This week at the RSA security conference, Microsoft and a number of other technology industry firms are set to announce a Tech Accord, but its wording is vague. It calls for action only by tech companies. What’s missing is the important public-private partnership piece. And the urgency for data protection is that much greater now, given how badly user privacy has been breached in recent times.
On the one hand, we have Facebook, which was built around a model that exploits user data explicitly. We were told as much in the fine print (which no one read), and Facebook founder Mark Zuckerberg gave us a peek at his intentions way back in 2005. But almost no one seemed bothered. Even people who threatened to leave Facebook after the latest revelations about Cambridge Analytica are still there.
On the other, we have Microsoft and Intel, which, between them, designed low-cost computing systems that were never meant to be secure in the first place. Over time, these systems were put to use for general business purposes, including, eventually, mission-critical functions like banking, process control, and medical information management.
Part of the reason people continue to rely on these platforms is just plain laziness, part is inertia of the infrastructure in place, and part is a lack of awareness of vulnerability and an understanding of the consequences of data loss.
Laziness, I don’t think, has to be explained.
The issue of infrastructure inertia refers to the public’s and businesses’ general reliance on Wintel technology (a combination of Intel’s x86-architecture microprocessors and Microsoft’s Windows operating system). An illustration of this can be found in the unfolding story of the Spectre and Meltdown flaws that affect microprocessors. Intel and other microprocessor makers, aiming to increase performance, let the processor execute instructions speculatively, running ahead past a branch or a bounds check before its outcome is known. If the guess proved right, the results were kept; if not, they were thrown away and the program’s visible state rolled back. No harm done, in principle. Except that the discarded work leaves traces in the processor’s internal state, above all in which lines are now sitting in the cache, and those traces can be measured by timing memory accesses. A less-privileged process can therefore steer the processor into speculatively reading memory it has no right to (the kernel’s memory in Meltdown’s case; data beyond a bounds check, possibly belonging to another program, in Spectre’s) and then recover the value through this timing “side channel.” Thus, the hardware itself was vulnerable. These attacks just so happen to be more likely and more devastating in multi-tenant virtualized cloud environments, where one customer’s code shares a processor with another’s, and on which enterprise customers are increasingly reliant.
The first line of defense against these flaws was the operating-system vendors, Microsoft (and Apple, also a user of Intel microprocessors), along with the Linux distributions, which issued software patches. These patches worked, in that they closed the known paths to the data (for Meltdown, by keeping kernel memory unmapped while user code runs; for Spectre, by restraining speculation around the vulnerable code patterns, helped along by Intel microcode updates), but they did not change the hardware, and they caused some degradation of performance. Be that as it may, Spectre and Meltdown are only the latest, most important, and lowest-level flaws to surface from the Wintel camp. Microsoft dines out quite nicely these days on the continuous issuance of software patches to mitigate flaws discovered constantly in that leaky ship called Windows. In fact, this constant need to patch has allowed Microsoft to shift its business model from software sales to software-as-a-service (SaaS). Microsoft — the “Patch Tuesday” king — has mixed motivations with respect to privacy and security. Last year, it was using fears about the WannaCry ransomware attack to force its customers to upgrade their software. (WannaCry spread through an SMB flaw for which Microsoft had shipped a fix, MS17-010, two months before the outbreak; machines that had not applied it were the ones hit, and Microsoft went on to release out-of-band patches even for the unsupported Windows XP.)
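To make the Spectre mechanism and the shape of a software fix concrete, here is an added example in C that is not part of the original column or of any vendor’s patch. It shows the bounds-check-bypass gadget from the Spectre variant 1 write-up next to a hardened version that clamps the index with a branch-free mask, in the style of the Linux kernel’s array_index_mask_nospec(). The memory layout, the “secret” bytes and the probe-array contents are constructed test data; the cache-timing measurement an attacker would use to read the probe array is hardware-specific and is deliberately left out, so the block only demonstrates the gadget pattern and the mitigation, not a working leak.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample memory layout, modelled on the Spectre variant 1
 * write-up: the victim is only ever supposed to index the first
 * ARRAY1_SIZE bytes of array1; the bytes after that stand in for secret
 * data the caller must never read. array2 is the "probe" array whose
 * cache state an attacker would time after the victim runs. */
#define ARRAY1_SIZE 16u
static uint8_t array1[160] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,
                              'S', 'E', 'C', 'R', 'E', 'T'};
static uint8_t array2[256 * 512];

/* Fill the probe array so the gadgets below return something recognisable:
 * array2[i * 512] == i ^ 0x5A. Constructed test data only. */
void init_arrays(void) {
    for (unsigned i = 0; i < 256; i++)
        array2[i * 512] = (uint8_t)(i ^ 0x5A);
}

/* Vulnerable gadget. The bounds check is correct as far as the program's
 * visible results go, but while the CPU is still resolving `x < ARRAY1_SIZE`
 * it may predict the branch as taken and run the body with an out-of-bounds x:
 * array1[x] then fetches a secret byte, and the dependent load pulls the
 * cache line holding array2[secret * 512] into the cache. The results are
 * discarded once the misprediction is detected, but that cache line stays
 * resident, and an attacker who times accesses to array2 can tell which one. */
uint8_t victim_vulnerable(size_t x) {
    if (x < ARRAY1_SIZE) {
        return array2[array1[x] * 512];
    }
    return 0;
}

/* Branch-free bounds mask in the style of the kernel's array_index_mask_nospec():
 * all ones when idx < size, all zeros otherwise. It is pure arithmetic, so
 * there is no branch for the CPU to mispredict. Assumes idx and size are both
 * below 2^(bits-1), so the top bit of (size - 1 - idx) acts as a sign bit. */
size_t index_mask_nospec(size_t idx, size_t size) {
    /* Stop the compiler from "proving" idx < size from the enclosing if and
     * folding the mask away (the kernel uses OPTIMIZER_HIDE_VAR for this).
     * GCC/Clang inline-asm syntax. */
    __asm__ volatile("" : "+r"(idx));
    size_t top = sizeof(size_t) * 8 - 1;
    size_t oob = (idx | (size - 1 - idx)) >> top;  /* 1 if idx >= size, else 0 */
    return oob - 1;                                /* 0 - 1 wraps to all ones */
}

/* Clamp an index to 0 unless it is in bounds, without branching. */
size_t clamp_index_nospec(size_t idx, size_t size) {
    return idx & index_mask_nospec(idx, size);
}

/* Hardened gadget. Even if the branch is mispredicted, the index fed to the
 * speculative load has already been clamped to 0, so no out-of-bounds byte
 * can reach the dependent array2 access and nothing secret lands in cache. */
uint8_t victim_hardened(size_t x) {
    if (x < ARRAY1_SIZE) {
        x = clamp_index_nospec(x, ARRAY1_SIZE);
        return array2[array1[x] * 512];
    }
    return 0;
}

int main(void) {
    init_arrays();
    size_t probes[] = {0, 3, 15, 16, 1000};
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        size_t x = probes[i];
        printf("x=%4zu  mask=%016zx  clamped=%zu  vulnerable=%u  hardened=%u\n",
               x, index_mask_nospec(x, ARRAY1_SIZE), clamp_index_nospec(x, ARRAY1_SIZE),
               victim_vulnerable(x), victim_hardened(x));
    }
    return 0;
}
```

Both gadgets return identical values for every input; the difference is invisible to the program and only matters in the speculative window the text describes. That is also why the masking must be arithmetic rather than a second `if`: a branch can be mispredicted just like the first one, whereas the mask is computed from the data itself. The inline assembly barrier is the practical caveat: an optimizing compiler that can see the enclosing bounds check is entitled to delete the mask as redundant, so production code needs the barrier (or a compiler-provided intrinsic) for the fix to survive compilation.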
So, who does take user data privacy seriously? Well, for one, IBM.
IBM has been paying close attention to security for years because its customers demand high levels of computing horsepower while handling some of the most sensitive end-user data. Data that, if it got out into the wild, could expose those customers to enormous legal and financial consequences.
IBM recently commissioned a survey that illustrates the importance of data privacy and security to end users. Conducted online by The Harris Poll at the end of March 2018 and gathering input from more than 8,000 adult respondents in seven countries, the poll found that more than three-quarters of respondents believe that a company’s ability to keep their data private is “extremely important.” Similar percentages said they would not buy a product from a company if they didn’t trust it to protect their data, think businesses focus more on profit than on addressing consumers’ security needs, and indicated that it is extremely important for companies to take actions quickly to stop a data breach. Only 20 percent “completely trust” organizations they interact with to maintain the privacy of their data.
So, most end users want companies to respect their privacy, but don’t think that they do. We’re between Facebook, which violates privacy as a matter of policy, and Microsoft, which can’t seem to get it right.
IBM has been concerned about customer data security for years. Following heightened anxiety about governments’ access to private data, the company published an open letter to customers in 2014 that explained its policy on sharing customer data with governments. IBM also supported the Cybersecurity Information Sharing Act (CISA) of 2015, which, by limiting their liability, encourages organizations to share cyber-threat information (indicators of an attack or breach) quickly, with government and with each other, to prevent further damage.
In 2015, the company established the X-Force Exchange, a publicly accessible 800 terabyte real-time database of security threat information to help organizations collaborate on battling cybercrime. IBM further clarified its policies on handling customer data in October 2017, when it issued Data Responsibility @IBM. And in 2017, IBM was among the first to sign the EU Data Protection Code of Conduct for Cloud Service Providers, guaranteeing a high standard of protection for data in the company’s SoftLayer and Bluemix cloud services.
Cybercriminals are organized. Tech companies can’t address privacy on their own. They need to take a holistic approach, working in partnership with governments and companies outside the tech sector. Data breaches need to be reported immediately. To combat the constant barrage of threats, governments around the world, the tech industry, and tech customers, need to work together — consistently and over time.