Security Professionalisation in Australasia

Security Professionalisation in Australasia

Security Professionalisation is an issue that all who are involved or care about societal resilience should be concerned about. I’ve just written an article for Security Solutions Magazine talking about the efforts that a new organisation, Security Professionals Australasia (SPA) is undertaking to work with the security industry and governments to improve the state of affairs.

The article has been published in the latest edition of Security Solutions Magazine (Nov/Dc 2015) which is available at  http://www.securitysolutionsmagazine.biz/ 

(Disclosure of interest, Alex Webling is a member of SPA)

Climate sustainability and resilience

Resilience for organisations is bound to their adaptability to climate change both in the short and long term.

A review of US public companies shows a number of climate related risks and costs. Their ability to adapt and become resilient to climate change is starting to affect their finances.

The document reveals that USA S&P 500 companies are seeing climate change related risks increase in urgency, likelihood and frequency, with many describing significant impacts already affecting their business operations, according to a new report from CDP, which collects environmental performance information on behalf of investors.

company

Threats include damage to facilities, reduced product demand, lost productivity and necessitated write-offs. The impact of these threats being realised comes with costs that can reach millions of dollars.

Importantly, the proximity of the threat is quite near. 45% of the risks S&P 500 companies face from extreme weather and climate changes are current, or expected to fall within the next one-to-five years, up from 26% just three years ago. 50% of these risks range from “more likely than not” to “virtually certain”. This is up from 34% three years ago.

Around 60 companies describe the current and potential future risks and their associated costs in the research, which highlights excerpts from the companies’ disclosures to their investors between 2011 and 2013. Ironically, even NewCorp made the following contribution to the report.

“Climate projection models make it difficult to know exactly how business might be impacted by episodic weather events. However, it is clear from past severe weather events that some of News Corporation’s businesses are susceptible to such extreme weather.”(p6)

The media release accompanying the report asserts that

Dealing with climate change is now a cost of doing business

Making investments in climate change related resilience planning both in their own operations and in the supply chain has become crucial for all corporations to manage this increasing risk.

Resilience Outcomes has the skills and expertise to help your organisation develop its organisational resilience strategy to take into account how it will adapt to the changing environment. contact us via the form below or at [email protected] to discuss your needs.

Download the full report here

CDP is an international, not-for-profit organisation providing the only global system for companies and cities to measure, disclose, manage and share vital environmental information. We work with market forces to motivate companies to disclose their impacts on the environment and natural resources and take action to reduce them

 

SCADA CERT practice guide

ENISA has released a good practice guide for CERTs that are tasked with protecting industrial control systems  (SCADA).

The European Union Agency for Network and Information Security (ENISA) publishes a lot of advice and recommendations on good practice in information security. Necessarily, it has a European focus, but almost all the advice is applicable to systems in any region.

This SCADA CERT practice guide focuses on how Computer Emergency Response Teams should support Industrial Control Systems (ICS).The terms ‘ICS’ and ‘SCADA’ (Supervisory Control and Data Acquisition) are pretty much interchangeable.

SCADA systems were around before the Internet. The first systems were driven by mainframes and installed to control water and electricity networks. Since then, SCADA has become ubiquitous and systems that were initially designed to work on independent networks have been connected to the Internet.

Connecting SCADA to the Internet has many advantages. It increases system availability and reduces costs of connecting geographically disparate systems. At the same time, connecting SCADA to the Internet decreases system confidentiality and more importantly in this situation, system integrity.

CC Worldbank photo collection
Industrial Control Systems support every aspect of our daily lives. Photo CC WorldBank Photo Collection

The ENISA ICS guide tries to put together in one document, a guide for CERTs that are required to protect SCADA/ICS systems. Importantly, it doesn’t just focus on the technical capabilities required for operations, but also organisational capabilities and what it terms ‘co-operational capabilities’. This last part is important as computer emergency response teams can forget that they are part of a system and the system is only as strong as the weakest link. It is important to remember that preparation for things going wrong involves identifying people, resources and stakeholders that will be required. Developing relationships with other organisations will always pays dividends when an emergency occurs. This is where the ENISA advice is in some ways superior to the advice from the US DOE, although I acknowledge the attractive simplicity of some of their guidance.

