We all understand the idea of "Plan A" and "Plan B". Plan A is the plan we put in place that is meant to work as planned. In security, it is the plan we hope will ensure the CIA (Confidentiality, Integrity, and Availability) triad is in place. We put a lot of effort into Plan A, and then the more intelligent among us will put some effort into a Plan B. This is the plan we switch over to in the event Plan A fails.
This is generally the "damage control" mode plan. This is the plan we all hope we never have to go to, since by this point something very bad has happened. This could be something like...say perhaps...all of our national secret and top secret information getting leaked on a website.
That can be a really bad thing...
By now we are all probably keenly aware that the masterminds behind the WikiLeaks website have decided that information must all be publicly shared no matter what. Someone asked me my opinion about this several days ago...if I thought it was a good thing or bad thing...and my response was simple. I do not have an opinion about it being a good thing or bad thing. What I do know is that it is something that exists, and we must now figure out a way to deal with it, because it is NOT going to go away...EVER! It is like winter in Cleveland...deal with it.
I know this may sound harsh, but that is what we are facing. We live in an age where information ebbs and flows (and overflows) like water in an ocean. It comes to us as a gentle and calm breeze, or as a hurricane. It drifts down like snowflakes, or comes crashing down like an avalanche.
Okay...enough analogies...you get the picture. The truth is, we simply no longer have the control of information we once thought we had. The very nature in which we communicate today has created an environment where massively scalable information storms can occur. In the "good old days" we communicated by sending letters and talking. Today we communicate by generating data that gets pumped into "The Cloud", and then BLINDLY trust that it will only get to the intended recipients and nobody else.
Isn't that cute...
The Plan A way of dealing with information has been to protect the confidentiality, integrity, and availability of the information for as long as information has been important to us (essentially forever, but perhaps more so today in the information age). While we have created some absolutely fantastic systems for ensuring both the integrity and availability of information over the last several decades, it seems that the very systems we have built have made it increasingly difficult to ensure confidentiality. Through the application of Moore's Law we have created systems with insane amounts of processing power, and have driven down the cost of these systems to almost nothing (I say almost nothing because you can find computers for free these days...at least in the San Francisco Bay Area), meaning that anyone can get their hands on the tools needed to both obtain and distribute information. There was a time when getting confidential information meant breaking encryption or applying brute force or dictionary attacks on systems. While this is still true today, we now live in a world where there are so many people accessing systems throughout the world, we no longer need to break into systems to get a hold of sensitive information. Today somebody who has authorized access to information either copies it or sends it into the cloud for all to consume. What makes this so difficult to control is that there are so many who have access to information, and either through direct access or aggregation the information can be assembled into nice little information bombs.
In other words, confidentiality has become nearly impossible to both achieve and manage.
This makes Plan A an incredibly difficult plan to manage, and certainly makes our reliance on Plan A more and more difficult to justify from a due diligence/due care perspective. We simply live in an age where we MUST assume compromise. We must accept the fact that, at some point, confidentiality goes out the window. Time to look at Plan B.
I am not sure what the US Government is doing with respect to Plan B. I saw an article where the US Government is warning college students to not talk about WikiLeaks...or else. I see some efforts to shut down the WikiLeaks site, and cut off funding sources. I imagine these are all some valid steps to take...in an act of desperation. Okay, maybe it is not desperation, but it certainly seems desperate. I mean...c'mon...do we really believe this is going to do anything more than irritate a bunch of college students who already do not like our government to begin with, and who are perhaps infinitely more savvy about the information age?
I am fairly certain that Plan B has not been given the level of attention it should have been given. It is very difficult for people who are intelligent AND arrogant (a bad but common combination) to consider the possibility that their best laid plans may have a fatal flaw. Consequently, anything more than a cursory level of attention to Plan B is considered an admission that maybe they are not as smart as they think they are. Perish the thought!
The truth is, Plan B has ALWAYS been more important than Plan A. By the time you get to the point where you need to use Plan B, things have generally gotten very bad. This is now the time where you must not only figure out how to keep things operational, but also undo the damage that caused Plan A to fail. This is the "do or die" moment.
We certainly need to continually focus on protecting information. We do indeed have systems and methods available to us today that can buy us some time in the race between those who need to protect information and those who want to uncover it. We simply need to understand that at some point the information we so dearly protected is likely to become publicly available, and use that mentality to weather the information age. It may take some time, but I am sure we will eventually get to a point where we can deal with this...much like I dealt with 21 years of Cleveland winters.