June 2024 Security Topic - Digital Blight

There is a curious debate with some history behind it in the Information Technology and Cybersecurity worlds. It's not about quantum computing, artificial general intelligence, Internet of Things (IoT), wearable technology, augmented reality, or anything developing now or in the future. The debate is really about the past. A problem that cropped up in 1961 at the Massachusetts Institute of Technology (MIT) (Nachreiner, 2018).

Back then computers were rare and expensive. Students and researchers had to share, and MIT used an application called the Compatible Time-Sharing System (CTSS) to manage the sharing. While CTSS managed the time allocations of the users, it did not prevent users from accessing the files and resources of everyone else (Nachreiner, 2018).

The concepts of computing and computers date back as far as 200 BC (Barfield, 2020). But there was never any detailed consideration for privacy, separation, and ownership. The primary focus of mechanical and digital computing was performing calculations and ideally doing it better than human computers. Computers were not generally designed to be secure from the very beginning and throughout their development.

Passwords, firewalls, anti-virus applications and all these things came later. They are not inherent in how computers work. They have limited security incident prevention value on their own. This point is made wonderfully by the American cryptographer Bruce Schneier at the Black Hat Conference in 2000 (Schneier, 2013). Even though his talk is 24 years old, it still provides a great deal of insight into this problem.

Armed with that context, onwards to the controversial question. Should we remove old user accounts? Such a simple but shockingly divisive question. The field of Information Technology answer is to keep the accounts just in case often because the related human resources and business processes are not clear. Once user accounts are fully deleted, they can't be recovered. It's a better-safe-than-sorry approach. The common consensus among IT practitioners (at least the ones I have met in my career) is often that there isn't much harm in keeping them.

From the Cybersecurity perspective old accounts can be high risk. Disabling and deleting them is critically important. The professional field often proclaims this as established truth, but it's often not accepted as such. It's in every standard (Joint Task Force Interagency Working Group, 2020) and recommendation from security firms (Steel, 2023) and government agencies (Cyber Essentials, 2020).

Often because these related fields are so technical and complex, we rely on metaphors to communicate ideas in ways that are easier to understand. Part of the reason this issue is not fully understood could be that practitioners incorrectly feel it is self-evident and obvious. We then don't put the work into describing this problem with the appropriate metaphors. This lack of understanding then leads to major cybersecurity incidents such as the Colonial Pipeline hack (Novinson, 2021).

A good metaphor for this problem may be the issue of vacant commercial and residential properties. People and businesses construct buildings to meet their needs. But then over time they move on, nobody buys those buildings, and they sit vacant for many years. Eventually they can decay to the point of presenting a public safety issue. Then they need to be demolished. This resembles the life cycle of user accounts and digital resources very well.

While nobody is actively using a vacant property, it's still there in the community. It needs to be protected from vandalism and theft of contents by police, periodically inspected for fire safety by the fire department, and supported by a public works department (Vacant and Abandoned Properties | City of Batavia NY, 2015). Local governments can spend millions of dollars on supporting and maintaining vacant properties and the often complex issues related to them. It's difficult to even identify how many vacant buildings there are because of the many different reasons for vacancy and the lengths of time involved (Vacant Properties Growing, 2011). Paradoxically, a vacant property may exist for a long time even though no one wants to buy it. Nobody wants them, but nobody wants to pay to tear them down. They are essentially rejected by the market where the most cost-effective choice may be abandonment. Ultimately the public bears the cost and deals with the consequences of that decision (Gordon, 2008).

In 2009 a survey was conducted in Detroit which indicated that a third of the city was vacant land and abandoned buildings. Abandoned spaces provide opportunities for criminal activity but how much and what kinds can be difficult to measure (Raleigh & Galster, 2015). Activities in abandoned spaces are not very well tracked (Vacant Properties Growing, 2011). A term frequently used for vacant properties and the problems they cause is blight (Vacant and Abandoned Properties, n.d.). We can then say that a third of Detroit suffered from this blight in 2009.

Unlike a city, however, we can't walk through our digital presence and see the digital blight in our neighborhood. The streets with rows of vacant accounts and empty IT services with people squatting in them. We can't see the financial and employee resources needed to maintain support on them after everyone has left. We can't see the criminal element moving in to leverage the abandoned accounts and services. We don't observe the greater need for cybersecurity professionals to more frequently check in. We need more resources to make blighted areas safe. Digital blight is dangerous and invisible presenting risks and additional costs that many people don't always fully understand.

Hopefully armed with this metaphor we can have a different conversation about old user accounts. Computers are not secure and protected by default. We must manage the risks they present by making good decisions. The importance of disabling and deleting old user accounts and removing unused digital resources should not be taken for granted. It's not an amazing new technology invention, but it's critical to preventing and lessening the impact of cybersecurity incidents.