It is good that the authors acknowledge that this area is one where there is limited experience and that the guide should be considered a ‘living document’. As usual in cyber-security protection, both technical expertise and organisational /management guidance are required.

 

More information available from ENISA

US DOE SCADA guide

 

 

Privacy in an information age – Does it exist?

The Four Corners program that aired tonight “In Google We Trust”  was interesting if a little alarmist as these things sometimes are. But it did make some good points about privacy in the information age.

  • There was an interesting piece of information about the NSW Police licence plate tracking technology which has been installed on about 200 police vehicles and has contributed to a database of several million pictures of cars, numberplates and associated metadata.
    • Whilst the  NSW Police were willing to explain what the technology did, they were unwilling to explain how it was being used or what protections were placed on the data.
  • Comments by Danny O’Brien from the Electronic Frontier Foundation emphasising  that data held for non-US citizens by US corporations has none of the protections that one might otherwise expect, despite the protestations of Google, Microsoft, Apple and others.
    • The assertion that Australian authorities might be using this to circumvent Australian laws by getting the US authorities to ‘retrieve’ Australians’ data and hand it over to Australian authorities.
  •  Revelations that a broad number of agencies including Australia Post and the RSPCA (yes the dog and cat people)  were able to access Australians’ metadata with no legal oversight and little administrative control.
  • The poignant comment by one of the commentators that when information becomes available, people find a way of using it before actually thinking whether they should. This was followed by the question of whether in a democracy the government should know as much about you as it can, or whether there should be limits?

As an aside, it would seem that the US has been telling fibs when it said that the NSA PRISM system was just used to catch terrorists and that there was no economic espionage undertaken. The Brazilians are  rightfully annoyed after the latest Snowden leaks reported in the Wall Street Journal show that the NSA targeted the Brazilian national oil company Petrobas.  The article states

 In the past, the U.S. has harshly criticized Chinese hackers, for example, for allegedly engaging in industrial espionage. But the new allegations at the very least showed the NSA using corporate targets for training purposes. One of the slides presented on the show listed three reasons for spying—one was “economic.”

A case of pot calling the kettle black I wonder?

 

privacy in the information age

 

NSA/GCHQ built vulnerabilities into encryption?

Have the NSA and GCHQ been building vulnerabilities into commercial encryption products?

If this is true, another argument for open source software has been made. Articles in the New York Times and the Guardian  alleged that  the N.S.A. has been deliberately weakening the international encryption standards adopted by developers. One goal in the agency’s 2013 budget request was to “influence policies, standards and specifications for commercial public key technologies,” .

The problem with this approach is that the NSA and GCHQ have two roles and it would seem that they have failed to balance them. This is the question of intelligence equities. These organisations are charged to reveal the secrets of their enemies, but also to protect the information of their countries. By building back doors into software and hardware being sold to unsuspecting customers, they are doing what they have accused the Chinese of doing.

Moreover the fact that these backdoor vulnerabilities exist, mean that others can find and use them, not just NSA and GCHQ but also other cyber criminals.

It is the ultimate hubris to think that NSA and GCHQ are the only ones capable of discovering and exploiting these vulnerabilities. “If you want to keep a secret, you must also hide it from yourself.”  George Orwell1984 . No organisation as large as the NSA can do this forever.

The USA tried under President Clinton to make all manufacturers insert a hardware ‘clipper’ chip  into their devices, but the backlash was such that the US government withdrew support for the idea. What this information is telling us is that the NSA didn’t give up and found alternative means to realise the  concept.

