{"id":21412,"date":"2023-03-06T10:30:07","date_gmt":"2023-03-06T18:30:07","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2023\/03\/06\/news-15143\/"},"modified":"2023-03-06T10:30:07","modified_gmt":"2023-03-06T18:30:07","slug":"news-15143","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/03\/06\/news-15143\/","title":{"rendered":"Maybe one day every platform will be as secure as Apple"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2020\/10\/iphone-12-face-id-100864227-small.jpg\"\/><\/p>\n<p>A look at the Biden Administration\u2019s recently updated <a href=\"https:\/\/www.whitehouse.gov\/wp-content\/uploads\/2023\/03\/National-Cybersecurity-Strategy-2023.pdf\" rel=\"noopener nofollow\" target=\"_blank\">National Cybersecurity Strategy document<\/a> seems to reflect some of the approaches to cybercrime Apple already employs.\u00a0<\/p>\n<p>Take privacy, for example. The proposal suggests that privacy protection will no longer be something big tech can argue against \u2013 companies will be required to prioritize privacy. That\u2019s fine if you run a business that does not require wholesale collection and analysis of user information, which has always been Apple\u2019s approach. The best way to keep information private, the company argues, is <a href=\"https:\/\/www.computerworld.com\/article\/3686269\/apple-marks-data-privacy-week-with-in-store-privacy-training-more.html\">not to collect it at all<\/a>.<\/p>\n<p>While that approach isn\u2019t total \u2014 you don\u2019t need to kick hard at Apple\u2019s activation servers to recognize that at least some information about you and your devices is visible to some extent \u2014 most of your <a href=\"https:\/\/www.computerworld.com\/article\/3682889\/apple-sets-a-security-challenge-for-2023.html\">personal information is not<\/a>. 
Apple\u2019s recent decision to <a href=\"https:\/\/www.applemust.com\/apple-adds-trio-of-powerful-personal-security-tools-to-protect-your-cloud\/\" rel=\"noopener nofollow\" target=\"_blank\">extend the protections<\/a> it makes available to iCloud also seems to reflect some of the commitments made in the NCS document.<\/p>\n<p>Just as App Store apps are required to disclose privacy policies and admit what they do with your information, the new security strategy is to require software makers and service providers to take much more responsibility for the security of their products.<\/p>\n<p>\u201cWe must rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses, and local governments, and onto the organizations that are most capable and best-positioned to reduce risks for all of us,\u201d explains a <a href=\"https:\/\/www.whitehouse.gov\/briefing-room\/statements-releases\/2023\/03\/02\/fact-sheet-biden-harris-administration-announces-national-cybersecurity-strategy\/\" rel=\"noopener nofollow\" target=\"_blank\">White House briefing statement<\/a>.<\/p>\n<p>Apple\u2019s reputation for creating a secure platform has always shown that it&#8217;s possible to build and maintain such platforms. And while security protection is never perfect, that the company has managed to do this at all means it is possible for any company to follow suit.<\/p>\n<p>That (and more) is effectively what the new proposals require. 
As you might expect, this is prompting pushback from some industry players as it means they will be held responsible if their software or services are found to be vulnerable.<\/p>\n<p>The <a href=\"https:\/\/www.itic.org\/\" rel=\"noopener nofollow\" target=\"_blank\">Information Technology Industry Council<\/a>, for example, seems to think these arrangements threaten the private contracts made between developers and customers.<\/p>\n<p>At the same time, as <a href=\"https:\/\/www.cnn.com\/2023\/03\/02\/politics\/white-house-cyber-strategy-regulation-liability\/index.html\" rel=\"noopener nofollow\" target=\"_blank\">CNN reports<\/a>, the proposal reflects what the US government sees as a failure by market forces to keep the nation safe. Light-touch regulation should not equate to complacency. There\u2019s also the argument that negligence isn\u2019t always the reason security protections fail.<\/p>\n<p>Aaron Kiemele, CISO at Apple-focused MDM and security company Jamf, says: \u201cAll software is vulnerable in some way to future exploitation. If a new issue arises and causes widespread impact, that doesn\u2019t mean that the software vendor was negligent. You can do everything right and still be impacted by a security incident.<\/p>\n<p>\u201cThat being said, there are plenty of old vulnerabilities that remain unpatched for years as well as companies that are truly not prioritizing security and privacy,&#8221; he said. 
&#8220;How to take the outcome (often a poor indicator of the underlying security capabilities of the company) and drive reform without this becoming a punitive punishment for a security environment that cannot reasonably be predicted is going to be tricky.<\/p>\n<p>\u201cThe most interesting piece for me continues to be that this sounds like a good-faith effort to impose appropriate liability on software companies who are not currently doing the right thing to protect their data and their customers,\u201d said Kiemele.<\/p>\n<p>\u201cIt will be nice to be held to account more fully knowing that we will be rewarded for our good practices while others in the industry will be required to do the bare minimum to secure the digital ecosystem.\u201d<\/p>\n<p>Jamf last year launched a fund to invest in <a href=\"https:\/\/www.applemust.com\/jamf-to-fund-new-apple-security-and-enterprise-startups\/\" rel=\"noopener nofollow\" target=\"_blank\">Apple-related security start-ups<\/a>.<\/p>\n<p>Apple\u2019s sturdy approach to securing its platforms may lead it to want to make a similar statement.<\/p>\n<p>Then there\u2019s the consideration around connected devices. Think back over the history of Apple\u2019s smart home solution, HomeKit, and you can see that its adoption was never as rapid as expected. Apple history watchers will know that one of the reasons for this was that Apple insisted on manufacturers <a href=\"https:\/\/www.computerworld.com\/article\/2947719\/smarthome-vendors-feel-homekit-pain.html\">meeting security standards and making use of its own silicon<\/a>. Others didn\u2019t require the same stringent protection, and we\u2019ve seen <a href=\"http:\/\/fortifyprotect.com\/HP_IoT_Research_Study.pdf\" rel=\"noopener nofollow\" target=\"_blank\">plenty of evidence of how that can be abused<\/a>. 
