The Cybersecurity Paradigm Is Broken. Here's How to Fix It.


The international cybersecurity problem has reached the point of travesty. From backdoors left open or even actively created by the NSA, leading to the “most devastating cyberattack in history”; to extorting bitcoin payments from mentally ill patients in the latest healthcare breach; to the SolarWinds supply-chain compromise, which gave intruders months of quiet access to its customers; and, finally, the shutting down of a major US pipeline, the scene has reached critical mass.

If the situation wasn’t so dire, it might be considered funny.

Jerry-rigged cybersecurity

There is no uniform model for cybersecurity. Disparate software vendors, fiercely held proprietary code, government agencies that are happy to keep holes open, and an industry that is machine-gunned daily by a jaw-dropping number of cybersecurity incidents all combine to bring about the mishmash of what passes for “security” these days.

Companies are so desperate that they are now even considering hiring people with no formal training to help mitigate the damage wrought by perpetrators of this veritable hacking war.

Overseers impose tougher regulations and dizzying penalties in those sectors where data protection is most essential—healthcare, financial services, and defense. But tightening the thumbscrews is only a solution if the underlying system it hopes to fix is actually fixable.

Right now, it isn’t.

Too many cooks

The problem with cybersecurity at the moment is that it’s fragmented, conflicting, and difficult to accomplish within an organization’s security policies.

Cybersecurity should be the vehicle we use to get us from one day to the next without breaches. But, instead of a vehicle, we currently have a bunch of parts that are combined differently from company to company. Worse: Each part is made by a different vendor and was never designed with integration in mind.


Exacerbating this problem is that so many cybersecurity solutions are proprietary. As Lt. Gen. Dennis Crall recently put it, “We want to avoid proprietary solutions. We want data-sharing. We want to have the ability to fuse data together in ways that are nimble, like industry does today.”

Even if an IT department does manage to assemble the various cybersecurity parts into something semi-workable, confusion ensues when one part doesn’t function properly or needs to be changed, or when key updates demanded by security policies must be enforced.

For startups, the need to enforce ever more complicated security means that a complete security solution is often relegated to the bottom of the features list in favor of getting to market fast.

It’s the 2010 SSL saga all over again.

The 2010 SSL saga: Do you remember when Twitter was so easy to hack?

It feels like only yesterday that Firesheep made headlines as a one-click method that let anyone on the same public WiFi take over someone’s Twitter session. It did nothing clever: sites sent the session cookie over plain HTTP, so anyone sniffing the network could copy it and be logged in as the victim. The flurry of controversial articles that followed—erudite discussions about whether the internet should run entirely on SSL or not (of course it should)—is laughable in retrospect.

The main argument against it? Pages served over SSL loaded slightly more slowly.

But the evidence was compelling, and the tech giants eventually capitulated to the security community’s demands. Google started defaulting to SSL, so did Twitter, Facebook, and then the rest of the web, driven by the fact that Google finally chose to rank sites that used SSL ahead of those that didn’t.
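To make the Firesheep point concrete, here is an added example (not code from the original post, and unrelated to Peacemakr’s own software). The first function does what Firesheep did: it reads the session cookie straight out of a plaintext HTTP request on the wire. The second is the check a site owner wants: does the response set the session cookie with Secure, HttpOnly and SameSite, and does it send Strict-Transport-Security so browsers never fall back to HTTP? The request, headers, host name and cookie value are all constructed for the example.

```python
"""Why Firesheep worked, and how to check that your site is not still exposed.

Added example: the HTTP request, the response headers, the host name and the
cookie value below are all constructed for illustration.
"""
from http.cookies import SimpleCookie
from typing import List, Optional, Tuple

# Constructed sample: a plaintext HTTP request as it crossed a shared WiFi
# network in 2010. The cookie name and value are invented.
SNIFFED_REQUEST = (
    "GET /home HTTP/1.1\r\n"
    "Host: example-social.test\r\n"
    "Cookie: _session_id=9f2c1d4e8b7a; lang=en\r\n"
    "\r\n"
)

# Constructed response headers: the 2010 default (cookie over HTTP, no flags)
# next to the hardened form.
WEAK_RESPONSE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "_session_id=9f2c1d4e8b7a; Path=/"),
]
HARDENED_RESPONSE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "_session_id=9f2c1d4e8b7a; Path=/; Secure; HttpOnly; SameSite=Lax"),
]


def extract_session_cookie(raw_request: str, name: str) -> Optional[str]:
    """Pull cookie `name` out of a cleartext HTTP request, exactly as a sniffer would.

    Over TLS this function has nothing to read: the whole request is encrypted.
    """
    for line in raw_request.split("\r\n"):
        if line.lower().startswith("cookie:"):
            jar = SimpleCookie()
            jar.load(line.split(":", 1)[1].strip())
            if name in jar:
                return jar[name].value
    return None


def audit_response_headers(headers: List[Tuple[str, str]], cookie_name: str) -> List[str]:
    """Return findings for the session cookie; an empty list means it is protected.

    Secure keeps the browser from ever sending the cookie over HTTP, HttpOnly
    keeps page scripts away from it, SameSite limits cross-site replay, and
    HSTS stops the browser from making the first plaintext request at all.
    """
    findings: List[str] = []
    has_hsts = False
    cookie_seen = False
    for key, value in headers:
        lkey = key.lower()
        if lkey == "strict-transport-security":
            has_hsts = True
        elif lkey == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            if cookie_name in jar:
                cookie_seen = True
                morsel = jar[cookie_name]
                if not morsel["secure"]:
                    findings.append("missing Secure")
                if not morsel["httponly"]:
                    findings.append("missing HttpOnly")
                if not morsel["samesite"]:
                    findings.append("missing SameSite")
    if not cookie_seen:
        findings.append("session cookie not set")
    if not has_hsts:
        findings.append("missing Strict-Transport-Security")
    return findings


if __name__ == "__main__":
    print("sniffed session cookie:", extract_session_cookie(SNIFFED_REQUEST, "_session_id"))
    print("weak headers:", audit_response_headers(WEAK_RESPONSE_HEADERS, "_session_id"))
    print("hardened headers:", audit_response_headers(HARDENED_RESPONSE_HEADERS, "_session_id"))
```

The audit is deliberately header-level: it is the same check you can run against a live site by feeding it the response headers from `curl -sI`, and it reports every gap rather than stopping at the first one, since each flag closes a different path to the same cookie.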

The 2010 SSL saga was fuelled by the same dilemma companies face today: They put expediency and cost-of-implementation before security. And expediency always wins—until the security breaches get so bad that companies have no choice but to pay attention.

Our culture of “Release Early, Iterate Often” can result in broken systems that are easily hacked.

But fierce competition in Silicon Valley demands early releases if startups want to stay afloat. Even when startups do want to do a good job on security, this bit-and-piece security paradigm makes it too difficult for them to do it properly and still get to market fast enough.

One-to-many attacks

Worsening the problem is the rise of “managed service providers.” These now give hackers an easy “one-to-many” approach to their targets, mowing down multiple victims through a single attack.

No incident better illustrates this than the recent hack of information technology firm Kaseya. By compromising Kaseya’s VSA remote-management product, the very tool managed service providers use to administer their customers’ machines, the ransomware group REvil was able to push its payload downstream to companies on a truly global scale. This single attack penetrated companies in 17 countries, reaching from South Africa to Canada.

The recent Fastly software bug which triggered an “internet meltdown” and brought down such megaliths as CNN, Bloomberg News, and The Guardian was not a hack. But it serves as a useful proof-of-concept: This over-reliance on central companies to provide services to so many entities makes it easier to devastate large swathes of connected companies by hitting the central service provider.

This is not to say that central service providers are a bad thing. It’s the age-old law of economics: Find or create a demand, then supply it. The problem of cybersecurity is not a problem with the basic laws of economics. It is the lack of an easy, integrated solution that does the job from top to bottom with just a few lines of code.

Meet Peacemakr—and the battle-scarred security engineers who brought it to life

Peacemakr — a holistic, turnkey, open-source solution to a company’s every data security need—is the brainchild of five battle-scarred Silicon Valley security engineers with a cumulative experience of 100 years working in top tech companies like Apple, UnifyID, VISA, Symphony, Bell Labs, and others. Together, we had built and rebuilt the core of many security systems in different companies, only to sit back and ask ourselves, “Why are we developing the core system over and over again?”

Sadly, some of the tech we worked on never made it to market because of this very problem: Lost time reinventing the wheel.

The solution was to create Peacemakr.

Cybercrime requires a solution that encompasses every aspect of the data security problem, resulting in complete end-to-end encryption every time. The solution needs to work seamlessly within the security policy framework of that data owner’s particular company.

Most of all, it should be easy, slotting into an app with just a few simple API calls. End-to-end encryption—whether you’re in music streaming or homeland security, healthcare, or social media—should be as easy as:

# Encrypt
echo "Hello Secure World" | peacemakr -encrypt

And now, with Peacemakr, it is.

We welcome you to download it, to try it, to get involved in it. Security needs to be open-sourced. We simply cannot afford the broken proprietary solutions anymore. Security by obscurity is not security at all.

Peacemakr currently has open-source SDKs for:

To become a part of this incredible solution, check out our repo on GitHub or sign up for a free account on our website.

Ready to protect your data?

Learn the most common data protection opportunities and how Peacemakr works with your infrastructure and products to stop data breaches.