Alright, so probably not the best inspiration for this entry, but nonetheless it struck a chord with me when I went to see Live Free or Die Hard — Security. That is, how does one define security?
Simply put, security is not just the best encryption or the latest and greatest technology, it’s a behavior, a mindset, and an new-world understanding of risks. In the movie, the most vulnerable component in the nation’s security, is the asynchronous network and the ability to seize control of entire systems via computer and the effects would impact government forces, civilians, and result in their rise of power.
Now, I know, the movie is fiction; however, it did combine some logical ideology such as a Firesale. The idea of a firesale is to obtain control by means of chaos in freezing transportation, collapsing the economy, and disrupting government infrastructure. Certainly this is a problem with not only our country, but also others around the world as they (like us) are growing in technology reliance.
The questions to ask, after seeing some vulnerabilities in LFDH would be:
- Who manages and is directly responsible for security of a system (or a process)?
- In making global changes (e.g. not more than a 10-mile radius impact), what overrides or additional security clearances is necessary?
- Is there any AI mechanisms to detect failure and restrict to a fail-safe mode and lockout operators?
- If one or more systems are down, can your system manage itself or provide a means of alert?
- How does one verify an alert has taken place (e.g reporting scientific data, instead of a “dummy light” approach)?
- Do you utilize verifiable communications? Do all stakeholders acknowledge the risks of not using verifiable communications (e.g. Analog Radio)?
Anyhow, those were just a few questions a security analyst might ask when providing a review of a system such as our government.
Sometimes, there is no means of resolving all these questions — but if we ask the questions and provide the most reasonable solution and acknowledge all risks involved — that will make for a safer and more reliable system. I observe everyday that people are afraid to ask questions. That fear resonates in not just in large corporations, but I would only imagine it holds true in government organizations, too.
So, before you stand firm on how new and tight your security is on something; ask yourself is it really secure to all methods of attack? If not, what can be done to minimize it? And to what extent will you disclose such risks.
Finally, what is your definition of security? Or, if you want, share your thoughts on the LFDH movie in the comments below.