The only logical conclusion from this revelation is that the signals intelligence agencies are unable to both reveal the enemies’ secrets and protect those of their citizens at the same time. They should be split. The information assurance role should come under the control of the trade, infrastructure and industry portfolios.

 

You can find the NYT article here – http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?pagewanted=all 

You can find the Guardian article here – http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security

Hacking the spies – or how to counter the cyber insurgency

You may have seen some fairly alarmist reporting from the ABC about Chinese interests hacking ASIO, Australia’s version of the FBI.

Information Dominos 1

 

New espionage?

For those who haven’t seen it. The allegations come from the Four Corners program and relate to compromises of sub-contractors of ASIO. ASIO is building a huge new central office and it seems that the Chinese managed to get the blueprints for the building. ASIO is a hard nut for a foreign intelligence agency to attack, so the way to get there is to use their contractors.

The point is that this is not any different from what would have occurred during the cold war! The Chinese or Russians for that matter would have previously used their human intelligence networks. It seems likely that this information would have been a target 50 years ago just as much as now.

Information Dominos 2

What is different then?

The difference is the sheer quantity of attacks that are occurring. We have moved from the Cold War, where the superpowers fought their battles in small third countries such as in South America, Africa or the Middle East to the new paradigm – the cyber insurgency. The wars between the superpowers have moved onshore to the malls and industrial parks of our cities and then they disappear. The authorities and companies are never quite sure who to trust and when / where the insurgent hackers will reappear.

The guerrilla must swim in the people as the fish swims in the sea.” –Aphorism based on the writing of Mao Zedong

Previously foreign intelligence agencies needed to identify targets and then find resources to compromise them. The new method is to attack anything that might be interesting and suck up whatever comes back. Spies no longer have the difficulty to get the information, they have the challenge to find the needles in the haystack. And they don’t differentiate between business and government. According to reports in the New York Times and a detailed report by Mandiant, any organisation that doesn’t protect its information security, whether private or public is potentially compromised.

4d

How can my organisation protect itself?

Paraphrasing the principles of counter-insurgency as espoused by David Galula and Robert Thompson

– the aim of the war is to gain the support of the population rather than control of territory

– most of the population will be neutral in the conflict.

– support of the population may be lost. The population must be efficiently protected to allow it to cooperate without fear of retribution

– in the guerilla phase of an insurgency, a government must secure its base areas first

Using these principles we can identify a strategic direction

The way to deal with an insurgency is through hearts and minds.Information Dominos 6

Organisations, whether government agencies or business need to share information with their public and other organisations. Only in this way can they create defence in-depth and help them protect themselves. The attacks on ASIO demonstrate that an organisations’ security is only as good as the weakest link. Importantly, the perimeters of risk in any organisation do not stop at the front door- if they ever did. Organisations suffer from hubris if they believe otherwise. This is why the concepts of deperimeterisation as espoused by the Jericho Foundation and others are so useful.

Organisations need to work out what they need to protect and set about protecting that. Declassification, although counter-intuitive is one way that can help organisations work out what information is valuable.

Organisations need to be adaptable and willing to work with the fact that most information will become available to their adversaries. They need to take advantage of the information in the intervening time.

By making information security central to their organisational decision process, organisations can become more adaptable to this evolving threat. This means moving the security officer from the corner office to the top-level of the organisation. In turn, the security officer needs to change his/her attitude from the ‘computer says no’ person, to the one who says, yes, this is the best way we can do it to make the organisation’s aims with tolerable risk.

Such an organisation is indeed resilient.  Change needs to come in the leadership of government and organisations to deal with it. I’m not sure they understand how big this challenge will be.

Information, if you don't protect it, it just fades away
Information, if you don’t protect it, it just fades away

 

Back To Top

 

Privacy, public surveillance, terrorism

Is Privacy overrated, or should we just think about it in a more balanced way?

