Scuttlebutt – Musings about the Energy Cost of Information Security
[Of course, this is the August 2022 article from the DeepSec Scuttlebutt mailing list. We publish the postings one month later on our blog. For timely scuttlebutt, please subscribe to the mailing list.]
the Summer is burning Europe and other parts of the world. The climate is changing and poses the biggest challenge to all aspects of our society. And this is without other man-made catastrophes, such as war, lack of raw materials, logistics, health protection, and many more trouble spots. DeepSec is about information security, so I will stick to the digital parts of the story. There are already too much “experts” on social media. No need to add more. Have you ever wondered what amount of energy is used for digital security measures? Have you ever tried an estimate? I played with electronic kits back in the 1980s and immensely enjoyed the little photovoltaic cells one kit had included. It took three cells and a powerful light bulb (the one that produces a lot of heat and isn’t sold any more for environmental protection) to get a small electric motor running, but getting “free energy” from the sun was a revolutionary idea back then. Today it is easy to spin up a bigger virtual machine, increase the storage area, or allocate more resources if you are on a cloud platform (or use virtualisation technologies) and when you need more performance. But how much energy is consumed by every single configuration decision and active component in your infrastructure? What about the security landscape? Getting all the facts necessary for this report is difficult. Now it is too late to think about the theoretical aspects. Reality in the form of bills has caught up.
Information security, if done right or if not working at all, has superficially no impact on the daily tasks provided you are not under attack. If everything works, then no one will complain. If you are not compromised, then there is nothing to worry about. Once you ask detailed questions, things get difficult and expensive. One principle of secure coding is the statement: Keep it simple! I always spend half an hour explaining what this actually means. Security checks are never simple. Securing your code will always add extra code. Filtering documents formats and finding the malicious files is a prime example. You use a lot of checks, deploy a sandbox and observe, or do something else. Either way, you get extra code. File formats are tricky. The recent issues of the POC || GTFO magazine are published as file which are a PDF, JPG, ZIP, and a file in a fourth file format – simultaneously! There is no easy way out. However, there are ways to streamline your security architecture. The key aim is to get rid of potentially harmful _and_ useless data as soon as possible. Same goes for the code. If you start with less, then everything you have to do thereafter gets automatically easier. Why do a refactoring with 100% when your code can do everything with 80% of the code base? This is not complicated, and it is no novel approach. It is merely a step that for removing redundant security measures and reducing the fertile ground for bugs. I read about an interesting approach in a presentation about ransomware. The author started with the analysis of the principal difference between technical people and technical managers. In summary, technician want to solve problems while managers prefer to manage them. Of course, this is the bird’s-eye view of information security, but you will see traces of this behaviour in your favourite IT environment and in your organisation.
Getting back to the energy crisis, it is never too late not to use extra energy. Switching to dark mode on the screen is a small step, but there is more. When the call for papers of DeepSec started back in February, I was inclined to put the topic “green information security” on the topic list. I didn’t do it, because the world of IT is full of meaningless buzzwords and marketing terms. Unfortunately, Green IT is one of these terms, at least in a lot of published materials about it. In retrospect, I think it is about time to put the meaning back into it. How about using “green IT security”? Can you do more with less? If so, let’s have a talk at DeepSec 2022.