Welcome to the Information Security Leadership blog.

Latest post

Patch Deployment

Any CISO strives after two things to mitigate cyberrisk to acceptable levels: visibility and control. One of the most important controls that should be implemented well and operated effectively is making sure that an effective patch management infrastructure is in place. In lieu of that, a patch deployment mechanism will work too.

The Australian Signals Directorate (ASD) has put out some excellent guidance with regards to cybersecurity. Specifically, their Top 4 Strategies to Mitigate Risks are mandatory reading for anyone with institutional responsibility for cyberdefense. Two of their four controls are directly related to having this capability in place!

Other recent posts

New Research Blog

In order to not dilute the nature of the posts here, I have just started a new Research Blog, which will focus on my ongoing academic research.

This Information Security Leadership Blog will continue to focus on more high-level content and will primarily target CISO-level folks working on defensive security.

RSS Feed Hickup

My RSS feed seems to have experienced a hickup and listed some old articles as new. Apoligies for the inconvenience and/or confusion!

Apple's Dilemma

By now, most people know that Apple is refusing to comply with a court order to decrypt the contents of a cell phone. The Justice Department isn't too happy with that, and calls it a marketing strategy.

They are right.

However, to call it just a marketing strategy would be incredibly short-sighted. Before I can address that, let's look at what's are the heart of all this. Over the last couple of days, I spent more time explaining what cryptography is, and what purpose it serves, than I spend time explaining what the order is really about.

So, here it goes: cryptography is a technique to allow people to communicate securely in the presence of an opponent. There are a few key components:

1. Cryptography is about communications. In other words, cryptography protects messages. In today's world, most of those messages live on mobile devices, such as smartphones.

2. Cryptography is about security. In most cases, that idea of security is used synonymously with confidentiality. Cryptography can do more than that, but the other cryptographic services are not really in scope in this case.

3. Cryptography assumes an adversarial environment. Without an 'us-and-them', there is no need for cryptography.

Apple, Google, Facebook, WhatsApp are all in the business of messaging. Furthermore, they believe that the senders and recipients of messages expect a level of privacy concerning their exchanges. As a matter of fact, they see privacy as a key competitive advantage, and they believe that without privacy their services will fall out of demand.

Privacy requires message confidentiality. Confidentiality of messages requires cryptography.

In other words, removing, or purposefully weakening cryptography, puts these companies at a global competitive disadvantage.

Note the word 'global'. Apple doesn't just sell their goods in the U.S. While flawed, the U.S. system of checks and balances actually works pretty well; especially when compared with other countries. Consumers in repressive regimes don't just look for cryptography as a nice-to-have feature, it is something that can save their lives, or even the lives of their families, friends and neighbors.

Second, the court order requires Apple to invent and build a product that currently does not exist. It is similar to telling a builder to first build a house that isn't there yet, but leave out any doors and windows, so that a warrant can be executed when he is done. Apple is not the FBI's private on-demand software development shop. Asking a company, via court order, to invent, build and hand over something that does not yet exist is a scary idea.

Third, all iPhones are pretty much the same. Once the software has been developed to unlock the phone's secrets, it can be used to open all iPhones. Anywhere in the world. Always.

While the FBI stipulates that this court order only applies to one specific physical device, the damage to Apple's brand is done as soon as words comes out that the vulnerable version of their software exists. As much as companies try to keep things secret, they aren't very good at it. The mere existence of such software will cause it to eventually leak. When that happens, anyone (national states, criminals, or just about anyone else), will be able to use it.

Two real questions remain:

1. Is this court order indeed based on legal grounds? I am not a lawyer, and I cannot answer that question.

2. Is our deep fear of terrorism an acceptable reason to compel one of the countries strongest companies to weaken its own brand, invent and develop products that do not exist, and provide governments world-wide (not just in the U.S.) with unlimited access to any cell phone, at any time?

If so, the terrorists have achieved their goal: we have allowed fear to influence every aspect of our daily lives. The fact that Apple unlocks one more phone really doesn't matter then.

Update: Fixed a whole lot of typos.