Even Apple abused this trust when it set Siri to <a href=\"https:\/\/www.computerworld.com\/article\/3412061\/apple-s-shock-siri-surveillance-demands-a-swift-response.html\">snooping<\/a>.<\/p>\n<p>But when it comes to national security, the vulnerabilities extend beyond home speaker systems listening in on what you say. We know Industry 4.0 is rolling out globally, even as connected healthcare systems see deployment accelerate.<\/p>\n<p>All those connected devices rely on software and services, and the move to make vendors in those spaces more responsible for those systems seems logical.<\/p>\n<p>We\u2019ve known since the <a href=\"https:\/\/www.computerworld.com\/article\/3662131\/why-industry-40-must-think-more-like-apple.html\">infamous HVAC attack against Target<\/a> how even a less-important connected system can be targeted. While no one should purchase any connected device that can\u2019t be secured or updated, neither should any manufacturer sell items with a weak passcode like 0,0,0,0 installed by default.<\/p>\n<p>Making vendors responsible for hardening those systems makes sense because we\u2019ve seen too many incidents of failure.<\/p>\n<p>The White House security proposals also look to future threats, such as the impact of quantum computing on traditional perimeter and <a href=\"https:\/\/www.computerworld.com\/article\/3689888\/for-apples-enterprise-success-endpoint-management-is-the-new-black.html\">endpoint security protection<\/a>. You could argue that Apple has some answers here, with biometric ID and its support for password-free Passkeys, but there will be many more miles to that journey, and we\u2019ve needed to move beyond passwords for years.<\/p>\n<p>But at least the proposals should mean that everyone involved in that space will be more motivated to work toward securing their products, rather than waiting for someone else to do it.<\/p>\n<p>And that is the big positive in these proposals. 
In essence, telling software and service providers to take more responsibility for security will probably drive most to toughen up. There will be glaring inconsistencies along the way \u2014 for example, is the <a href=\"https:\/\/www.computerworld.com\/article\/3686949\/us-agency-calls-apple-google-app-stores-harmful.html\">regulatory drive to force every smartphone vendor<\/a>\u00a0to support every app store compatible with the need to secure platforms and services?<\/p>\n<p>If security and privacy are so important, how is it right that Apple be forced to reduce the security and privacy of the products and services it provides?<\/p>\n<p>The National Cybersecurity Strategy doesn\u2019t have all the answers to this complex web of shifting problems, but it does offer a stronger starting point from which to move forward. Social media firms can expect a great deal of scrutiny, at last.<\/p>\n<p>It calls to mind a Steve Jobs quote that may be relevant here:<\/p>\n<p>\u201cWhen you first start off trying to solve a problem, the first solutions you come up with are very complex, and most people stop there. But if you keep going and live with the problem and peel more layers of the onion off, you can often times arrive at some very elegant and simple solutions. 
Most people don\u2019t put in the time or energy to get there.\u201d<\/p>\n<p>While there will be much work to do, the proposals do put some urgency in place for tech to accelerate its efforts to make security simple and certainly suggest the days in which laissez-faire tech firms could sell insecurity as a service are numbered.<\/p>\n<p>That\u2019s a really good thing.<\/p>\n<p><em>Please follow me on\u00a0<a href=\"https:\/\/social.vivaldi.net\/@jonnyevans\" rel=\"nofollow noopener\" target=\"_blank\">Mastodon<\/a>, or join me in the\u00a0<a href=\"https:\/\/mewe.com\/join\/appleholics_bar_and_grill\" rel=\"nofollow noopener\" target=\"_blank\">AppleHolic\u2019s bar &amp; grill<\/a>\u00a0and\u00a0<\/em><a href=\"https:\/\/mewe.com\/join\/apple_discussions\" rel=\"nofollow noopener\" target=\"_blank\"><em>Apple<\/em>\u00a0<em>Discussions<\/em><\/a><em>\u00a0groups on MeWe.<\/em><\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3689889\/maybe-one-day-every-platform-will-be-as-secure-as-apple.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2020\/10\/iphone-12-face-id-100864227-small.jpg\"\/><\/p>\n<article>\n<section class=\"page\">\n<p>A look at the Biden Administration\u2019s recently updated <a href=\"https:\/\/www.whitehouse.gov\/wp-content\/uploads\/2023\/03\/National-Cybersecurity-Strategy-2023.pdf\" rel=\"noopener nofollow\" target=\"_blank\">National Cybersecurity Strategy document<\/a> seems to reflect some of the approaches to cybercrime Apple already employs.\u00a0<\/p>\n<p>Take privacy, for example. The proposal suggests that privacy protection will no longer be something big tech can argue against \u2013 companies will be required to prioritize privacy. 
That\u2019s fine if you run a business that does not require wholesale collection and analysis of user information, which has always been Apple\u2019s approach. The best way to keep information private, the company argues, is <a href=\"https:\/\/www.computerworld.com\/article\/3686269\/apple-marks-data-privacy-week-with-in-store-privacy-training-more.html\">not to collect it at all<\/a>.<\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[2211,1328,10554,714,24580],"class_list":["post-21412","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-apple","tag-government","tag-mobile","tag-security","tag-small-and-medium-business"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21412","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=21412"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21412\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=21412"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/w
p\/v2\/categories?post=21412"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=21412"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}