Richard Posner (US Judge) in an opinion piece in the NY Times has responded to NY Mayor Bloomberg’s view that there should be a more welcoming attitude towards surveillance cameras.  Bloomberg argues that the US Constitution should be changed to allow more surveillance. Posner makes a good point about Surveillance use in public spaces.

It seems likely that if the Boston bombers hadn’t been caught soon, they would have continued their killing, whether in Boston or NY, only they can say definitively.

surveillance cameras by Jonathan Mcintosh
Surveillance cameras in NY – Photo by Jonathan Mcintosh – http://www.flickr.com/photos/jonathanmcintosh/

I think most people can accept that surveillance cameras should be used in public spaces. They may also be contributing to a general decrease in lawlessness in public spaces, especially in the UK where there are apparently up to 4 million. The question in my mind is always about what is done with the footage. I have fewer problems personally with government agency use of surveillance in a society where somebody watches the watchers than the use by ‘marketers’ of surveillance in shops and ‘semi-private’ places.

The argument against surveillance cameras being linked up is always the fallacy of the slippery slope. I suspect we should all just get used to being watched in public.

In any case, it is probably time for politicians in democratic countries to “Suck it up” and have an honest conversation with the public about privacy, both online and offline.

PS – Of course, when Google glass becomes a mass market item, your life and mine will be 720p movies for ourselves and other people. We won’t say, remember when you were “insert embarrassing event”, we’ll just play it from the memory…. Maybe Minority Report wasn’t so wrong after all – even if Tom Cruise starred. 🙂

 

 

Online trusted identities – a primer

“Trust is the currency of the new economy”

You may have heard recently about the efforts being promoted by the USA and Australia amongst others to promote trusted online identities. There are also significant efforts in the private sector to develop online trust systems.

Trust will be the currency of the new economy as it was in the mediaeval village. During the late 19th and early 20th Century, formal identity credentials gradually replaced more informal systems of identifying people that we interacted with. Increasing population and technology drove this change. It was simply impossible to know everybody that you might deal with and so societies began to rely on commonly used credentials such as drivers’ licences to prove identity and ‘place’ in society. Of course, drivers’ licences don’t say much if anything about reputation. But if you think about  high value financial transactions you establish your identity and then you give a mechanism to pay for the transaction. Although in most cases it wouldn’t matter who you are, it gives the vendor some comfort that the name on your driver’s licence is the same as on your credit card and makes it just that bit more difficult to commit fraud on the vendor if the credit card isn’t legit. However this isn’t the case with interbank lending. Most of this is done on a trust basis within the ‘club’ of banks and it is only at a later time that the financials are tallied up for the day.

You can’t trust who or what is on the other end of the keyboard just because of what they say

What is a trusted ID?

Most simply, trusted online identity systems are the online equivalent of a physical credential such as a drivers’ licence used to give evidence of identity online. They can (but don’t have to) also be the basis for online reputation. They may also say something about the rights of the credential holder, such as that they are a resident in a particular country.

Which countries are developing trusted identity systems

The program in the USA is called NSTIC – National Strategy for Trusted Identities in Cyberspace. In Australia, the Prime Ministers’ department has been investigating the possibility of a trusted identity system as part of its work on a cyber policy paper which was due to be released ‘early in 2012’. At the same time, Australia has undertaken a number of processes of service delivery reform, government 2.0 and e-health. All without necessarily solving the problem of identifying whom they are dealing with online. The USA has gone beyond the planning stage and announced that it will move forward on development. As I mentioned recently. NIST has announced grants for pilot projects in NSTIC.

