Sunday, October 11, 2009

"Protect the Data" from Whom?

This is a follow-on from my "Protect the Data" Idiot! post. Another question to consider when someone says "protect the data" is this: "from whom?" The answer makes all the difference.

I remember a conversation I overheard or read involving Marcus Ranum and a private citizen discussing threats from nation-state actors.

Questioner: How do you protect yourself from nation-state actors?

MJR: You don't.

Q: What do you do then?

MJR: You lose.


In other words, private citizens (and most organizations that are not nation-state actors) do not have a chance to win against a sufficiently motivated and resourced high-end threat. The only actors who have a chance of defending themselves against high-end threats are other nation-state actors. Furthermore, the defensive advantage those defenders hold over average joes does not necessarily come from the nation-state possessing superior people, products, or processes. Many nation-state actors are deficient in all three. Rather, nation-state actors can draw on other instruments of power that are unavailable to average joes.

I outlined this approach in my posts "The Best Cyber-Defense...", "Digital Situational Awareness Methods" and "Counterintelligence Options for Digital Security":

[T]he best way to protect a nation's intelligence from enemies is to attack the adversary's intelligence services. In other words, conduct aggressive counterintelligence to find out what the enemy knows about you.

In the "protect the data" scenario, this means knowing how the adversary can access the containers holding your data. Nation-states are generally the only organizations with the discipline, experience, and funding to conduct these sorts of CI actions. Such actions are not outside the realm of organized crime or certain private groups with CI backgrounds.

To summarize, it makes no sense to ponder how to "protect the data" without determining which adversaries want it. If we unify against threats, we can direct our resources against the adversaries we can possibly counter independently, and then petition others (like our governments and law enforcement) to collaborate against threats that outstrip our authority and defenses.

3 comments:

Colin Percival said...

Whether private citizens can win against motivated nation-state actors depends on how you define "win". In many cases, it isn't necessary to prevent an adversary from accessing data; rather, it is merely necessary to prevent an adversary from accessing data *without your knowledge*. There is a large difference between attacks on data and attacks on users: Data doesn't call press conferences if you kidnap and torture it.

My model adversary for my Tarsnap online backup service is a nation-state actor; but this doesn't mean that Tarsnap will keep your data secure from nation-state actors. Rather, it means that when and if nation-state actors steal your data, it won't be due to a weakness in Tarsnap. In some situations, this is enough.

Anonymous said...

Marcus totally rocks.

Anonymous said...

Richard,
this is a great series of posts. I laughed so hard when I read the Marcus quote. I can imagine the "Point Counter Point" with Marcus and Bruce Schneier on this one - it would be a short agreement!

Thanks!