The End of Trust?

A colleague and I attended the Trusted Computing Conference the week of Sept 9th in Orlando, Florida.  WinMagic had a demo pod in the Trusted Computing Group’s booth where we showed SecureDoc booting Windows 8 while managing an Opal SED with UEFI Secure Boot enabled.   More interestingly, we demonstrated PBConnex Autoboot securely retrieving the credentials to unlock the drive from my colleague’s SES server running in Kansas City.  It was a pretty impressive demo (well at least I thought so anyway).

The TCG was a sponsor for the conference but it wasn’t hosted by the TCG. I have attended similar conferences in the past organized by the NSA but this conference was very lightly attended by government types, especially the NSA due to “travel restrictions”; nevertheless, there were lots of good sessions and many informative topics.  When I asked my colleague what I should write my blog about he said, “Write about what everyone is talking about in the hallways.”  That is, the NSA surveillance programs that have come to light, bit by bit, over the last few months.

There is no way I could do that whole topic justice in a short blog but I did detect some irony in a conference with the word “Trusted” in the title whose opening keynote speaker was NSA IAD Director, Debora Plunkett.  She opened with a presentation on principles, standards, and COTS-based security.

Hallway conversations that followed included:

  • Did the NSA really convince NIST to publish a weak random number generator standard with a backdoor?
  • Is the NSA really tracking all the meta-data for every communication?
  • Is that okay or can the NSA derive more from Peta-bytes of meta-data than the actual data anyway?
  • Meta-data aside, is the NSA really breaking RSA-based symmetric encryption for communication real time and looking at the actual data?
  • Are the big internet, cloud, operating system, software and chips vendors complicit in this endeavor?
  • Are other governments, including Canada, in on this too?  They just didn’t get caught yet?

I don’t know how to gauge how real these concerns are but “trust” has definitely been weakened.  The irony was summed up quite nicely in the closing keynote titled, “Trust Is a Linchpin, Once Removed the Wheels Fall off the Cart,” by Richard Stiennon.  The gist of it is that we have now openly entered into the era of the surveillance state and with this loss or betrayal of trust things are going to change a lot in the next decade.  Spending on IT security will increase 10 fold as stakeholders work to re-establish trust with new algorithms, infrastructure, products etc.

So, in summary, my world view has changed a bit.  I used to think that I worked in a maturing industry where there would be an ever increasing reliance on the ‘built-in security’ in the OS, hardware and infrastructure (that view never extended to the Cloud).  Now I think, in historical terms, we are just at the very beginning of the effort to bring true trust to information security and that we all are going to have to pay a lot of attention to the OS, hardware, infrastructure and software that we use daily for a long while yet.

Previous Post
Protecting the US Cloud Industry and their Customers
Next Post
Keeping the random in RNG