Some countries have already implemented online identity systems simply by migrating their physical identity cards online and allowing these to be used as trusted online systems. A number of Asian countries including Malaysia, Hong Kong and Singapore have proportions of their online services available through such means. Estonia probably leads the world in online service delivery with around 90% of the population having access to an online ID card and around 98% of banking transactions being via the Internet. More information at the Estonia EU website. While NSTIC was issued by the USA government, it calls for the private sector to lead the development of an Identity Ecosystem that can replace passwords, allow people to prove online that they are who they claim to be, and enhance privacy.  A tall order which runs the risk of creating an oligopoly of identity systems driven by corporate interests and not one which suits users. It may be a signal of things to come that Citibank and Paypal have recently been accepted to lead development of the NSTIC. There are also a number of private sector initiatives which come at the issue from a different perspective. Beyond Paypal, Google Wallet and the recently announced Apple Passbook are interesting initiatives which give some of the attributes of a trusted identity.

Why might we want one?

As more services go online from both government and business and more people want to use them there will be an increased demand for a way of proving who you are online without having to repeat the process separately with each service provider. In some ways this is already happening when we use PayPal to buy products not only on eBay, where it originated but also on Wiggle.co.uk and many others. The problem is that different services need different levels of trust between the vendor and the purchaser. Thinking about a transaction in terms of risk… The majority of private sector transactions online carry equal risk for both the vendor and customer. In that the customer risks that he or she won’t get a product or service from the transaction and the vendor risks that they won’t get the cash. Here online escrow services such as Transpact, or PayPal can help.

Where this doesn’t work well is where there complexity to the transaction.  The banking or government services sector are key areas where this is the case. Here the vendor must know their customer. One area might be analysing whether a customer can pay for a service on credit. Another is in applying for a passport, you need to prove that you are a citizen and pay a fee. However, the intrinsic value of the passport is far greater than the face value, as shown by the black market price. The result to the government if it issues the passport to the wrong person is not the value of the nominal fee, but closer to the black market value of the passport.

As a result, we are at an impasse online, in order for more ‘high trust’ services to go online the community has to have more trust that people are who they say they are.

Who might need a trusted identity?

If you take the Estonian example, 90% of the population. Most of us carry around some form of identity on our persons that we can present if required. In some countries, it’s the law that a citizen must carry their identity card around with them. In Australia and Canada and other countries, it’s a bit more relaxed. In the end the question will be whether a trusted id is used by customers and required by vendors. This will be influenced by whether there are alternative ways of conveying trust between people and institutions which are independent of the concept of identity in the traditional sense of the word

Next time:

What are the security and safety implications of a trusted identity and a discussion of about social footprint and whether this may overtake government efforts

 

Visualising organisational resilience

Resilience

I’ve been trying to summarise organisational resilience into a form that can be visualised for some of the people who I’m working with. The key has been to summarise the thinking on resilience as succinctly as possible.

Apart from the diagram you can see, the text below attempts to give concise answers to the following questions

  1. What is it (Resilience)?
  2. Why should my organisation care about resilience?
  3. Why is detailed planning not working anymore (if it ever did)?
  4. What’s the recipe for resilience?
  5. How does an organisation develop these characteristics?
  6. Resilience before and after (a crisis)
  7. How does nature do resilience?

 

Resilience in a mindmap

Visualising resilience is itself an exercise in complexity

The diagram should be A3, so You can download a pdf version here resilience in a mindmap PDF

Let me take you on a journey …

What is it?

Resilience is about the ability to adapt for the future and to survive. Whether that is for an organisation, country or an individual.
What seems sometimes forgotten is that the adaptation is best done before a crisis!
And here Resilience is more an organisational strategic management strategy, and not a security protocol. In this sense, Resilience is the ‘why’ to Change Management’s ‘how’

Why should my organisation care about resilience?

Research shows that the average rate of turnover of large organisations is accelerating. from around 35 years in 1965 to around 15 years in 1995. Organisations that want to stick around need to adapt with the changing environment.

Organisations know that they need to change to survive, but today’s urgency overrides the vague need to do something about a long term problem.  For this reason, crises can be the  catalyst for change.

