source may be one reason that cybersecurity has become more challenging and complex, it’s also worth thinking about how we use software. The role of cloud in managing software and delivering services in particular has had an impact. Our devices – our digital lives – are no longer intermittently connected to the ‘world wide web’ (a phrase that sounds somewhat dated today) but are instead continuously in communication with ‘the cloud’ – information and services are always available. Frictionless user experiences are great for users, but they’re pretty useful for cybercriminals too.
We feel powerless when it comes to security. Yet this lack of power is paradoxically wedded to our contemporary experience of complete control and connectivity and the ability to craft and cultivate our lives online exactly as we want. We want software that is built around our lifestyles with minimum friction, yet that often comes at a price. Consider, for example, what security looked like 10 years ago. The most essential step to being ‘safe’ online was to make sure your firewall was active and your antivirus was up to date. Today that can be difficult, as multiple devices access a range of networks even in the space of a single day (from airport Wi-Fi to mobile data). It’s hard to keep up. The issue isn’t just one for everyday consumers; it’s also a problem for cybersecurity teams developing the products we need.
Security is all about stability. This is antithetical to today’s technological ethos. But what can we do to keep systems and infrastructure safe? To keep our information and data secure?
How we learned to stop worrying and love hackers
But perhaps we’ve found a solution: the emerging phenomenon of the cybersecurity hackathon, in which security experts and friendly hackers are invited to test and expose vulnerabilities and to find ways in and around a huge range of software infrastructures. Perhaps the best recent example was the ‘Hack the Pentagon’ program, the U.S. Government’s ‘bug bounty’, in which more than a thousand security experts (mercenary hackers if you want to be impolite) uncovered hundreds of vulnerabilities in the Pentagon’s software infrastructure. You can find similar events all around the world – organizations whose infrastructure is built on Open Source software are effectively open sourcing their own security capabilities. These sorts of events prove that developing security skills (pentesting in particular) can be invaluable, and also a great way to learn more about how software works, and how people have decided to build things.
It makes sense. Gone are the days when you could guarantee security with your software package, when you could rely on your contact at Oracle for support. Insofar as most attacks and security risks are always external to a system or an organization, it makes sense to replicate those external threats when trying to identify vulnerabilities and protect yourself. It’s also important to acknowledge that you can’t cover everything internally. It’s easy to be hubristic, but hubris is very often the first sign of weakness.
The way forward – UX, IA and security
But are hackathons enough? Should cybersecurity in fact be something that we give greater consideration, as individuals and organizations? Instead of viewing security as a problem to consider at the end of a development process, an irritating inconvenience, we can focus on questions of accessibility and security as design and user experience issues, and so begin to use software in a much smarter and hopefully safer way. For individuals that might mean thinking more carefully about our digital footprint, the data we allow organizations to access. (And yes, maybe we could manage our passwords a little better, but I really didn’t want to include such trite advice…) For businesses and other institutions it may mean aligning cybersecurity with UX and Information Architecture questions.
While cybersecurity is definitely a software problem – one which anyone with an inclination towards code should learn more about – it’s also much more than that. It’s a design problem, an issue about where complex software systems interact with the real world in all its complexity and chaos.