A unifying theme among many of the Information Security Forum’s threat predictions for 2016 and beyond comes from increased awareness of state-sponsored cyber-espionage. Durbin had a hearty chuckle when queried, rather jokingly, about blockbuster revelations dominating the news in 2013 regarding GCHQ surveillance of communications data. The conversation soon pivoted back to a more serious discussion on the effects of NSA surveillance and Edward Snowden on data security and corporate attitudes moving forward.
“I think what Snowden did was open people’s eyes to the fact that some of the stuff we had always pointed a finger as going on in North Korea or China was also taking place in the United States, in the UK, in France, and for many this was something of a shock”, Durbin observes. “From a European point of view it fuelled political hysteria.” He adds that – regardless of one’s opinion on the value of this type of surveillance – there are political gains to be made from stirring up a reaction to Snowden’s disclosures.
One of the political by-products has been discussions around regionally organized internets. “These proposals really make no sense at all”, Durbin says of calls for a balkanized web. He believes that if such proposals ever came to pass, any security or privacy benefits from regional control of the internet would be far outweighed by the negative impacts on commerce.
“We just all need to appreciate that in today’s environment, we are sacrificing some privacy”, he adds. “We have to assume that any data we put out – whether it is in the cloud or transmitted – could be stolen or hacked.” Durbin advises that organizations and individuals adopt a new mind-set that steers away from rigid data security practices, and towards risk mitigation. Each individual and organization will need to adopt a unique approach, he notes, depending on the value of the data and how it is being used.
Crystalizing his argument, Durbin believes that governments can’t be omnipresent, and this is especially true for internet governance and legislation regarding data privacy.
“Government can’t do it all”, he warns when reflecting on proposed regulatory responses to privacy and surveillance issues. “By the time they get their act together, the world – and technology – has moved on significantly.” Durbin expresses admiration for the speed with which the NIST Cybersecurity Framework in the US was created. It’s not a perfect set of guidelines, he admits, and even portions of this speedily developed framework will now be seen as obsolete.
When it comes to cybersecurity and data protection, something like the NIST Cybersecurity Framework – itself a voluntary guideline – will not apply to all areas of a particular organization’s security efforts. Then again, it doesn’t have to, Durbin explains; it just needs to provide a comprehensive starting point. In the end, he concludes, “It’s about being agile.”