Lock the virtual door and encrypt the key: That’s been cybersecurity’s chief modus operandi to date. But as law enforcers know, no lock ever invented has been completely secure. From padlocks to passcodes, each new method of protecting our valuables only serves as a challenge to those determined to steal from us.
As breaches proliferate — a record high number in 2014, and it’s expected to increase even more in 2015, according to digital security company Gemalto’s report “2014: Year of Record Breaches and Identity Theft” — cybersecurity professionals are trying new approaches to protecting data: adding layer upon layer of controls, for instance, like barring entry to a high-security building with multiple doors; and segmenting data to mitigate losses should a breach occur. But what if we could tie security to the information itself, keeping it in our control at all times?
Right now, when cybercriminals gain access to our data, it belongs to them for good. Tracking it is an uncertain art; retrieving it is impossible. Without our permission or even our knowledge, the hackers can use our information to make purchases, withdraw cash from our bank accounts, profit from our trade secrets and more. If sold on the “darknet,” our stolen data might be seen and used, unauthorized, all over the world.
But what if we could find out instantly where our data goes, prevent it from being forwarded, and even call it back to us, as though we held it on a leash?
One of the most popular sports in ancient and medieval times was falconry, using birds of prey to hunt. To tether the birds during training and between flights, falconers tie “jesses,” or leather restraints, to their legs. Once released, any birds that don’t return can be tracked via bells or, today, radio transmitters.
Think of the possibilities if we could do the same with our data, keeping it close to us by means of digital tethers and, should it fly or be spirited away, tracking and retrieving it with ease. We already have the means to track goods, pets and people — why not information, as well?
A digital trail
One of the most popular “tracking” tools, GPS, helps us find our phones, keys, pets, destinations and more. Police use it, too, to catch thieves, such as robbers stealing oxycodone. In New York City, a drug store heist may include a “decoy” bottle or two equipped with GPS sensors that lead law enforcement to the thieves.
How could we track our data in like manner, using GPS-like technology to lead us directly to the thieves who took it, and even mapping its precise location? Surely such a system would help capture cybercriminals, who are, at present, notoriously difficult to identify.
In fact, data-tracking technology is already here. Digital watermarking, used primarily for copyright protection and identity authentication, is being touted by some as the next big thing in information security. In one data-tracking experiment, watermarking code was added to a spreadsheet containing a phony list of names and personal identifying information. When thieves opened the spreadsheet, the code sent an alert to the list’s originators, telling them who downloaded the information, and identifying the device and its location.
For our eyes only
Of course, tracking alone is not always enough to keep our information from being used or sold, especially if the thieves are working beyond our country’s jurisdictional boundaries. But digital watermarking also may prevent unauthorized manipulation of data, a growing concern, and enable remote “wiping” of devices containing the stolen information.
Some question the legal implications of destroying all data on a device that someone else owns — a legitimate concern. But today’s data-tracking ventures offer exciting possibilities for cybersecurity’s future. What if, a la James Bond, we could cause sensitive data to self-destruct during an unauthorized attempt to open it? Could we program our files so that, after a certain number of failed attempts at authentication and/or access, they vanished from a device, ”exploded” into meaningless gibberish, or, like a homing pigeon, flew back from whence they came? We are only steps away, it seems, from the ability to leash our data, putting cybercriminals in a virtual bind, as well.
When our valuables and loved ones are threatened, we tend to draw them close, to protect them from harm. Now that our data has become essential to our lives and business, what if we could do the same against the rising threat of cybertheft? Locks are a necessary first deterrent, but when they fail, chains might be in order — the virtual kind, tying our data to our devices inextricably, and giving us unprecedented control.
JR Reagan is the global chief information security officer of Deloitte. He also serves as professional faculty at Johns Hopkins, Cornell and Columbia universities. Follow him @IdeaXplorer. Read more from JR Reagan.