Legal Due Process in Cyberspace
The challenge, however, is not establishing standards for due process. That’s relatively straightforward. The challenge for global telecommunications firms, consumer internet firms and their respective government partners and regulatory authorities is verifying that those standards are being followed. To Estonia and the European Union, the “transparency reports” published by important firms such as Google and Microsoft raise the fundamental question: “how can you trust the message if you can’t trust the messenger?” Without the ability to verify the veracity of the message, you are left with blind trust.
Doveryai no Proveryai
Prior to the digital age, the solution to a lack of trust was “Doveryai no Proveryai”, a Russian saying that was translated for Ronald Reagan and became his signature phrase, “Trust, but Verify”. This worked in the physical world of nuclear weapons because it was possible to have extensive verification procedures to monitor compliance on both sides. What, however, of the digital world? How do you verify anything at all when all activity is represented in digital form and is easily manipulated without leaving a trace?
Trust, can’t verify: Why Modern Security Solutions Fail
Modern security solutions, whether next-generation firewalls or sandboxing (“multi-vector virtual execution”), help stop some attacks. Firewalls, antivirus software and 100% encryption are today’s preferred solutions. The problem, however, is that there is no mechanism to verify that they are working. The challenge with sandboxing and perimeter defense is that both rely on a defensive, reactive approach, with its associated dependence on detection, monitoring and inspecting each packet in real time while searching inside and testing the content. They work well in closed-loop systems from a data supply chain and information assurance perspective, but both are fundamentally less effective against sophisticated attackers who have penetrated the layered security defense and can control networks and access user data, enterprise data and government networks from the inside.
Where do we stand today
There is a new reality that the world’s enterprises, citizens and governments must address. Approximately 95% of all enterprise networks have already been compromised. The resulting loss of intellectual property from Fortune 500 firms alone has been described as the largest wealth transfer in history. Despite this massive and ongoing security failure, the security status quo for digital society today remains trust: trusted insiders to protect and administer digital systems, and trust that security systems will catch the bad guys. They don’t. Trust without verification is clearly a failed strategy.
Extending Ronald Reagan’s Doctrine to Cyberspace
After suffering a crippling, prolonged national-scale cyberattack, Estonia recognized that a new approach was needed to restore trust in digital systems. Under the auspices of the Estonian Government and the small country’s private sector, in 2007 a team of specialists designed a digital authentication service that could provide exabyte-scale real-time authentication for all the world’s networked digital assets. That means – trust AND verify. Assume that your network has already been compromised but provide authentication and monitoring of all digital assets to ensure that any malicious activity can be detected in time.
Estonia has already solved the Problem
There is a reason that the EU, the United States and its NATO alliance members worldwide send their top cybersecurity and information security officials on data regulatory “trade” missions to Estonia. It is the world’s foremost digital society built entirely post-Internet with complete transparency, accountability and attribution in cyberspace.
Edward Snowden could not have committed his unauthorized act in Estonia. With real-time monitoring of the integrity of digital events, his attempt to cover his tracks would have raised an immediate alert, and he would have been held accountable for his actions.
General Keith B. Alexander and President Toomas Hendrik Ilves
It has been seven months since NSA Director General Keith Alexander visited Estonia for CyCon and President Ilves spoke on the importance of using KSI for government accountability and transparency, something that we were given the opportunity to present to the UN General Assembly later last year. So it is no surprise that cybersecurity and trust have moved to center stage at Davos.
To quote another president, last year US President Barack Obama said that you can’t have 100% security, 100% privacy and zero inconvenience. At Guardtime we agree. You can, however, have 100% transparency and accountability across all networks, for all citizens and the government institutions that serve and protect them.
Hans Vestberg, CEO of Ericsson, commented on security in a recent interview: “Of course there are concerns. That’s why vendors like us must operate with complete transparency and trust.” The good news is that by adopting the Estonian model of attributed networks, delivered as a service to world governments and global corporations via their telecommunication partners, it is possible to deliver complete accountability and transparency, re-establishing trust in global business and simultaneously solving that three trillion dollar problem.
Image by Ardi Hallismaa (Kaitseväe Peastaap).