I was chatting to some folks during the week about the huge number of data breaches floating around out there and this classic line from Donald Rumsfeld popped into my mind:
“Reports that say that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don't know we don't know.”
In that somewhat obscure paragraph he was talking about terrorism, which is clearly a very different can of worms, but it struck me how much this resonates with the current state of online security. We have a bunch of “known knowns”; that is, there are many security incidents that have hit the headlines and made mainstream news: Adobe, TalkTalk, Ashley Madison and so on. The can has been opened, the worms are everywhere and we’re now in recovery mode.
Then there are the “known unknowns”, being all the organisations that had incidents but couldn’t quite put their finger on how bad they were at the time. LinkedIn and Dropbox are perfect examples; they had serious events occur way back in 2012 but they didn’t know the scope of them then. Of course, they’re now “known knowns” courtesy of the data being spread all over the web, but they went for years as “known unknowns”.
But it’s that final class Rumsfeld commented on that really got me thinking – the “unknown unknowns” or, in other words, the things we don’t even know we don’t know. We just have no idea how many serious incidents are out there, and I’m not talking about things that will go wrong in the future, rather things that already have and are just yet to surface. Every now and then I get a little inkling of this when I talk to people who say things along the lines of “you have no idea how many data breaches are out there that you’ve never even heard of”. And they’re right, but equally, neither do they, because the reality for all of us is that there are untold “unknown unknowns”.
But as much as that worries me, it also excites me. I wake up every day, grab a coffee and sit down to read the events of the night with absolutely no idea what I’m about to see. Such is the nature of the industry that it could be anything from a state-sponsored hack to webcams DDoS’ing us to a major vulnerability discovered in our cars. 2016 was full of unprecedented events that we simply never saw coming and, as I wrote a couple of weeks ago, it was the year we realised how little we know. I have no reason to believe that this year will be any different.
The simple fact is, when it comes to security, none of us know just how much we don’t know.