We can no longer rely on technology providers to protect the integrity of our personal data republics
Individuals will have to become their own chief security officer – finding a way to manage and control access to all of their digital assets, cloud services, social media profiles, personal communications and private devices. As our personal digital universes expand exponentially, so will the necessity of controlling our data and digital identities.
In a corporate setting, most organisations have a chief security officer, reporting to the CIO or the board, whose job it is to make sure all of the digital assets of that company are secured and protected. Now, a similar role is required of each of us – managing the security, data and access to our personal devices and digital services.
In 2020, we will shift from being mere consumers of data and digital services, to managers of our little digital personal republics. These are filled with devices that need rebooting, operating systems that require updating, and passwords that need to be managed.
If you think this doesn’t yet apply to you, look around. According to Gartner analysts, the number of connected devices across all technologies will reach 20.6 billion by 2020. Earth will be home to twice as many digital devices as human beings – and that trend is only going to continue. This isn’t just happening in faraway data centers and up in the cloud – but in our homes.
Think about it: at home, do you have more digital devices, or family members and pets? Unless you tend an ant farm, chances are the answer is: more digital devices. Who is the caretaker of your digital zoo? If the answer is no one, it must be you. When was the last time you updated the operating system of your WiFi router, or cycled through your cloud folders to make sure those family photos are only shared with your family?
We may expect technology providers to share at least some of the burden of protecting our devices, but that may not be the case. New laws coming into force are now giving more responsibility, and power, to consumers. In the US states of California and Oregon, legislation coming into force in 2020 will mandate that any “connected device” sold (or even marketed) has a unique password. There are many good reasons to force such changes: in 2016, hundreds of thousands of home and office devices were remotely hacked by the Mirai worm, which used default passwords, leading to one of the worst distributed denial-of-service attacks and taking down many high-profile US and European websites.
In California law, a connected device is “any device that connects directly or indirectly to the internet and has an IP or Bluetooth address”. In Oregon, the legislators focus specifically on those devices we bring into our homes: “any device or physical object that connects directly or indirectly to the internet and is used primarily for personal, family or household purposes”. These laws will influence future home devices and gadgets, even those not yet invented, and are expected to inspire similar legislation across the world. In 2020, individuals will take on the role of chief security officer in their daily lives.
In the UK, a bill drafted by the MP Margot James, until recently minister for digital policy, recommended that consumers choose electronic products that are labelled secure by design, in order to “help consumers identify products that have basic security features and those that don’t”. It remains to be seen when the bill will become law, but the consultation process is already influencing decisions made by device manufacturers and retailers.
In the US, the California Consumer Privacy Act also comes into effect in 2020. This empowers Californian consumers to see all the information a company may have gathered about them, as well as a full list of all the third parties that data is shared with. Critically, the law allows consumers to sue companies if the privacy guidelines are violated, even if there is no breach – empowering California consumers to become watchdogs over their own data.
Depending on how proactively paranoid you are, your internal security officer may schedule yearly, if not quarterly, reviews of online security: pruning outdated accounts, periodically removing sharing privileges from cloud services, and updating passwords on a regular basis, with a monthly budget allocated to spending on VPN subscriptions and other security tools. In 2020, becoming the chief security officer of your own life will become not just acceptable, but necessary.
Keren Elazari is a senior researcher at the Tel Aviv University Interdisciplinary Cyber Research Centre