Another day, another raft of emails from online service providers prompting me to update my passwords. My inbox currently resembles a triage unit trying to clamp the impact of Heartbleed. Both professionally and personally, I'm receiving email after email on the topic. In many respects, it's a timely wake-up call to the many millions of people still using the same childhood password for all their online services. It's also a prescient reminder about the vulnerability of our data and the networks we depend so heavily upon.
Over the past few months, I've spent a lot of time talking to experts about network security, specifically in regards to data transport. With almost every discussion, I found one thought repeatedly ringing out like a clarion call - how can networks be so vulnerable? And I'm not referring to just a few networks here and there, I'm talking about an enormous number on a global scale. These networks often belong to businesses that are dependent upon the integrity and safety of their mission-critical data. Businesses that would suffer enormous financial losses if their networks were found to be susceptible to security breaches.
This is nothing new. It's been this way for many years. The only change here is the public's growing awareness around the topic. In this respect, Heartbleed is like the proverbial wrecking ball. People are suddenly talking about data security and network integrity along with plans for the weekend and dinner recipes. The awareness here has been raised beyond any measure. What's more, it's just the start. It's not unimaginable to expect people to start asking online service providers what security measures they have in place before signing up. In fact, this is something that should be wholly encouraged.
But as I alluded to earlier, the problem of data security is more endemic than you may initially think. Increasing security and patching vulnerabilities around servers is one thing, but it's not the endgame. What is yet to be discussed en masse is the weakness around data transportation through the networks themselves. What's happening to the data in the fiber? Is it safe? Is it secure? Has it been intercepted? Do the businesses that we trust with our data, with our money, even know the answer to this? Do they know if their networks are intact?
What amazes me is how easy it is to tap into a network. To surreptitiously intercept data as it passes along fiber networks without anyone knowing. How can people not know? How can alarms not be triggered as soon as a fiber is compromised? The answer is simple. When an intruder uses an optical coupling device to intercept data on a fiber, they are not severing the fiber, they are not stopping the flow of data. They are merely bending the light and extracting the data. Think of it as eavesdropping on a conversation and recording all the details.
You may think such an operation would require military-class technology. Again, no. You can buy fiber optic coupling devices easily online. What's more, they're inexpensive. With this device you have the makings of your own eavesdropping tool. Search for the topic online and you'll even find instructions on how to do it. There's no mystery to this process and yet many businesses appear to be in denial as to their vulnerability. Content to adopt a wait-and-see approach as opposed to proactively developing a robust data security plan.
Part of the reason for this stance must surely be the lack of media attention around fiber tapping. Yes, there have been a few high-level fiber-tapping cases reported but these are sporadic and unsustained. Outside of the NSA and GCHQ's suggested fiber tapping in 2013, the last criminal report to hit the headlines dates back to the early 2000s. Although it's important to note that just because a story isn't featured in the media, doesn't mean that it's not continuing to happen outside of the public eye.
Looking at data from some of the encryption experts at ADVA Optical Networking though, it does appear that things may slowly be changing. One expert suggested that sales of encryption technology for data center interconnects have increased by over 50% in the past couple of years. In fact, he expected this figure to increase further in 2014, specifically as encryption technology becomes available at higher line speeds.
What's clear is that we're at the start here of a mass movement for greater data security. The momentum surrounding Heartbleed will surely continue to gather pace as people start to seriously question what's at risk here. The key question is how we ensure that every aspect of network security is as robust as it can possibly be.
What are your thoughts here? Do you believe that your data is safe? Are you happy with the measures that online service providers are using? Should they be more transparent as to the security measures they use? Let me know what you think.