Digital security, like everything else in 2020, was focused on two issues: the COVID-19 pandemic and the US general election. Product and standard advancements were couched in terms related to both. Major political efforts were dedicated to resolving security issues, and those efforts complicated both issues. In some cases, major concerns were seemingly resolved and new concerns arose, while in others things got worse.
Widespread citizen surveillance overlapped both human rights and pandemic issues early in the year, as digital tracking and facial recognition were major concerns in the news. Several speakers at the TechnoSecurity Conference in March, however, discounted the pervasiveness of government surveillance technology. Facial recognition technology has proven useless, according to several law enforcement representatives, and even the FBI revealed that its fingerprint database covered only a fraction of the world's population (less than 10 percent of US citizens). But Rex Lee, senior analyst for Texas-based BLACKOPS Partners, warned that corporations like Apple, Microsoft, and Google were actively collecting location data on citizens through municipal infrastructure like traffic lights and security cameras, a potential privacy issue, especially in light of concerns from human rights organizations like Black Lives Matter, which came into sharp focus about the same time.
But March also saw the rapid advancement of the pandemic, making the possibility of tracking potential virus carriers a priority. By May of 2020, multiple apps were being put on the market in the hope of automating contact tracing, but there were so many options, and so much concern that the data would be improperly used, that the technology never got off the ground.
Corporate/government surveillance took a back seat in June as the US general election took center stage. Since the 2016 election there has been a tsunami of investigations and documentaries about the technological weaknesses of the US patchwork of election systems. Security journalists like Kim Zetter warned that 2020 could be the most vulnerable election ever, but something strange happened. A pandemic forced the US to do what many countries have done for a long time: focus on paper ballots, hand counting, and plugging holes in outdated election systems. Court cases required the weakest county systems to completely retool.
By the time early voting started, the US had gone from having among the most vulnerable election processes to one of the most secure, according to Chris Krebs, former United States Director of the Cybersecurity and Infrastructure Security Agency. Krebs first predicted how secure the systems would be in a talk at the Black Hat Conference in August. He confirmed his position two weeks after the election, much to the displeasure of his boss, President Donald Trump, and was summarily fired. It is not inconceivable that, without the pandemic, the warnings between 2016 and 2020 might never have been addressed.
The security concerns of the 2020 election brought digital security to the forefront of the Western world’s attention and the buzz phrase “zero trust” went from tech company lip service to an actual technology feature. And for good reason. The biggest problem in digital security is not technological but human. People just didn’t want to make the effort to keep their data secure.
The UK Information Commissioner’s Office reported in early 2020 that 90 percent of data breaches were due to human error, up from 61 percent in 2017. On the positive side, Verizon’s 2019 Data Breach Investigations Report (DBIR) found human error in employees to be the source of 21 percent of breaches. While the latter is still very high, at least within the corporate world there is more effort being dedicated to security protocols than in the general public. That low number, however, is more likely due to corporations spending most of the money budgeted for tools and services.
There was no lack of new products going on the market in 2020 targeted at corporate use. From Tosibox in Finland to Airgap Networks in California, the common sales metric was “we are in use in members of the S&P 100,” paired with a marketing description of “zero trust” technology, generally based on an artificial intelligence component to screen out potential attackers. The general public, however, is blocked from using the latest tools due to cost and a lack of understanding regarding implementation and use. Hence the discrepancy between the corporate and public market sectors.
The discrepancy is being dealt with on a government level with new laws and regulations. The European Union’s General Data Protection Regulations (GDPR) and the California Consumer Protection Act added a level of complexity to simple web surfing by adding a pop-up form on websites in both jurisdictions. Most people choose to click on “accept” without making any restrictions on the site, but enough people have modified their permissions to actually damage the collection of personal data that Facebook and Google use to sell advertising.
But in the November election (there’s that connection again), California voters put significant teeth into the years-old CCPA to establish a bureaucracy to investigate violations and impose hefty fines for them. The GDPR is imposing similar penalties. Advertising and marketing firms are still trying to figure out how to deal with the restrictions, and Google is already seeing a financial bite from the changes. More importantly, the measures have taken responsibility for security out of the hands of personal users to a small degree.
In retrospect, we are still in a pandemic and politics is a disgusting mess, but we actually are seeing progress in the digital security area.