Resilience is about dealing with organisational inertia, because the environment will change. The more successful an organisation has been in the past, the more difficult it will be to make change and so it becomes susceptible to abrupt failure. Miller coined the term ‘Icarus Paradox‘ to describe the effect and wrote a book by the same name. Icarus was the fictional Greek character who with his son made wings made from feathers and wax, but died when he flew too close to the sun and the wax melted, causing the feathers to fall out of the wings.

It is possible that Eastman Kodak is the best example of this trait. An organisation that was very successful between 1880 and 2007, Kodak failed to make the transition to digital and to move out of film fast enough.

Why is detailed planning not working?

Simply put, the world is too complex and the outliers becoming more common

  1. increasing connectedness – interdependencies leading to increasing brittleness of society/organisations  – just in time process management – risks, in rare instances, may become highly correlated even if they have shown independence in the past
  2.  speed of communication forces speedier decisionmaking
  3. increasing complexity compounds the effect of any variability in data and therefore the uncertainty for decisionmakers
  4. biology –  we build systems with an optimism bias. Almost all humans are more optimistic about their future than statistically possible. We plan for a future which is better than it is and do not recognise the chances of outlier events correct. Additionally, we plan using (somewhat biased) rational thought, but respond to crises with our emotions.

So if

  • we can’t predict the outlier events and
  • this makes most strategy less useful– especially that which is written and gathers dust without being lived ,

maybe we can be more resilient when we run into the outliers. What Taleb calls the Black Swans in the book of the same name.

Taleb’s book is available from Book Depository and is well worth the read, even if he can’t help repeating himself and dropping hints about fabulous wealth.

What’s the recipe for resilience?

Bad news, there isn’t a hard recipe for a resilient organisation, just like there isn’t one for a successful company, but they all seem to share some common attributes such as:

  • Agility and the ability to recover quickly from an event and,
  • an awareness of their changing environment and the willingness to evolve with it amongst others.

How does an organisation develop these characteristics?

It is a combination of many things –

  • developing an organisational culture which recognises these attributes which is supported and facilitated from the top of the organisation;
  • partnering with other organisations to increase their knowledge and reach when an event comes; and
  • Lastly engaging in the debate and learning about best practices

 Resilience before and after (a crisis)

But is resilience just one set of behaviours or a number.  When we think of resilient organisations and communities, our minds tend to go to the brave community / people / organisation that rose up after a high consequence event and overcame adversity. These people and organisations persist in the face of natural and manmade threats. Numerous examples include New York after the September 2001 events; Brisbane after the floods in 2011; and the Asian Tsunami in 2004.

However there is another set of actions which are more difficult in many ways to achieve. This is the capacity to mitigate the high consequence, low likelihood events or the creeping disaster before a crisis is experienced. The US behaved admirably in responding to the 9/11 terrorist disaster after it had occurred, but as the 9/11 Commission Report notes, terrorists had attempted on numerous occasions to bring down the World Trade Center and come quite close to succeeding.

In this thought may be one of the best argument for blue sky research. Serendipity – wondering through the universe with your eyes open to observe what’s happening around you, rather than head down and focussed only on one task – is this the secret to innovation?

How does nature do resilience ?

Life becomes resilient in that it is replicated wildly so that many copies exist, so that if some number fail, life can continue. Individual creatures carry DNA, which is all that needs to be replicated. Those creatures compete with each other and the environment to become more and more efficient. An individual creature may or may not be resilient, but the DNA is almost immortal.

How an organisation achieves this is the challenge that every management team needs to address. Over the next posts I will expand more

😉

back to top

In cyberspace, if you don’t share, you don’t survive

This might seem a brave call when talking about cyber-security threat information. But the truth is that the cyber world forces a new paradigm on security. The tools that are familiar in the offline world for providing elements of security, such as obscurity, tend to benefit the attackers rather than the defenders, because the very advantages of the online world, things like search and constant availability are also the online world’s greatest weaknesses. What matters most in the online world is not what you know, but how fast you know and make use of the information you have.

