Next time government goes on about wanting more mandate or money for accessing citizens’ private communications…
Jokes set aside, the discussions coming out of this reveal interesting things about how different people reason around security concerns of, simply put, connecting everything and everyone everywhere to everything else all the time.
What does this mean?
I’m no security expert, and trying to make sense of this. Curious to hear what others think?
What does it mean for building a “next generation internet” that is human-friendly and human centric?
I also am no infosec expert. But, two anecdotes that stayed with me:
Anecdote 1. Company X sets up a secure intranet. You log in with a username and password. The password has to be complex: at least 16 characters, at least one small letter, one big letter, one number, one symbol, one pentacle with an invocation of Cthulhu, a drop of blood of the user’s firstborn, and so on. Result: employees write their passwords on post-its and stick the post-its on their monitor’s frame.
Anecdote 2. The computer system of the Swedish public health has a burdensome secure login (see above). Logged-in users are also automatically logged out if they do not do anything for 10 minutes. Swedish doctors respond by instructing their nurses to move the mouse every 9 minutes, so they will remain logged in.
Tentative conclusions:
Security is expensive. Think before you add any security. Do you really need it?
When the makers of security are not also its users, there is a “reverse moral hazard problem”. If the strong password was not enforced, the infosec technologist gets the blame for breaches. If the secure system is so difficult to use that people circumvent it to use insecure solutions, the users get the blame for breaches. If you are the infosec technologist, making an unusable system is the dominant choice, because it lets you off the hook.
Computer systems (absolutely not only their security aspects) are often seen by their intended users as instruments of oppression, like in the Swedish example. When that happens, rather than making them secure it would be a good idea to ask why that is, and if those systems could not be redesigned or disposed of altogether.