Right Now with Nick Smith
What I’m reading: Secrets and Lies: Digital Security in a Networked World by Bruce Schneier
What I’m listening to: Jotdog! It also helps to listen to Spanish language music — it’s kinda like Marina and the Diamonds, not bad! It’s upbeat enough, anyway. Plus, I don’t really know enough Spanish yet to be sure whether or not it’s awful. We’ll get there.
So, surely as civil servants you saw this headline a couple days ago: White House Weighs Personal Mobile Phone Ban for Staff
And when you did, I’m certain it prompted some … thoughts.
Thoughts like, “What?” “That doesn’t seem right.” “Is that constitutional?” and “Wait, how far up would this ban extend? I might actually be for it.”
In fact, before we had a President on Twitter, before we had Twitter even, we had already seen this fight for this same reason in 2009 when President Obama fought the NSA to keep his BlackBerry when he assumed the White House — because of the device’s security. Surely the technology has gotten better, no? Of course it has. To borrow from the book referenced at the beginning of the article (emphasis mine):
The technologies of computer and network security are getting better. Today’s firewalls are much better than the ones designed ten years ago … tamper-resistance technologies are improving; biometric technologies are improving. What aren’t changing are the fundamentals of the technologies and the people using them.
In all fairness to Schneier, the unbelievable prescience of this passage is lost in 2017, because we’re desensitized to a smartphone-drenched universe that didn’t even exist when he wrote it in 2000 — which is to say, this guy straight up predicted the faults in Bring Your Own Device before the concept of Your Device even existed.
Now, it’s estimated that nearly 70% of the US population owns a smartphone, and that number is not only undoubtedly higher in the modern government office, but is predicted to rise to over 80% in the next five years. What’s more, according to a recent survey, there’s a good (~1-in-6) chance your IT department doesn’t know that employees are accessing email/other stuff from their own device, or worse, a better chance (1-in-4) that it knows and is actively doing nothing about it.
When you consider that it’s not just cell phones, and there’s the cloud, USB sticks, RSA keys; all kinds of newfangled things we force upon people, this is scary. Sure, the rising tide of technology has to be lifting all the literacy boats, but there is still undoubtedly something out there that’s the 21st century analog of not knowing how to program the blinking clock on your VCR, and statistically, you work with at least one of those people.
Hell, the whole thing that prompted this White House ban wasn’t just some low-level staffer or some rogue veteran leaking stuff to the press — no, the Chief of Staff himself had his phone hacked. Naturally your stakes aren’t as high as what’s going on at 1600 Penn Ave, but can you imagine the fallout if your head of HR or Police Chief had their personal device hacked? And it doesn’t even have to be hacked. It could be lost. It could be stolen.
Or, my personal favorite, they could be the victims of social engineering. Are you teaching your people about social engineering? YOU SHOULD BE.
In fact, that’s where I’m going to leave this: Train your people on Information Security. From the junior mail room lackeys to the most senior managers. People aren’t going to get better unless you teach them how to and why they need to; and especially when it comes to rapidly-evolving technology, there are just so many unknown unknowns that it would be impossible for the people who need help the most to get it on their own.
You might not fend off a nuclear war, but you might just save everyone’s butt anyway.