News that the New York Times was hacked by the Syrian Electronic Army is interesting not because the NYT was hacked by that group, but because of the method used to gain access.
According to this article, information security at the NYT fell over because they forgot that cyber-security doesn't stop at the perimeter. It would seem that Melbourne IT, an Australian hosting company for both Twitter and the NYT, was breached. This then allowed the Syrian Electronic Army to gain access to the DNS records of domains owned by Twitter and the NYT, which they then proceeded to change.
A number of quick conclusions
This was a well-planned attack that almost certainly took some time to conceive, research and operationalise.
You should assume your organisation will be hacked. Work out how to detect the breach and recover quickly.
Cyber-security is an evolutionary struggle between those who wish to break systems and those who wish to stop systems being broken. Quite often it's the same people, e.g. the NSA.
80-90% of the differences between good cyber-security and great cyber-security are not in the IT, they are in the organisational approach and culture.
In this hack, a variety of methods seem to have been used, including phishing and attacking the DNS servers via privilege escalation.
Cyber-security requires expertise in managing information and risk, and in developing resilient organisational frameworks; this is often forgotten.
Everybody is your neighbour on the Internet, the good guys and the bad.
Cyber-security practitioners need to consider the risks to high-value systems that they are protecting from connected suppliers and customers.
This requires cyber-security practitioners who are good people influencers, because the vulnerabilities tend to be at human interfaces.
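One way to act on the "detect the breach" point above for the DNS-hijack scenario this post describes: a record drift check that compares a saved baseline with what a resolver currently returns and rates the changes. This is added example code, not from the original post; the domain names, addresses and the three-column record format are constructed for the example.

```python
"""DNS record drift check (example code, not from the original post).

An operator saves the records a domain should have on a known-good day and
periodically compares them with what a resolver returns.  A change to the NS
delegation, or to A/AAAA/MX/CNAME records, is the kind of change a
registrar-level compromise produces, so those are rated high.
"""
from dataclasses import dataclass

# Record types whose silent change can redirect web or mail traffic.
HIGH_RISK_TYPES = {"NS", "A", "AAAA", "MX", "CNAME"}


@dataclass(frozen=True)
class Finding:
    domain: str
    rtype: str
    change: str    # "added" or "removed"
    value: str
    severity: str  # "high" or "low"


def parse_records(text):
    """Parse 'name TYPE value' lines (a constructed format) into
    {(name, TYPE): {values}}.  Names and values are normalised so that a
    trailing dot or letter case never shows up as a spurious change."""
    records = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed record line: {raw!r}")
        name, rtype, value = parts
        key = (name.lower().rstrip("."), rtype.upper())
        records.setdefault(key, set()).add(value.lower().rstrip("."))
    return records


def diff_records(baseline, observed):
    """Return every record added or removed relative to the baseline, rated by
    how much damage an unnoticed change of that type could do."""
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        name, rtype = key
        before, after = baseline.get(key, set()), observed.get(key, set())
        severity = "high" if rtype in HIGH_RISK_TYPES else "low"
        findings += [Finding(name, rtype, "added", v, severity)
                     for v in sorted(after - before)]
        findings += [Finding(name, rtype, "removed", v, severity)
                     for v in sorted(before - after)]
    return findings


def delegation_changed(findings):
    """True when the authoritative name servers themselves moved, i.e. the
    change was made above the zone, at the registrar or the parent zone."""
    return any(f.rtype == "NS" for f in findings)


def check(baseline_text, observed_text):
    findings = diff_records(parse_records(baseline_text),
                            parse_records(observed_text))
    return {
        "findings": findings,
        "high": [f for f in findings if f.severity == "high"],
        "delegation_changed": delegation_changed(findings),
    }


# Constructed sample data: the baseline recorded on a good day ...
BASELINE = """
example-news.test      NS    ns1.registrar-a.test.
example-news.test      NS    ns2.registrar-a.test.
example-news.test      A     203.0.113.10
example-news.test      MX    mail.example-news.test.
www.example-news.test  CNAME example-news.test.
"""

# ... and what a resolver returns after a simulated registrar-level change:
# the delegation and the web address now point at infrastructure the
# operator does not own, while mail and www look untouched.
OBSERVED = """
example-news.test      NS    ns1.attacker-dns.test.
example-news.test      NS    ns2.attacker-dns.test.
example-news.test      A     198.51.100.7
example-news.test      MX    mail.example-news.test.
www.example-news.test  CNAME example-news.test.
example-news.test      TXT   verify=abc123   # low risk: added, not redirecting
"""

if __name__ == "__main__":
    result = check(BASELINE, OBSERVED)
    for f in result["findings"]:
        print(f"[{f.severity:4}] {f.domain} {f.rtype} {f.change} {f.value}")
    if result["delegation_changed"]:
        print("ALERT: NS delegation changed; confirm with the registrar first")
```

Feeding the check live data means producing the three-column text from your resolver of choice; the comparison logic does not care where it came from.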
A culture of entitlement is corrosive in a government agency or any organisation
I’ve just come across a US government document which is both fun to read and educational. It’s called the Encyclopedia of Ethical Failure 2013 and is published by the US Defense Department. The dry title doesn’t do this piece justice; I think the title should be “A culture of entitlement in an organisation is corrosive”.
The reason that you should be reading it is that it is a series of sometimes funny and tragic stories about how employees forget that the employee/employer relationship is a two-way street. Maybe it is also about how employers forget that their staff are human. They sometimes do dumb things and forget about the consequences of their actions.
Stephen Dubner from Freakonomics interviewed the current and past editors, Steve Epstein and Jeff Green. Interestingly, they said that it was difficult to find common characteristics (M/F, race, religiosity, seniority) among the people who did these things. Green and Epstein suggested that none of them thought properly about the consequences of their actions. The other thing to notice is that security people, intelligence officers and lawyers commit these crimes too.
Maybe, as a collection, these are cases of a man or woman failing to identify the full consequences of their actions. In risk terms, it is an individual failure to recognise the initial risk and the downstream consequences when they get caught.
The other observation that is interesting is that some people are cheap to bribe. Some of these people lost their careers and potential earnings of millions of dollars over a lifetime for hundreds of dollars in cash or kind. This is a sign that the perpetrators haven’t thought about personal risk and/or that their decision-making is visceral. It makes me wonder whether one possible mitigation against fraud is teaching employees decision-making to improve the way that they weigh up alternatives. Maybe the SWOT analysis is the best preventative tool against fraud!
Because the document was written by the US Defense Department, it has a military flavour, but the examples run the gamut of the US Federal public service. Here are some of my favourite excerpts. I’m sure you’ll get a laugh out of these and some food for thought. Maybe some of these are familiar in your organisation...
FBI Undercover Parties
According to an FBI report, upon the retirement of a senior FBI official, FBI personnel from around the country journeyed to Washington to attend the official’s retirement party. Many out-of-town G-men traveled on official orders and public expense. According to their travel orders, the purpose of the trip was to attend an ethics conference! According to the news report, only five people actually attended the ethics forum.
“But, Judge, I didn’t get anything!”
An offshore safety inspector found much of the Government’s equipment to be in need of repairs to meet safety standards. He then referred the business to his brother-in-law’s repair shop. The rig operators smelled a rat and called the FBI. They discovered that, in return for each referral, the brother-in-law was treating the inspector to an evening with a lady of dubious morals.
The case was brought to trial. In his defense, the inspector claimed that he had not received a “thing of value” in return for the referral. The judge didn’t buy it – and neither did his wife.
A former official of the U.S. Tax Court, Fred Fernando Timbol Jr., was sentenced to 18 months in prison and three years of supervised release in connection with a bribery conspiracy.
Timbol was a facilities services officer in the Facilities Management Section of the U.S. Tax Court. Timbol was responsible for assisting in the award of contracts to contractors who provided maintenance, construction, and other related service to the Court. Timbol admitted to soliciting and accepting over $12,000 from a government contractor in exchange for rigging the award of at least six inflated contracts. As part of a plea agreement and by order of the court, Timbol also agreed to pay restitution of $24,143.
DVD Bootleggers MIA During Government Work Hours
A Federal employee used his Government computer to make illegal copies of commercial DVDs in violation of copyright laws. He and another employee also used their Government computers and duty time to watch the movies. The other employee took lunches lasting up to three hours in order to watch the DVDs and take naps. Initially the employees’ supervisors signed off on this behavior, even assigning extra work to others to make up for the employees’ time wasted napping and movie watching. The employee who copied the DVDs received a written reprimand. The supervisor received an oral admonishment for failing to address the misconduct, and another employee received a Letter of Counseling for knowingly accepting a pirated DVD.
In a similar case, a civilian employee working for the U.S. Army in Germany was involved in selling pirated DVDs. He used the profits from his illegal operation to buy vacation homes and luxury cars and to pay for frequent European ski vacations. He devoted some of his duty time to the marketing and selling of the bootleg videos, including taking payments while on the job. Even though the employee had left Federal service by the time the accusations against him were substantiated, administrative action was taken to bar him from US Army Europe installations.
This next one is interesting because of the recent Asiana crash.
FAA Employee Sentenced for Bribery
A former employee of the Federal Aviation Administration (FAA) was convicted of bribery. In carrying out his primary responsibility of reviewing and processing applications for FAA-issued pilot certificates, the employee accepted bribes of $2,000 and an all-expense paid trip to Korea in exchange for preferential treatment of applications for Korean pilots from the flight school, Wings Over America.
The employee was sentenced to pay a $2,000 fine and serve four months in prison, followed by three years probation for violating 18 U.S.C. 201(b)(2). Bribery occurs when a public official seeks or accepts anything of value in return for being influenced in the performance of an official act.
Government Lawyer in Tucson Illegally Possesses Sheep Skull and Horns
The Assistant U.S. Attorney (AUSA) prosecuted an individual for illegally killing a bighorn sheep on an Indian Reservation. As a result of the prosecution, the hunter forfeited the bighorn sheep and trophy (skull and horns), valued at approximately $5,000, to the Arizona Game and Fish Department. Pursuant to a request from the AUSA, the Arizona Game and Fish Department entered into an agreement with the AUSA allowing him to publicly display the skull and horns in his office, but requiring their return upon request. However, after leaving employment with the U.S. Attorney’s office, the AUSA took the skull and horns with him and treated them as his personal property. When the former AUSA was questioned a year later about his possession of the skull and horns, he claimed that an unspecified Indian had sent the skull and horns to him in appreciation for his work on the prosecution of the hunter. Investigation showed that such a gift would have been contrary to tribal practices and no member of the tribe could be found who knew anything about the alleged gift.
CIA Employee Drives Overseas Auto Scheme
As a U.S. Federal employee residing in Egypt, the CIA agent discovered that he could purchase an imported vehicle in Egypt without having to pay the normal 150% excise tax. This fact had created a black market in which Egyptian car brokers would pay U.S. employees to register luxury cars in their names in order to allow the dealers to evade import taxes. Investigators found that while in Cairo, Egypt, the employee had agreed to accept $25,000 in exchange for changing the status of his personally-owned vehicle with the Egyptian Ministry of Foreign Affairs, which would allow him to participate in the scheme.
So those are some of the highlights from my perspective. You can download the full document here (163 pages). You’ll find that it references most vices! What do you think about the alternative title, “A culture of entitlement in an organisation is corrosive”?
Is it possible for health practitioners to achieve information security? Maybe a better question is “How can health professionals balance privacy, information security and accessibility in an online world?” Or even, should the medical profession be bothered with keeping private and sensitive information secure?
Over the last few months, I’ve been working with a number of health practitioners to help them improve their information security. Much of this has been done with a view to the introduction of electronic health records.
I sympathise with hospital administrators, doctors and nurses. They don’t have a lot of time to think about security and privacy. However, the fact is that they have to do better.
Criminals follow the money
According to the Australian Institute of Health and Welfare, the health system costs just under 10% of Australia’s GDP (AUD121.4 billion in 2009/10 according to the AIHW). In the US, it is around 18% (USD2.6 trillion in 2010 according to the CDC). With this much money involved in the health system, it is a fat series of targets for cyber attack and fraud.
Terrorist vector? Probably not.
The Department of Homeland Security has even gone so far as to suggest that the health system could be targeted by terrorists and activists in the USA. I am not convinced by this or similar suggestions, as the number one aim of terrorists remains to create terror. Terrorists understand this and seek targets and methods along those lines. It matters less how few people a terrorist kills. It is more important for the terrorists that they have an audience that can clearly see a hard link between cause (terrorist attack) and effect (death, destruction etc). The murder of a single UK soldier in May 2013 by allegedly Al-Qaeda inspired terrorists with machetes created significant community angst, not only in the UK where it occurred but in Australia, Canada and the USA. Yet it is likely that more people died on that same day on the roads in London. My point is this: if terrorists discovered some way of causing significant death or maiming from medical equipment, I do not doubt that they would use it. However, it is likely that the effect on the collective public consciousness would not be as great as the machete attack mentioned above.
However, we must accept that it is possible, if not altogether probable. One identified flaw is the chronic inability of many health systems to patch their software and applications.
One high consequence scenario involves hackers attacking defibrillators and insulin delivery systems remotely. I think this comes into the unlikely but possible category. Shodan was used by a hacker to access the controls of a blood glucose monitor connected to the Internet by WiFi.
Whilst we can probably discount to some extent the terrorist threat, I can imagine the attraction of such attacks as assassination vectors or for the installation of ‘ransomware’. Thus the high consequence threat from foreign governments and organised crime can’t be as easily discounted.
Beyond the extreme, privacy compromise and fraud
Beyond these extreme events, there is the possibility that patient or staff privacy can be compromised by weak information security. Dr Avi Rubin, a computer scientist and technical director of the Information Security Institute at Johns Hopkins University, has been quoted as saying of the US health system: “If our financial industry regarded security the way the health-care sector does, I would stuff my cash in a mattress under my bed.” Unfortunately, it is not possible to hide one’s health under the mattress!
I experienced this personally about a week ago when my daughter’s optometrist sent through the results of her recent eye test, only it wasn’t. The attachment data was for somebody I had never met.
We have a tendency to compare the worst case scenario of e-health privacy with the best case scenario of the current system. We all know that the current system isn’t the best case, as my example above shows.
Good information security will also help protect healthcare organisations from fraud. Fraud is estimated to be a USD60 billion impost on US hospitals. Methods that are being used by fraudsters include:
Diversion of fee revenue
Diversion of controlled items (eg drugs)
Collusion with suppliers; and
Diversion of accounts receivable.
The same methods are being used in medical practices, albeit on a smaller scale.
What to do
A holistic approach is needed. We have worked with a number of medical practices to implement the key elements of the information security standard ISO 27000. This ensures that the practice has a risk-based approach which mitigates threats based on real world experience of consequence and likelihood. Working with practice owners and stakeholders, we determine tolerance to information risk and work with them to implement controls which make sense and meet any regulatory requirements.
If you think this is something your organisation needs, please contact us at [email protected]
You may have seen some fairly alarmist reporting from the ABC about Chinese interests hacking ASIO, Australia’s version of the FBI.
For those who haven’t seen it, the allegations come from the Four Corners program and relate to compromises of sub-contractors of ASIO. ASIO is building a huge new central office and it seems that the Chinese managed to get the blueprints for the building. ASIO is a hard nut for a foreign intelligence agency to crack, so the way to get there is through its contractors.
The point is that this is not any different from what would have occurred during the cold war! The Chinese or Russians for that matter would have previously used their human intelligence networks. It seems likely that this information would have been a target 50 years ago just as much as now.
What is different then?
The difference is the sheer quantity of attacks that are occurring. We have moved from the Cold War, where the superpowers fought their battles in small third countries such as in South America, Africa or the Middle East to the new paradigm – the cyber insurgency. The wars between the superpowers have moved onshore to the malls and industrial parks of our cities and then they disappear. The authorities and companies are never quite sure who to trust and when / where the insurgent hackers will reappear.
“The guerrilla must swim in the people as the fish swims in the sea.” –Aphorism based on the writing of Mao Zedong
Previously, foreign intelligence agencies needed to identify targets and then find resources to compromise them. The new method is to attack anything that might be interesting and suck up whatever comes back. Spies no longer have difficulty getting the information; their challenge is to find the needles in the haystack. And they don’t differentiate between business and government. According to reports in the New York Times and a detailed report by Mandiant, any organisation that doesn’t protect its information security, whether private or public, is potentially compromised.
– the aim of the war is to gain the support of the population rather than control of territory
– most of the population will be neutral in the conflict.
– support of the population may be lost. The population must be efficiently protected to allow it to cooperate without fear of retribution
– in the guerrilla phase of an insurgency, a government must secure its base areas first
Using these principles, we can identify a strategic direction:
The way to deal with an insurgency is through hearts and minds.
Organisations, whether government agencies or businesses, need to share information with their public and with other organisations. Only in this way can they create defence in depth and protect themselves. The attacks on ASIO demonstrate that an organisation’s security is only as good as its weakest link. Importantly, the perimeters of risk in any organisation do not stop at the front door, if they ever did. Organisations suffer from hubris if they believe otherwise. This is why the concepts of deperimeterisation espoused by the Jericho Foundation and others are so useful.
Organisations need to work out what they need to protect and set about protecting that. Declassification, although counter-intuitive, is one way that can help organisations work out what information is valuable.
Organisations need to be adaptable and willing to work with the fact that most information will become available to their adversaries. They need to take advantage of the information in the intervening time.
By making information security central to their organisational decision process, organisations can become more adaptable to this evolving threat. This means moving the security officer from the corner office to the top level of the organisation. In turn, the security officer needs to change his/her attitude from the ‘computer says no’ person to the one who says, ‘yes, this is the best way we can achieve the organisation’s aims with tolerable risk’.
Such an organisation is indeed resilient. Change needs to come in the leadership of government and organisations to deal with it. I’m not sure they understand how big this challenge will be.
ENISA, Europe’s network and information security agency, just released a report looking at cloud computing from the perspective of critical infrastructure protection.
ENISA asserts that 80% of large organisations will be using cloud solutions within two years. The approach that ENISA takes is nicely balanced, pointing out that cloud adoption is both good and bad in terms of critical infrastructure protection. From an organisational perspective, the message is similar
Like any information security endeavour, adoption of cloud boils down to a series of risk decisions. There is of course also a question of organisational and possibly national resilience in the case of critical infrastructure to adapt if any threats are realised.
However, it is possible to use the cloud securely for many applications. It requires resources devoted to intelligent system design, which means that the business case for cloud adoption is not necessarily about saving money. One company that uses the Amazon service but was not affected in 2011 was Netflix. Netflix has a very clever piece of software called Chaos Monkey which tests its environment during working hours, with the intention that systems are fixed before they break. Netflix released the software as open source in July 2012: http://techblog.netflix.com/2012/07/chaos-monkey-released-into-wild.html
Cloud providers can afford people, processes and equipment which is state of the art
Cloud providers are able to offer very good uptime and good backup.
Cloud provides good mitigation against natural disasters
Elasticity – cloud offerings are able to increase and decrease capacity dynamically, which allows them to mitigate DDoS attacks
Cloud providers concentrate datasets from disparate organisations
Vulnerabilities are shared across the cloud
Even though cloud providers generally have excellent protective security, failures happen (e.g. Amazon in 2011)
Cloud providers located in different jurisdictions add complexity to the compliance and governance of organisations.
Better collaboration with other organisations, integration of supply chain across disparate organisations and locations.
Organisations that utilise cloud well can become more resilient, e.g. Netflix
Cloud providers concentrate datasets so their ‘attractiveness’ as a target increases (aggregation)
An outage in one cloud provider can have consequences for multiple organisations. Additional issues may become apparent if those organisations are all providers of the same critical infrastructure.
A legal dispute related to data owned by one organisation which is located in the cloud might affect others
The threat from human actors can be seen to be the combination of intent and capability. Both organised crime and nation states have the capability to attack cloud providers. Their intent is obviously higher if they assess that they can access several prize organisations through a single attack.
I’m struck by the thought that the emergence of cloud should mean that risks to the critical infrastructure from natural disasters and mistakes should decrease. However, on the other hand, cloud providers are such attractive targets, that the risks from human (active) threats are likely to be higher.
Importantly, the report makes a number of useful suggestions for organisations that are moving towards the use of cloud solutions in terms of risk assessment, security measures and recovery and reporting of incidents.
I was asked to give a snapshot about what I thought the big risks for organisations were likely to be in the cyber world in 2013. Below are eight trends that I think are more likely than not to be important in the next twelve months.
1 Boards continue to struggle to consider cyber risks in a holistic manner
With the exception of technology based companies, most government and private sector boards lack directors with a good understanding of their cyber risks. However all organisations are becoming more dependent on electronic information and commerce. This brings with it both opportunities and threats which are not well understood by boards. Good risk management depends on the board setting the risk tolerance for the organisation. Risk and reward are two sides of the same coin.
Senior Management must create a culture where they acknowledge that cyber risk is evolving and encourage sharing of incident information with trusted partners in government, police, industry and with their service providers. Moreover, if boards see problems in sharing information, they should lobby governments to improve the conditions for sharing.
2 BYOD goes ballistic – deperimeterisation is forced upon organisations, even when they aren’t ready.
Many organisations are in denial about the threat that ‘bring your own device’ (BYOD) policies expose them to. Together, BYOD and cloud technologies will force deperimeterisation on organisations. The pressure will come primarily from within, as their profit centres demand more connectivity to develop new and rapidly changing business relationships.
In the long-term, this is likely to be positive because it will drive down costs and increase flexibility for organisations. But only the resilient will survive the transition. Even resilient organisations will not go through this deperimeterisation unchanged. This process is likely to cause rude shocks for those organisations and their boards that are not prepared and do not invest prudently in technology and more importantly people to transition smoothly.
3 Attacks that intentionally destroy data
The other threat which may arise is where the attacker intentionally destroys data, usually after stealing it. This may be as an act of protest by an issue motivated group, the opposite of Wikileaks if you think of it. Or, it could be undertaken by organised crime against either government agencies or business. Attacks of this nature could cripple many organisations that do not have hot-backup; even then, the question of data integrity comes into play. Boards will need to think carefully about the ‘three cornered stool’ of confidentiality, integrity and availability relative to their organisations.
Ransomware, where data is encrypted by an attacker to become inaccessible to the owner until a ransom is paid, will increase. However, the problem is likely to remain primarily at the home user and SME level. This is less due to technical difficulties with the attacks and more because of the standard problem for such scams: how to extract money when the authorities have been alerted and are on the hunt. Technologies such as Bitcoin will find increasing use here.
4 More sophisticated attacks by organised crime and nation states.
Here’s an easy one. I am more certain of this prediction than any of the others. We are in a cyber arms race between the attackers and the defenders. The advantage currently lies with the attackers. Since the possibility of an international agreement to curb cyberattacks is negligible as per my cyber law of the sea post, I see no let up in 2013.
5 Privacy continues to increase as a concern for governments in most western countries
In Australia, the Parliament passed the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 in November, tightening the Commonwealth Privacy Act 1988, which applies to Commonwealth agencies and private sector organisations. A summary of the changes is here.
In the same month, the European Network and Information Security Agency (ENISA) published a report about the right to be forgotten. This report proposes a regulation that would allow a European citizen to have their personal data destroyed on request unless there were legitimate grounds for retention.
Large multinationals, like Facebook are going to continue to face scrutiny by privacy advocates and governments around the world about the data that they collect and mine. The new version of Microsoft Internet Explorer set a cat among the pigeons when it was shipped with the ‘do not track’ setting on by default. The Digital Advertising Alliance issued a statement that “Machine-driven do not track does not represent user choice; it represents browser-manufacturer choice”.
It will be interesting to see who wins. Consumers have shown themselves to be willing to choose services which commercialise their information in return for real value. The key here is choice.
6 Failure by government to protect private sector organisations causes more of them to create CERTs
In a number of countries, national Computer Emergency Response Teams have been created with much fanfare, with the aim of sharing information between government and industry about threats to the critical infrastructure. In general it hasn’t worked well. Western economies are dependent on infrastructure that is primarily in the hands of private enterprise, so all the players understand that neither government nor industry can ‘solve cyber’ on their own. In a federal system like Australia or the US, the problem is exponentially harder.
At its heart, the problem is not technical; it is trust. Security and law enforcement agencies have long come to the CERTs with their hands out asking for information, but unwilling to share what they knew. Industry doesn’t trust government or its competitors. Meanwhile, the attackers make hay.
In a similar way to international negotiations, when multilateral agreements fail, bilateral ones can take their place (messily). Increasingly we are likely to see technology dependent organisations setting up their own CERTs and working at the technical level with like organisations, at the same time, bypassing central government CERTs and inward focussed intelligence organisations.
7 Organisations start to concern themselves more with cyber-dependencies
Organisations have long understood in the physical world that if their supply chain is attacked or degraded, then their ability to function is impeded. Without wheels from Factory A, Factory B can’t assemble cars. Therefore Factory B is keen to ensure that Factory A survives, but it’s also keen to make sure that the tyres from Factory A don’t cause car accidents. A company’s dependencies do not stop at their front door.
This principle needs to be extended actively into cyber space. Most organisations do not develop all their technology in house. Vulnerabilities in hardware and software operated by their suppliers are of prime importance. Defence companies have long needed to take this into account, but this thinking will expand to more parts of the economy.
8 Developing trusted identities continues to challenge governments and organisations
With deperimeterisation upon us, organisations must assume that attackers can enter their networks. Only through good identity and access management can an organisation potentially protect itself. My post, Trusted Identity – a primer took a longer look at this trend.
If an organisation has no perimeter, it becomes impossible to work out who should access what, if there is not a good identity system in place. Governments are realising the same. Essentially if they are to provide the services that their citizens want, then they have to have ways of identifying for certain what those citizens are entitled to.
In 2013, we will see some results from the US efforts (NSTIC) to pilot programs to develop trusted identities. Business is taking a big part in this, with leadership from the likes of Paypal.
In Australia, there are varying signals coming from the Commonwealth Government. E-Health is moving forward, albeit slowly, and so is online Service Delivery Reform which will also depend on identity at its core. There has not been much news of late about the Cyber white paper, which was due in the second half of 2012.
You may have heard recently about the efforts being promoted by the USA and Australia amongst others to promote trusted online identities. There are also significant efforts in the private sector to develop online trust systems.
Trust will be the currency of the new economy as it was in the mediaeval village. During the late 19th and early 20th Century, formal identity credentials gradually replaced more informal systems of identifying people that we interacted with. Increasing population and technology drove this change. It was simply impossible to know everybody that you might deal with and so societies began to rely on commonly used credentials such as drivers’ licences to prove identity and ‘place’ in society. Of course, drivers’ licences don’t say much if anything about reputation. But if you think about high value financial transactions you establish your identity and then you give a mechanism to pay for the transaction. Although in most cases it wouldn’t matter who you are, it gives the vendor some comfort that the name on your driver’s licence is the same as on your credit card and makes it just that bit more difficult to commit fraud on the vendor if the credit card isn’t legit. However this isn’t the case with interbank lending. Most of this is done on a trust basis within the ‘club’ of banks and it is only at a later time that the financials are tallied up for the day.
What is a trusted ID?
Most simply, trusted online identity systems are the online equivalent of a physical credential such as a drivers’ licence used to give evidence of identity online. They can (but don’t have to) also be the basis for online reputation. They may also say something about the rights of the credential holder, such as that they are a resident in a particular country.
Which countries are developing trusted identity systems?
Some countries have already implemented online identity systems simply by migrating their physical identity cards online and allowing these to be used as trusted online systems. A number of Asian countries including Malaysia, Hong Kong and Singapore have proportions of their online services available through such means. Estonia probably leads the world in online service delivery with around 90% of the population having access to an online ID card and around 98% of banking transactions being via the Internet. More information at the Estonia EU website. While NSTIC was issued by the USA government, it calls for the private sector to lead the development of an Identity Ecosystem that can replace passwords, allow people to prove online that they are who they claim to be, and enhance privacy. A tall order which runs the risk of creating an oligopoly of identity systems driven by corporate interests and not one which suits users. It may be a signal of things to come that Citibank and Paypal have recently been accepted to lead development of the NSTIC. There are also a number of private sector initiatives which come at the issue from a different perspective. Beyond Paypal, Google Wallet and the recently announced Apple Passbook are interesting initiatives which give some of the attributes of a trusted identity.
Why might we want one?
As more services go online from both government and business and more people want to use them, there will be an increased demand for a way of proving who you are online without having to repeat the process separately with each service provider. In some ways this is already happening when we use PayPal to buy products not only on eBay, where it originated, but also on Wiggle.co.uk and many others. The problem is that different services need different levels of trust between the vendor and the purchaser. Thinking about a transaction in terms of risk, the majority of private sector transactions online carry equal risk for both the vendor and the customer, in that the customer risks not getting the product or service from the transaction and the vendor risks not getting the cash. Here online escrow services such as Transpact, or PayPal, can help.
Where this doesn’t work well is where there is complexity to the transaction. The banking and government services sectors are key areas where this is the case. Here the vendor must know their customer. One area might be analysing whether a customer can pay for a service on credit. Another is applying for a passport, where you need to prove that you are a citizen and pay a fee. However, the intrinsic value of the passport is far greater than the face value, as shown by the black market price. The cost to the government if it issues the passport to the wrong person is not the value of the nominal fee, but closer to the black market value of the passport.
As a result, we are at an impasse online: in order for more ‘high trust’ services to go online, the community has to have more trust that people are who they say they are.
Who might need a trusted identity?
If you take the Estonian example, 90% of the population. Most of us carry around some form of identity on our persons that we can present if required. In some countries, it’s the law that a citizen must carry their identity card around with them. In Australia, Canada and other countries, it’s a bit more relaxed. In the end the question will be whether a trusted id is used by customers and required by vendors. This will be influenced by whether there are alternative ways of conveying trust between people and institutions which are independent of the concept of identity in the traditional sense of the word.
What are the security and safety implications of a trusted identity, and a discussion about social footprint and whether this may overtake government efforts
I’ve been thinking for the best part of the last decade about Internet governance and its impact on national security. In that time, little has changed to improve security for users.
The Internet as we know it today can be compared in many ways to the high seas during the swashbuckling so-called Golden age of Piracy between around 1650 and 1730 when pirates ruled the Caribbean.
Why is this comparison valid? Because in the Internet today, like on the high seas of yesteryear, there are islands of order surrounded by seas of chaos. The islands of order are the corporate networks like Facebook, Google, Amazon, Ebay etc and those run by competent governments for their citizens. However, between these orderly Internet islands are large areas where there are no rules and where pirates and vagabonds thrive. An additional similarity is that some of the most competent and successful historical pirates operated with the explicit support from countries seeking to further their national aims.
Even those who govern the orderly Internet islands are subject to bold attacks from chaos agents if they are not vigilant! Witness the compromise of LinkedIn earlier this year; very few governments have not had some significant compromise affect their operations.
On the high seas, piracy has been reduced significantly since the 18th Century. With the exception of places like the coast of Somalia, there are now far fewer places where there is a significant piracy problem. There are a number of reasons why this has been a success. Not least of these has been the development of law of the high seas.
In cyberspace, the world also needs to be moving on from the swashbuckling days. Internet criminals need to be hunted down in whichever corner of the Internet they lurk. Additionally, the concept that some countries could give free rein to local cyber-criminals, as long as they don’t terrorise their own countrymen/women, is anathema in the 21st Century.
The long term solution has remained in my view a cyber version of the UN Convention on the Law of the Sea. UNCLOS is the international agreement, most recently updated in 1982, that governs behaviour by ships in international waters. Among other things the convention deals with acts of piracy committed in international waters.
In the same way, a similar international cybercrime convention could deal with acts where the victim was from for example the USA, the criminal from the Vatican and the offence committed on a server in South Korea.
It would seem that at the moment any move towards a UN convention has gone off the boil. A proposal was shot down in 2010 over disagreements around national sovereignty and human rights. As well, the European Union and USA position was that a new treaty on cyber crime was not needed since the Council of Europe Convention on Cyber Crime had already been in place for 10 years and has been signed or ratified by 46 countries since 2001.
As I recently noted, wariness by both USA and China continues and means that any international agreement which includes Western countries and the BRICs will be a long time coming. China, Russia and other countries submitted a Document of International Code of Conduct for Information Security to the United Nations in 2011 which the USA seems to have dismissed out of hand.
A code of conduct is nice and the Council of Europe convention is a good start, but they need to be supported by some sort of international cyber ‘muscle’ in the long term.
However, all is not lost. In the meantime, working to coordinate the orderly organisations’ defences that I wrote about before, is a practical step that organisations and governments should be doing more of. This is the cyber equivalent of escorting ships through dangerous waters and passing them from one island of order to another.
There’s a good reason for this, and here’s the resilience message. The cyber-security of an organisation does not begin and end at its firewall or outer perimeter. Whilst in most cases an organisation cannot force other organisations to which it is connected to change, it can maintain vigilance over areas outside its direct sphere of control. This then allows the organisation more time to adapt to its changing environment and of course, a chain is only as strong as its weakest link.
The other step to be taken is to help emerging nations and organisations with poor online security to improve their cyber-defences. If the first step was like escorting ships between the orderly islands, this second step is the equivalent of helping nearby islands to improve their battlements so that the pirates don’t take over and then attack us! This work has been going on for some time. I chaired a number of seminars on cyber security and the need for computer emergency response teams for the APEC telecommunication and information working group which began this work in 2003 and this has been carried on by a number of countries around the world in fits and starts, but we need more.
I’ve been trying to summarise organisational resilience into a form that can be visualised for some of the people who I’m working with. The key has been to summarise the thinking on resilience as succinctly as possible.
Apart from the diagram you can see, the text below attempts to give concise answers to the following questions:
Resilience is about the ability to adapt for the future and to survive. Whether that is for an organisation, country or an individual.
What seems sometimes forgotten is that the adaptation is best done before a crisis!
And here, resilience is an organisational strategic management approach rather than a security protocol. In this sense, resilience is the ‘why’ to Change Management’s ‘how’.
Why should my organisation care about resilience?
Research shows that the average rate of turnover of large organisations is accelerating, from around 35 years in 1965 to around 15 years in 1995. Organisations that want to stick around need to adapt with the changing environment.
Organisations know that they need to change to survive, but today’s urgency overrides the vague need to do something about a long term problem. For this reason, crises can be the catalyst for change.
Resilience is about dealing with organisational inertia, because the environment will change. The more successful an organisation has been in the past, the more difficult it will be to make change, and so it becomes susceptible to abrupt failure. Miller coined the term ‘Icarus Paradox’ to describe the effect and wrote a book by the same name. Icarus was the fictional Greek character who with his son made wings made from feathers and wax, but died when he flew too close to the sun and the wax melted, causing the feathers to fall out of the wings.
It is possible that Eastman Kodak is the best example of this trait. An organisation that was very successful between 1880 and 2007, Kodak failed to make the transition to digital and to move out of film fast enough.
Why is detailed planning not working?
Simply put, the world is too complex and the outliers are becoming more common:
increasing connectedness – interdependencies leading to increasing brittleness of society/organisations – just in time process management – risks, in rare instances, may become highly correlated even if they have shown independence in the past
speed of communication forces speedier decision-making
increasing complexity compounds the effect of any variability in data and therefore the uncertainty for decision-makers
biology – we build systems with an optimism bias. Almost all humans are more optimistic about their future than is statistically possible. We plan for a future which is better than it will be and do not recognise the chances of outlier events correctly. Additionally, we plan using (somewhat biased) rational thought, but respond to crises with our emotions.
we can’t predict the outlier events and
this makes most strategy less useful – especially that which is written and gathers dust without being lived,
maybe we can be more resilient when we run into the outliers, what Taleb calls the Black Swans in the book of the same name.
Taleb’s book is available from Book Depository and is well worth the read, even if he can’t help repeating himself and dropping hints about fabulous wealth.
What’s the recipe for resilience?
Bad news: there isn’t a hard recipe for a resilient organisation, just like there isn’t one for a successful company, but they all seem to share some common attributes such as:
Agility and the ability to recover quickly from an event and,
an awareness of their changing environment and the willingness to evolve with it amongst others.
How does an organisation develop these characteristics?
It is a combination of many things –
developing an organisational culture which recognises these attributes which is supported and facilitated from the top of the organisation;
partnering with other organisations to increase their knowledge and reach when an event comes; and
Lastly engaging in the debate and learning about best practices
Resilience before and after (a crisis)
But is resilience just one set of behaviours or a number? When we think of resilient organisations and communities, our minds tend to go to the brave community / people / organisation that rose up after a high consequence event and overcame adversity. These people and organisations persist in the face of natural and manmade threats. Numerous examples include New York after the September 2001 events; Brisbane after the floods in 2011; and the Asian Tsunami in 2004.
However there is another set of actions which are more difficult in many ways to achieve. This is the capacity to mitigate the high consequence, low likelihood events or the creeping disaster before a crisis is experienced. The US behaved admirably in responding to the 9/11 terrorist disaster after it had occurred, but as the 9/11 Commission Report notes, terrorists had attempted on numerous occasions to bring down the World Trade Center and come quite close to succeeding.
In this thought may be one of the best arguments for blue sky research. Serendipity – wandering through the universe with your eyes open to observe what’s happening around you, rather than head down and focussed only on one task – is this the secret to innovation?
How does nature do resilience?
Life becomes resilient in that it is replicated wildly so that many copies exist, so that if some number fail, life can continue. Individual creatures carry DNA, which is all that needs to be replicated. Those creatures compete with each other and the environment to become more and more efficient. An individual creature may or may not be resilient, but the DNA is almost immortal.
How an organisation achieves this is the challenge that every management team needs to address. Over the next posts I will expand more.
This might seem a brave call when talking about cyber-security threat information. But the truth is that the cyber world forces a new paradigm on security. The tools that are familiar in the offline world for providing elements of security, such as obscurity, tend to benefit the attackers rather than the defenders, because the very advantages of the online world, things like search and constant availability are also the online world’s greatest weaknesses. What matters most in the online world is not what you know, but how fast you know and make use of the information you have.
I’ve been reading the Cyber Security Task Force: Public-Private Information Sharing report, and I think it’s worth promoting what it says. It presents a call to action for government and companies in the US to improve information-sharing to prevent the increasing risks from cyber attacks on organisations, both public and private. The work was clearly done with a view to helping the passage of legislation being proposed in the USA, however…
Most, if not all the findings made could be extrapolated to every advanced democracy around the world.
If you are familiar with this field, much of what has been written will not be new, as we have been calling for the sorts of measures that are proposed in the report since at least 2002. That does not mean that the authors haven’t made a valuable contribution, because they have made recommendations about how to solve the problem. Specifically they recommend removing legislative impediments to sharing whilst maintaining protections on personal information.
According to the authors: From October 2011 through February 2012, over 50,000 cyber attacks on private and government networks were reported to the Department of Homeland Security (DHS), with 86 of those attacks taking place on critical infrastructure networks. As they rightly point out, the number reported represents a tiny fraction of the total occurrences.
As is the case in many areas of security, the lack of an evidence base is at the core of the problem, because it creates a cycle where there is resistance to change and adaptation to fix the problems efficiently and effectively.
Of course, the other thing that happens is that organisations don’t support an even level of focus or resourcing on the problem, because, most of the time, like an iceberg, the bit of the problem that you can ‘see’ is comparatively small.
To make matters worse, new research is telling us that we are optimistically biased when making predictions about the future. That is, people generally underestimate the likelihood of negative events. So without ‘hard’ data, and given the choice of underestimating the size of a problem or overestimating it, humans that make decisions in organisations and governments are likely to underestimate the likelihood of bad things happening. You can find out more about the optimism bias in a talk by Tali Sharot on TED.com
The cost differential to organisations when they don’t build in cyber security, are unable to mitigate risks and then need to recover from cyber attacks is significant. This cost is felt most by the organisations affected, but its effects are passed across an economy.
So what can be done to break this cycle of complacency? Government and industry experts have long spoken about the need for better sharing of information about cyberthreats. I was talking in public fora about this ten years ago.
The devil is in the detail in the ‘what’ and the ‘how’. Inside the ‘what’ is also the ‘who’. I’ll explain below.
What should be shared, who should do the sharing – and with whom?
Both government and industry, whilst they generally enthusiastically agree that there should be sharing, think that the other party should be doing more of it and then come up with any number of excuses as to why they can’t! For those who are fans of iconic 80s TV, it reminds me of the Yes Minister episode where the PM wants to have a policy of promoting women and in cabinet each minister enthusiastically agrees that it should be done, whilst explaining why it wouldn’t be possible in his department. In government, the spooks will tell you that they have ‘concerns’ with sharing, ie they want to spy on other countries and don’t want to give up any potential tools. It’s no better in industry: companies don’t have an incentive to share specific data, because their competitors might get some kind of advantage.
The UK has developed perhaps the most mature approach to this. UK organisations have been subject to a number of significant cyber attacks and government officials attempt to ‘share what is shareable’. The ability to do this may be because of the close relationship between the UK government and industry, developed initially during the time of the Troubles in Ireland and has been maintained in one form or other through the terrorism crises of this Century. It remains to be seen whether the government will be able to maintain these relationships and UK industry will see value in them as the UK and Europe struggle with short-termism brought on by the fiscal situation.
Australia has also attempted to share what is shareable, however as the government computer emergency response team sits directly within a department of state this is very difficult. It seems that the CERT does not have a clear mission. Is it an arbiter of cyber-policy and information disseminator, or an operational organisation that facilitates information exchange on cyber issues between government and industry?
This quandary has not been solved completely by any G20 country. Indeed, it will never be solved, it is a journey without end. It is possible that New Zealand has come closest, but this seems to be because of the small size of the country and the ability to develop individual relationships between key people in industry and government. Another country that is doing reasonably well is South Korea – mainly because it has to, it has the greatest percentage of broadband users of any country and North Korea just a telephone line away. The Korean Internet security agency – KISA brings together industry development, Internet policy, personal information protection, government security, incident prevention and response under one umbrella.
For larger countries, I am of the view that a national CERT should be a quasi-government organisation that is controlled by a board comprised of:
companies that are subject to attack (including critical infrastructure);
government security and
government policy agencies.
In this way, the CERT would strive to serve the country more fully. There would be more incentive from government to share information with industry and industry to share information with government. With this template, it is possible to create a national cyber-defence strategy that benefits all parts of the society and provides defence-in-depth to those parts of the community that we are most dependent on, ie the critical infrastructure and government.
Ensuring two-way information flow within the broader community and with industry has the potential to provide direct benefits for national cyber-security and for the community more broadly. Firstly, by helping business and the community to protect itself. Secondly, for government, telecommunications providers and the critical infrastructure in the development of sentinel systems in the community, which like the proverbial canary in the coalmine, signal danger if they are compromised. Thirdly, by improving the evidence base through increased quality and quantity of incident reporting – which is so often overlooked.
Governments can easily encourage two-way communication by ‘sharing first’. Industry often questions the value of information exchanges, because they turn up to these events at their own expense and some government bigwig opens and says ‘let there be sharing’ and then there is silence, because the operatives from the three letter security agencies don’t have the seniority to share anything and the senior ones don’t understand the technical issues. I am not the first person to say that in many cases (I think 90%), technical details that can assist organisations to protect their networks do not need to include the sensitive ‘sources and methods’ discussion. By that I mean, if a trust relationship exists or is developed between organisations in government and industry and one party passes a piece of information to the other and says “Do x and be protected from y damage”, then the likelihood that the receiving party will undertake the action depends on how much it trusts the provider. Sources and methods information is useful to help determine trustworthiness, but it is not intrinsically essential (usually) to fixing the problem.
As the Public-Private Information Sharing report suggests, many of the complex discussions about information classification/ over-classification and national security clearances can be left behind. Don’t get me wrong; having developed the Australian Government’s current protective security policy framework, I think there is a vital place for security clearances and information classification. However, I think that it is vastly over-rated in a speed of light environment where the winner is not the side with the most information, but the side that can operationalise it most quickly and effectively. Security clearances and information classification get in the way of this and potentially deliver more benefit to the enemy by stopping the good guys from getting the right information in time. We come back to the question of balancing confidentiality, integrity and availability – the perishable nature of sensitive information is greater than ever.
How should cyber threat information be shared?
This brings me to the next area of concern. There is also a problem with how information is shared between industry and government, or more importantly the speed with which it is shared. In an era when cyber attacks are automated, the defence systems are still primarily manual and amazingly, in some cases rely on paper based systems to exchange threat signatures. There is an opportunity for national CERTs to significantly improve the current systems to share unclassified information about threats automatically. Ideally these systems would be designed so that threat information goes out to organisations from the national CERT and information about possible data breaches returns immediately to be analysed.
Of course, the other benefit of well-designed automated systems could be that they automatically strip customer private information out of any communications; as with the sources and methods info, people’s details are not important (spear phishing being an exception). In most cases, I’d rather have a machine automatically removing my private details than some representative of my ‘friendly’ telecommunications provider or other organisation.
These things are all technically possible; the impediments are only organisational. Isn’t it funny, people are inherently optimistic, but don’t trust each other. It’s surprising civilisation has got this far.