Security should protect people, not exploit them

Digital Security technologies underpin every part of the modern world. Whether it's an email address or national infrastructure, the underlying principles and technologies remain the same.

It is important that these technologies are used for the good of people and are not exploited or undermined - whether by governments or others. At PI, we know that none of these technologies or design decisions exist in a vacuum. We want a world which is safer for everyone, and at the heart of this are technologies which are secure by default.

What is the problem?

Companies and governments build systems, devices, networks and services that generate and accumulate vast data stores without proper regard to risk, security, or data minimisation. Because it is cheap to connect devices to the internet, every conceivable thing is being connected to the internet without regard to security. Governments’ surveillance ambitions, industry’s voraciousness for data, and their shared disregard for data security are increasing the attack surface and making us all vulnerable.

Whether it is companies undermining security for profit, governments passing laws to make maths illegal in the name of 'national security', media organisations demanding someone do something, or the perpetual leaks of highly personal data, security technologies are under constant attack.

What is the solution?

Protecting and defending individuals, devices and networks should form the basis of any cyber security strategy. Individuals, devices and networks are interlinked and interdependent. Defending security means securing all three, simultaneously. Examples of security failures across all three domains are evident in almost every major cyber-attack. 

If, as a society, we are to have a hope of protecting both our privacy and our security when using technology, networks must be secure by default, from the start. Good network security means reducing the attack surface and then allowing the right people through the right devices to access the right services on a network, and keeping everyone and everything else out. Protecting and defending a network can mean protecting a home Wi-Fi network, a company’s intranet, a telecommunications network accessed by the public, a bank’s network, an industrial control system (ICS) in a factory, or a nation’s critical infrastructure, such as a power grid. 

We need to push back against the false narratives around security, showing that there are no safe ways of having “secure backdoors” and that there never can be technical solutions to social problems.

There's so much to worry about that we can sometimes end up feeling stupid or powerless. We need to help people to understand threats, appreciate risk, do analysis, and make hard decisions.

What PI is doing.

PI is taking a multi-disciplinary approach to its strategic interventions on cybersecurity.

Exposing harm and demanding change from companies and governments: We work to understand emerging technology and to consider how existing legal definitions and frameworks map onto technology. We work closely with our partners to stand in the way of laws and systems which will ultimately reduce the safety and security of whole populations.

Building knowledge to enable action: The last three years at PI have seen a shift in the way we see and engage with technology and security. We have built ThornSec, software which automates the deployment, testing, and auditing of internal and external services, and we have articulated our thoughts around what Digital Security looks like, acknowledging that Security requires more than just "Use Signal, use Tor".