Aegis Paper Series

Flat Light: Data Protection for the Disoriented, From Policy to Practice

By Andrew Burt, Dan Geer
Thursday, November 29, 2018, 10:00 AM

Flat light is the state of disorientation, feared among pilots, in which all visual references are lost. The effects of flat light “completely obscure features of the terrain, creating an inability to distinguish distances and closure rates. As a result of this reflected light, [flat light] can give pilots the illusion that they are ascending or descending when they may actually be flying level.”

This is the state of information security today.

Attack surfaces have expanded beyond any organization’s ability to understand, much less defend against, potential adverse events. Common interdependencies, once assumed secure, are not, rendering entire protocols, infrastructures, and even hardware devices susceptible to exploitation.

So large is the deluge of potential security threats that a new phrase has entered the lexicon of information security professionals: “alert fatigue.” One 2015 study, focused on malware triaging efforts at over 600 US organizations, found an average of 17,000 alerts generated per week, with only 4 percent of those alerts ever investigated. And that’s just malware alerts. The information we have at our disposal about our vulnerabilities does little to mitigate them.

The problem, then, for information security practitioners and policymakers—including government officials, lawyers, and privacy personnel—is one of bearing. When you don’t know where you’re going, all directions are equally useless. We simply do not know what to focus on, how to spend our energy, what precise regulation is called for, or how to significantly disincentivize would-be attackers.

But this state of affairs has not always been the case.

While under siege since its earliest days, the world of information security has always had reference points—or ground truths—that, like physical features in a landscape, have served as guides to practitioners and policymakers alike. These reference points, which we detail below, provided at least a modicum of bearing to those engaged in data protection.

As the aggregate state of information security has deteriorated over time, however, features of this landscape have eroded under the pressure of a changing environment, rendering past reference points either unhelpful (at best) or disinformative (at worst).

Flat light is now upon us.

We aim, in this paper, both to explain how we arrived at this situation, at least in part, and to suggest a path forward.