October 2024 marks the 20th anniversary of Ubuntu. The cybersecurity landscape has significantly shifted since 2004. If you have been following the Ubuntu Security Team’s special three-part series podcast that we put out to mark Cybersecurity Awareness Month, you will have listened to us talk about significant moments that have shaped the industry, as well as what our recommendations to stay safe are. Some of these best practices will not be that far removed from what you would’ve heard two decades ago, but some technologies or processes could come across as unfamiliar.
For example, while the CVE program existed in 2004 (and, coincidentally, this October the program celebrated its 25th anniversary), coordinated vulnerability disclosure (CVD) was far less widespread; the NCSC started recommending
Watershed moments
Over the years, a number of incidents have provided eye-opening moments that emphasized just how much of an impact security breaches can have. It’s difficult to pinpoint one single example that changed the industry’s course, but professionals would struggle to forget the difficulties that shook Yahoo and its users in 2013-2014. Possibly still the largest data breach in history, it highlighted just how fragile passwords can be as an authentication technology. For affected people, it put the spotlight on how their online identities could be abused.
The landscape changes
Since then, security professionals have succeeded in making people around the world significantly more aware of online threats. We have collectively developed tools that are robust, comprehensive and easier to use, all the while starting to formalize this domain with mathematical rigor. Human-friendly passkeys are certainly worth mentioning – they have both the potential to reduce the impact of password data breaches, such as the aforementioned Yahoo incident, as well as provide a slick experience for the end-user. A myriad of other technologies offer protections at the click of a button, from containerized applications to fine-grained access control through Linux Security Modules, such as AppArmor. Enterprises, large and small, can rely on well-defined, yet flexible, security frameworks and standards, such as the CIS Critical Security Controls, NIST’s Cybersecurity Framework, ISO 27001 or the card payment industry’s PCI DSS. The overarching theme is offering security by default, which in Ubuntu translates to a carefully designed distribution, security patches you can rely on and too many other features to mention here.
What hasn’t fundamentally changed is that cybersecurity is not a solved problem. As long as there continues to be a burden on the users, the targets of crime, we haven’t achieved our security goals. Our aim should be to make security for the masses not just intuitive and inherent in every product, but something that people don’t need to think about.
Looking forward to the future
Ubuntu was initially conceived as Linux for human beings, a distribution that set out to make free software available to the widest possible audience. Today, Ubuntu continues to stay true to its mission by making security easier for the user and being a platform to access a wider world of secure open source. The general availability of Ubuntu Pro in 2023 brought more security fixes for Ubuntu, in the context of an ever-expanding list of published CVEs. We have a very exciting road ahead. You may have seen previews of AppArmor seamlessly integrating into desktop environments with user prompting or workstation authentication interfacing with cloud-based identity providers through authd. These are just a few examples.
If I had a crystal ball, I would make out a picture of a future where security is implicit and people, from software engineers to artists and business leaders, can innovate with confidence and be creative, without having to worry about cybercrime. On the October 18th podcast I talked about security technologies not being magic. But it may not be the worst thing to have a world where security can be indistinguishable from magic for the vast majority of us – cybersecurity for human beings.
