Wikileaks is back in the news again today, with more information on its threat to disclose information on Bank of America. Any responses to block this will likely be followed with more DDoS attacks by Operation Payback. In light of this, it is easy to fall into the pattern of focusing on the “tax” that hackers impose on the cost of IT and information security.
However, there is another way to look at this. The good thing about technology is that it always adapts. The technology industry will evolve to the new threats that Wikileaks and is fans have found and develop products to address them. Here are just a few that come to mind:
We have the technologies today (e.g., distributed read-only caches, on-demand cloud computing capacity) to handle massive spikes in traffic. What remains is someone who can offer this up as an “insurance service.” Here is how it would work:
- You buy the service with set traffic thresholds
- When traffic spikes above these the company calls and asks if it is due to a promotion or and unscheduled event (i.e., DDoS attack)
- If it is true traffic, the company allocates more computing capacity at a surge charge
- If it a DDoS attack, it allocates read-only caches to share the load, directing users to the full functionality servers after they have authenticated.
I could see Amazon easily step into this space (they already provide capacity to help Twitter support surges).
Consumer-friendly Security Certificates
We have many technologies to certify that users are valid, from certificates to VPNs to thick local clients. However, most of these technologies are not user-friendly to mainstream consumers. (Some would argue they are not user-friendly to business users as well). What is needed is:
- Packaging this into a mainstream product that is both consumer friendly and easy to integrate with existing business web sites
- Establishing a partner network with businesses to accept the certificates
- Setting up the customer service infrastructure to support consumers
Many would argue that this would remove much of the anonymity of the Internet. However, as the rise of social media has shown, consumers are less scared of disclosing personal information to companies than many of us thought.
I could see a company like PayPal making this work. They have the security expertise and a network in place that combines it with identity protection.
We have digital watermarking and rights management for multimedia (e.g., pictures, videos, music). We will eventually need to incorporate this into raw data. This would allow use to track the chain of custody for all data—making it harder for people to download confidential data and bring it home to share. It would have to–
- Be integrated into the data itself, in a manner that destroys the integrity of the data if removed
- Incorporate the time and point of access from which the data ware removed or accessed
- Include the option to force inclusion of the logged in identity of users accessing the data (for businesses, government, etc.)
- Capture and append this whenever the data is written
This is a tricky one. I see groups ranging from MIT to the US NSA figuring out how this would work. However, organisations using sensitive data would love it (and pay much for it).
Acceleration of the InfoSec Arms Race
Once these products are place, people like Julian Assange will quickly find new ways around them. However, technology providers will counter these with new and improved services. The net result of this “InfoSec Arms Race” will be improved control and security of our information. It will also create wealth for creative professionals and savvy investors.
Isn’t innovation wonderful?