I’ve been reading the Cyber Security Task Force: Public-Private Information Sharing report, and I think its worth promoting what it says. It presents a call to action for government and companies in the US to improve information-sharing to prevent the increasing risks from cyber attacks on organisations, both public and private. The work was clearly done with a view to helping the passage of legislation being proposed in the USA, however..

 Most, if not all the findings made could be extrapolated to every advanced democracy around the world. 

 If you are familiar with this field, much of what has been written will not be new, as we have been calling for the sorts of measures that are proposed in the report since at least 2002. That does not mean that the authors haven’t made a valuable contribution, because they have made recommendations about how to solve the problem. Specifically they recommend removing legislative impediments to sharing whilst maintaining protections on personal information.

According to the authors: From October 2011 through February 2012, over 50,000 cyber attacks on private and government networks were reported to the Department of Homeland Security (DHS), with 86 of those attacks taking place on critical infrastructure networks. As they rightly point out, the number reported represents a tiny fraction of the total occurrences.

As is the case in many areas of security, the lack of an evidence base is at the core of the problem, because it creates a cycle where there is resistance to change and adaptation to fix the problems efficiently and effectively.

 Of course, the other thing that happens is that organisations don’t support an even level of focus or resourcing on the problem, because, most of the time, like an iceberg, the bit of the problem that you can ‘see’ is comparatively small.

To make matters worse, new research is telling us that we are optimistically biased when making predictions about the future. That is, people generally underestimate the likelihood of negative events. So without ‘hard’ data, and given the choice of underestimating the size of a problem or overestimating it, humans that make decisions in organisations and governments are likely to underestimate the likelihood of bad things happening. You can find out more about the optimism bias in a talk by Tali Sharot on TED.com

The cost differential to organisations when they don’t build in cyber security, are unable to mitigate risks and then need to recover from cyber attacks is significant. This cost is felt most by the organisations affected, but its effects are passed across an economy.

So what can be done to break this cycle of complacency? Government and industry experts have long spoken about the need for better sharing of information about cyberthreats. I was talking in public fora about this ten years ago.

The devil is in the detail in the ‘what’ and the ‘how’. Inside the ‘what’ is also the ‘who’. I’ll explain below

What should be shared, who should do the sharing – and with whom?

Both government and industry, whilst they generally enthusiastically agree that there should be sharing, think that the other party should be doing more of it and then come up with any number of excuses as to why they can’t! For those who are fans of iconic 80’s TV, it reminds me of the Yes Minister episode where the PM wants to have a policy of promoting women and in cabinet each minister enthusiastically agrees that it should be done, whilst explaining why it wouldn’t be possible in his department. In government, the spooks will tell you that they have ‘concerns’ with sharing, ie they want to spy on other countries and don’t want to give up any potential tools. It’s no better in industry, companies don’t have an incentive to share specific data, because their competitors might get some kind of advantage.

The UK has developed perhaps the most mature approach to this. UK organisations have been subject to a number of significant cyber attacks and government officials attempt to ‘share what is shareable’. The ability to do this may be because of the close relationship between the UK government and industry, developed initially during the time of the Troubles in Ireland and has been maintained in one form or other through the terrorism crises of this Century. It remains to be seen whether the government will be able to maintain these relationships and UK industry will see value in them as the UK and Europe struggle with short-termism brought on by the fiscal situation.

Australia has also attempted to share what is shareable, however as the government computer emergency response team sits directly within a department of state this is very difficult. It seems that the CERT does not have a clear mission. Is it an arbiter of cyber-policy and information disseminator, or an operational organisation that facilitates information exchange on cyber issues between government and industry?

This quandary has not been solved completely by any G20 country. Indeed, it will never be solved, it is a journey without end. It is possible that New Zealand has come closest, but this seems to be because of the small size of the country and the ability to develop individual relationships between key people in industry and government. Another country that is doing reasonably well is South Korea – mainly because it has to, it has the greatest percentage of broadband users of any country and North Korea just a telephone line away. The Korean Internet security agency – KISA brings together industry development, Internet policy, personal information protection, government security, incident prevention and response under one umbrella.

