
PGP Blogs


Do You Have the Time?
29 May, 2007


This year marks the 60th anniversary of the creation of the Bulletin of Atomic Scientists' famed Doomsday Clock. The clock was originally conceived as a way to raise awareness of the risks associated with the unconstrained proliferation of nuclear weapons. Although it's certainly a morbid metaphor, there's no denying the Doomsday Clock has achieved its primary objective: No nation has chosen to exercise its supposed first-strike capability since the clock first appeared.

In its 60 years, the clock has been "adjusted" 19 times. The closest to midnight ("doomsday") we've been was in 1953 when the clock was set to 11:58pm on the occasion of the United States and the Soviet Union testing thermonuclear devices within 9 months of one another. The furthest from midnight to which the clock has been set was 11:43pm in 1991 when the same two nations signed the Strategic Arms Reduction Treaty. The clock was most recently adjusted in January of this year to 5 minutes to midnight in recognition of North Korea's and Iran's nuclear programs.

I mention this anniversary because I think it's an apt metaphor for what many private and public enterprises now face as they evaluate the ever-increasing threats from cyber terrorists and common criminals. Consider just three headlines we've seen in the last few months:


It's impossible to read these stories and not conclude that we're entering a new phase in the battle to protect information and the systems that contain it. The difference between this war and the one predicted by the Doomsday Clock is that each company, institution, and government will have to face its own privacy doomsday if it doesn't take action now to prevent it.

As I've observed before, protecting confidential information in the current environment requires vigilance in protecting both the systems we use to process information and the information itself. I won't rehash those arguments here, but I will point you to a resource focused on how to best protect confidential information in an increasingly dangerous world.

The Jericho Forum has been championing the idea of what they term "de-perimeterization" for a number of years. The basic idea behind de-perimeterization is that no matter how good your firewalls are and how well you manage them, you can't completely protect confidential information because it now resides on so many devices outside the perimeter. In fact, the level of protection offered for those devices that do sit behind firewall devices is also diminishing with time. To do business today, you have to open ports in even the best firewalls, and that flow of transactions is inevitably accompanied by attacks. Eventually, one or more of those attacks will succeed, as TJX and others have so painfully learned.

The security experts at the Jericho Forum are much more knowledgeable and articulate on these issues than I am, and I'd encourage anyone who is a serious student of cybersecurity to become familiar with their materials. If you only have time to review one document, check out the Jericho Forum Commandments. It's only two pages, and I guarantee it will open your eyes about how best to protect confidential information.

As the number and types of devices containing confidential information continue to proliferate (BlackBerry® devices, mobile phones, MP3 players, and even satellites), security experts in all enterprises need to consider what new threat models they face when only a fraction of their existing IT devices have firewall protection. Those that don't begin thinking seriously about this issue now will start to hear their own doomsday clocks ticking ever louder.

- Phil
