People are easier to hack than hardware
On homebrew email servers, Supreme Court decisions, and the fundamental problem of taking information seriously
While it's understandable that people who haven't grown up as "digital natives" aren't well-prepared to think with a security-driven mindset, it also isn't a novel concept to expect people in positions of authority, influence, or power to realize that sometimes they need to take steps that others don't. The revelation that the Supreme Court has been operating under lax security standards for internal documents isn't necessarily surprising, but it does demand reform.
■ If bad actors want your data, it's easier to hack your people than it is to hack your hardware. This is a truth with which we need to grapple, and quickly. The evidence is overwhelming -- from the very highest echelons of government -- that people are willing to go around security policies if they believe they are beyond the reach of consequences. Unfortunately, anyone at such a level -- like a President, a Supreme Court Justice, or a high-ranking general -- is exactly the kind of person whose access makes them a desirable target.
■ This is ultimately a whole-of-society problem. If information security isn't treated as a prominent, visible priority at the top of government, then it is unlikely to be taken as a priority by the public at large. And there are consequences: Carelessness may reveal secrets better kept under wraps, and chronic under-investment in the kind of ongoing training that's needed in all kinds of environments is likely if the problem isn't recognized.
■ That, in the end, is what has to happen. There is only so much protection that can be delivered by antivirus software and clever network administration. The low-hanging fruit of information security -- the stuff that can be handled by routers and switches and the like -- has either already been plucked, or could be, given the right incentives imposed by laws and insurance policies.
■ It's the human side that remains woefully under-guarded and vulnerable as a result. It was an exceptionally stupid policy for a former Secretary of State to try to conduct government business through a personal email server out of a preference for "convenience". It was exceptionally stupid for a former President to keep Top Secret documents in a Florida resort property. It likewise is exceptionally stupid for Supreme Court Justices to use unsecured personal emails for sensitive work and leave confidential papers in poorly-controlled spaces.
■ All are part of the same problem: The failure to recognize that in the 21st Century, information really is power. And while it can't be contained perfectly, it can be contained within an acceptable level of risk -- but only if the people involved choose not to make themselves the weakest links in the security chain. So much better can be done, and so much more ought to be expected.
Microsoft guards its data centers with rows of fences and biometric security, but it can’t make the Supreme Court use secure servers.