For larger countries, I am of the view that a national CERT should be a quasi-government organisation that is controlled by a board comprised of:

  • companies that are subject to attack (including critical infrastructure);
  • network providers;
  • government security and
  • government policy agencies.

In this way, the CERT would strive to serve the country more fully. There would be more incentive from government to share information with industry and industry to share information with government. With this template, it is possible to create a national cyber-defence strategy that benefits all parts of the society and provides defence-in-depth to those parts of the community that we are most dependent on, ie the critical infrastructure and government.

Ensuring two-way information flow within the broader community and with industry has the potential to provide direct benefits for national cyber-security and for the community more broadly. Firstly, by helping business and the community to protect itself. Secondly, for government, telecommunications providers and the critical infrastructure in the development of sentinel systems in the community, which like the proverbial canary in the coalmine, signal danger if they are compromised. Thirdly, by improving the evidence base through increased quality and quantity of incident reporting – which is so often overlooked.

Governments can easily encourage two-way communication by ‘sharing first’. Industry often questions the value of information exchanges, because they turn up to these events at their own expense and some government bigwig opens and says ‘let there be sharing’ and then there is silence, because the operatives from the three letter security agencies don’t have the seniority to share anything and the senior ones don’t understand the technical issues. I am not the first person to say that in many cases (I think 90%), technical details that can assist organisations to protect their networks do not need to include the sensitive ‘sources and methods’ discussion. By that I mean, if a trust relationship exists or is developed between organisations in government and industry and one party passes a piece of information to the other and says “Do x and be protected from y damage”, then the likelihood of the receiving party to undertake the action depends on how much they trust the provider. Sources and methods information are useful to help determine trustworthiness, but they are not intrinsically essential (usually) to fixing the problem.

As the Public-Private Information Sharing report suggests, many of the complex discussions about information classification/ over-classification and national security clearances can be left behind. Don’t get me wrong; having developed the Australian Government’s current protective security policy framework, I think there is a vital place for security clearances and information classification. However, I think that it is vastly over-rated in a speed of light environment where the winner is not the side with the most information, but the side that can operationalise it most quickly and effectively. Security clearances and information classification get in the way of this and potentially deliver more benefit to the enemy by stopping the good guys from getting the right information in time. We come back to the question of balancing confidentiality, integrity and availability – the perishable nature of sensitive information is greater than ever.

How should cyber threat information be shared?

This brings me to the next area of concern. There is also a problem with how information is shared between industry and government, or more importantly the speed with which it is shared. In an era when cyber attacks are automated, the defence systems are still primarily manual and amazingly, in some cases rely on paper based systems to exchange threat signatures. There is an opportunity for national CERTs to significantly improve the current systems to share unclassified information about threats automatically. Ideally these systems would be designed so that threat information goes out to organisations from the national CERT and information about possible data breaches returns immediately to be analysed.

Of course, the other benefit of well-designed automated systems could be that they automatically strip customer private information out of any communications, as with the sources and methods info, peoples’ details are not important (spear phishing being an exception). In most cases, I’d rather have a machine automatically removing my private details than some representative of my ‘friendly’ telecommunications provider or other organisation.

These things are all technically possible, the impediments are only organisational. Isn’t it funny, people are inherrently optimistic, but don’t trust each other. Its surprising civilisation has got this far.

CERTs – Computer Emergency Response Teams


References

1How Dopamine Enhances an Optimism Bias in Humans. Sharot, T; Guitart-Masip, M; Korn, c; Chowdhury, R; Dolan, R. CURRENT BIOLOGY. July 2012. www.cell.com

2 Yes Minister Series 3, EP 1 – “Equal Opportunities” 1982