Exploring cyber-attacks, data privacy and risk assessment

I have mentioned several cyber attacks in one of my articles, one of which was the massive breach of a financial institution, you may wonder that some of the institutions could be so lax. But were their information security platforms poorly designed in terms of protecting the sensitive information in their trust? 

It is important to note that no matter how well an institutions platforms are designed and implemented irrespective of the huge financial investment, they will still run on operating systems and other infrastructure in which flaws are identified daily. 

Therefore, are successful cyber attacks indicative of poor privacy and security design? Based on my experience, I think not. No institution sets out to have inadequate information security. The fact that their security proves to be deficient is often based on a shortfall in risk assessment.

It is well understood that institutions should evaluate the risk to their information resources and apply suitable controls consistent with their understanding of the potential for those resources to be misused. 

But sadly, there may be a gap between the assessment and the reality. Assessments are extrapolations of known facts into potential outcomes. To the extent that imprecision leads to error, these respective institutions find themselves exposed.

For instance, financial institutions understand their information is valuable and at risk. So does the military. Yet these institutions have been severely attacked and so have military systems. Surely no one thinks that entities such as these are incapable of designing security—and by extension privacy—into their platforms. Someone was simply able to exploit a shortcoming that a risk assessment did not and could not identify in advance.

So, how did these weaknesses get there? Perhaps from experience you would find that security was designed properly but not implemented well. Implementation and execution must compliment each other equally where possible, but again in reality complete implementation of information security is impossible. No matter how well an institution’s platforms are designed and implemented, they run on operating systems and other infrastructure in which flaws are identified daily. If there were to be a zero-day attack, how could any institution be faulted for failing to anticipate and prevent it?

Even if perfect implementation were possible, perfect execution cannot be, because execution relies on imperfect human beings.

Security platforms that undergird privacy will never be definite because the world contains too many weak links and existing vulnerabilities, not to mention the unscrupulous among us. Errors will occur and personal information will be disclosed because of failures of trust as well as deficiencies of information security.

From another viewpoint, as evidenced today there is tremendous pressure to get software to the market as quickly as possible.

The pressure of the market leads to poor privacy over personal information. As users we are drawn to all sorts of software upgrades say from our mobile phones. As it is, too much software is delivered frequently that does not do what it is supposed to do, followed by several patch updates and so on.  It is therefore probably too much to ask that it does not do what it is not supposed to do. 

It is not only commercial software that makes privacy by design difficult to implement and execute. Agile development, so popular these days, creates challenges in complying with privacy requirements. 

In my opinion, Agile undervalues documentation, which makes it difficult for auditors and privacy specialists to determine whether and how privacy has been designed into a platform. While I am not saying that Agile is the enemy of privacy, I do believe that it is one more factor that mitigates against implementing adequate privacy in the consequent platform development.

Crus Barigye, director of ICT systems and security at the Financial Intelligence Authority of Uganda