2013: What We’ve Learned

They say that your worst fears and your fondest dreams are rarely realized. That may well be true in most walks of life, but in the information security world, 2013 was the year that our worst fears were not only confirmed, but so were some things that few but the most paranoid among us thought possible.

The list of NSA-related revelations is well known by now: the phone metadata collection program, PRISM, subversion of the Dual_EC_DRBG random number generator in a NIST standard, development of an arsenal of capabilities to break SSL, tapping undersea fiber cables, monitoring the communications of foreign leaders and even assembling a catalog of information-warfare tools with outlandish capabilities. Some of these revelations involve capabilities or programs that people in the security industry had either suspected were in use or had some evidence were being used. The metadata program, for example, had been discussed in some corners of the industry for several years, and the possibility of a backdoor in Dual_EC_DRBG had been raised publicly as early as 2007: if the generator's two fixed curve points were chosen with a secret relation between them, whoever knows that relation can recover the generator's internal state from a small amount of its output.
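The Dual_EC_DRBG backdoor the paragraph alludes to is concrete enough to show in code. What follows is an added example, not code from the article or from any party it describes: it implements the generator's output step on the NIST P-256 curve (field and curve constants assumed transcribed correctly from FIPS 186-4), constructs the fixed points P and Q with a secret relation P = d*Q, which is exactly what the 2007 warning said the standard's published points might hide, and then recovers the internal state from two published outputs. The seed, the value of d, the choice of Q and the 8-bit truncation (the standard withholds 16 bits) are all assumptions made for the demo.

```python
# Added example (not from the article): a toy of the Dual_EC_DRBG backdoor.
# Field and curve constants are NIST P-256 as given in FIPS 186-4 (assumed
# transcribed correctly); P, Q, the secret d, the seed and the 8-bit
# truncation are constructed for the demo and are not the standard's values.

P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b

# The real generator publishes x(sQ) minus its top 16 bits. We withhold 8 so
# the attacker's brute-force step (2**TRUNC_BITS candidates) runs in seconds.
TRUNC_BITS = 8
OUT_MASK = (1 << (256 - TRUNC_BITS)) - 1

# Secret relation P = SECRET_D * Q. Whoever knows SECRET_D owns the generator.
SECRET_D = 0x1a2b3c4d5e6f708192a3b4c5d6e7f809   # demo value, not a real constant


def ec_add(A, B):
    """Affine addition on y^2 = x^3 + ax + b; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    x1, y1 = A
    x2, y2 = B
    if x1 == x2:
        if (y1 + y2) % P256_P == 0:
            return None
        lam = (3 * x1 * x1 + P256_A) * pow(2 * y1, -1, P256_P) % P256_P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P256_P) % P256_P
    x3 = (lam * lam - x1 - x2) % P256_P
    return (x3, (lam * (x1 - x3) - y1) % P256_P)


def ec_mul(k, A):
    """Double-and-add scalar multiplication k*A."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R


def lift_x(x):
    """A curve point with x-coordinate x, or None if no such point exists."""
    rhs = (x * x * x + P256_A * x + P256_B) % P256_P
    y = pow(rhs, (P256_P + 1) // 4, P256_P)   # square root, valid as p = 3 mod 4
    return (x, y) if y * y % P256_P == rhs else None


def make_backdoored_points(d):
    """Pick any curve point Q, then set P = d*Q. The standard's fixed P and Q
    are suspect because nobody outside NSA can show they were NOT made this way."""
    x = 1
    while (Q := lift_x(x)) is None:
        x += 1
    return ec_mul(d, Q), Q


class DualEC:
    """Dual_EC_DRBG generate step: s <- x(sP); r <- x(sQ); publish r truncated."""

    def __init__(self, seed, P, Q):
        self.s = seed % P256_P
        self.P, self.Q = P, Q

    def next_output(self):
        self.s = ec_mul(self.s, self.P)[0]   # new state (toy ignores the s = 0 corner)
        r = ec_mul(self.s, self.Q)[0]
        return r & OUT_MASK                   # top TRUNC_BITS bits are withheld


def recover_state(out1, out2, Q, d):
    """Given two consecutive outputs and the secret d, return the generator's
    internal state after out2, or None. Cost: at most 2**TRUNC_BITS guesses."""
    for top in range(1 << TRUNC_BITS):
        r = out1 | (top << (256 - TRUNC_BITS))   # candidate for the full x(s1*Q)
        if r >= P256_P:
            break
        R = lift_x(r)
        if R is None:
            continue
        # R = +/-(s1*Q), so d*R = +/-(s1*P). The x-coordinate is the same for
        # either sign, and x(s1*P) is by definition the next state s2.
        dR = ec_mul(d, R)
        if dR is None:
            continue
        s2 = dR[0]
        if (ec_mul(s2, Q)[0] & OUT_MASK) == out2:   # confirm against out2
            return s2
    return None


if __name__ == "__main__":
    P, Q = make_backdoored_points(SECRET_D)
    victim = DualEC(0x1234_5678_9abc_def0, P, Q)    # seed unknown to the attacker
    seen = [victim.next_output() for _ in range(2)]
    clone = DualEC(recover_state(seen[0], seen[1], Q, SECRET_D), P, Q)
    print("predicted next output matches:", clone.next_output() == victim.next_output())
```

The attack costs one scalar multiplication per candidate for the withheld bits, so with the standard's 16-bit truncation it is at most 2^16 guesses, trivial for anyone holding d and impossible for anyone without it. No seed quality helps: anything derived from the generator's output, a TLS nonce or session key for instance, is exposed after one observed output. That is why the practical response in 2013 was to stop using Dual_EC_DRBG rather than to reseed it.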

The security and privacy implications of these programs, as well as the others that have been revealed by the leaks of documents from Edward Snowden, are obvious and devastating. Some of the fundamental technologies and platforms that billions of users rely on for their communications every day are continuously monitored. They should be considered compromised.

In many ways, the promise of the Internet as an open, usable communications platform available to everyone has been broken. For the network to be useful, its users must be able to place some level of trust in it, and the protocols and technologies on which it’s built. The revelations of the last seven months have made it clear that’s just not possible. The plain truth is that we no longer know what to trust.

That is the cold, ugly lesson of 2013: trust, the thing that security and privacy depend on, is not merely hard to establish but may be impossible in some cases. If you rely on encryption to protect your sensitive online communications, as many of us do, how can you trust that the packets you send and receive are not being diverted or decrypted somewhere along the way? You can’t. If you would prefer to be left alone and not have your every online movement, interaction and email tracked, you’re out of luck.

The Internet hasn’t been the open, flexible, user-oriented network it was meant to be for a long time, if it ever actually was. Now it has become a poisoned, paranoid environment where everything is suspect. The last year was a brutal one for privacy, freedom and security, and it’s unclear whether 2014 or any of the coming years will be any better. Only the most optimistic bettor would make that wager, and optimists seem to be an endangered species these days.