
Flat Light: Data Protection for the Disoriented, From Policy to Practice

Andrew Burt, Dan Geer
Thursday, November 29, 2018, 10:00 AM

Flat light is the state of disorientation, feared among pilots, in which all visual references are lost. The effects of flat light “completely obscure features of the terrain, creating an inability to distinguish distances and closure rates. As a result of this reflected light, [flat light] can give pilots the illusion that they are ascending or descending when they may actually be flying level.”

This is the state of information security today.

Published by The Lawfare Institute
in Cooperation With
Brookings


Attack surfaces have expanded beyond any organization’s ability to understand, much less defend against, potential adverse events. Common interdependencies, once assumed secure, are not, rendering entire protocols, infrastructures, and even hardware devices susceptible to exploitation.

So large is the deluge of potential security threats that a new phrase has entered the lexicon for information security professionals: “alert fatigue.” One 2015 study, focused on malware triaging efforts at over 600 US organizations, found an average of 17,000 alerts generated per week, with only 4 percent of such alerts ever investigated. And that’s just malware alerts. The information we have at our disposal about our vulnerabilities does little in the way of mitigating them.

The problem, then, for information security practitioners and policymakers—including government officials, lawyers, and privacy personnel—is one of bearing. When you don’t know where you’re going, all directions are equally useless. We simply do not know what to focus on, how to spend our energy, what precise regulation is called for, or how to significantly disincentivize would-be attackers.

But this state of affairs has not always been the case.

While under siege since its earliest days, the world of information security has always had reference points—or ground truths—that, like physical features in a landscape, have served as guides to practitioners and policymakers alike. These reference points, which we detail below, provided at least a modicum of bearing to those engaged in data protection.

As the aggregate state of information security has deteriorated over time, however, features of this landscape have eroded under the pressure of a changing environment, rendering past reference points either unhelpful (at best) or disinformative (at worst).

Flat light is now upon us.

We aim, in this paper, both to explain how we arrived at this situation, at least in part, and to suggest a path forward.


Andrew Burt is managing partner at bnh.ai, a boutique law firm focused on artificial intelligence and analytics, and chief legal officer at Immuta.
Dan Geer has a long history. Milestones: The X Window System and Kerberos (1988), the first information security consulting firm on Wall Street (1992), convenor of the first academic conference on mobile computing (1993), convenor of the first academic conference on electronic commerce (1995), the “Risk Management Is Where the Money Is” speech that changed the focus of security (1998), the presidency of USENIX Association (2000), the first call for the eclipse of authentication by accountability (2002), principal author of and spokesman for “Cyberinsecurity: The Cost of Monopoly” (2003), co-founder of SecurityMetrics.Org (2004), convener of MetriCon (2006-2019), author of “Economics & Strategies of Data Security” (2008), and author of “Cybersecurity & National Policy” (2010). Creator of the Index of Cyber Security (2011) and the Cyber Security Decision Market (2012). Lifetime Achievement Award, USENIX Association, (2011). Expert for NSA Science of Security award (2013-present). Cybersecurity Hall of Fame (2016) and ISSA Hall of Fame (2019). Six times entrepreneur. Five times before Congress, of which two were as lead witness. He is a Senior Fellow at In-Q-Tel.
