Security professionalisation is an issue that everyone involved in, or who cares about, societal resilience should be concerned about. I’ve just written an article for Security Solutions Magazine about the efforts that a new organisation, Security Professionals Australasia (SPA), is undertaking to work with the security industry and governments to improve the state of affairs.
The decision by the European Court of Justice to declare the Safe Harbour arrangements between the US and the EU invalid will have interesting repercussions not only for European citizens and companies such as Facebook and Google, but also for countries that increasingly rely on selling services overseas, like Australia and New Zealand.
The decision was made as a result of a case brought by Austrian citizen Maximilian Schrems about the use of his data by Facebook and, in particular, the practices of the US government as revealed by Edward Snowden.
“This judgment has the consequence that the Irish supervisory authority* is required to examine Mr Schrems’ complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer of the data of Facebook’s European subscribers to the United States should be suspended on the ground that that country does not afford an adequate level of protection of personal data.” (Court of Justice of the European Union press release, 6 October 2015, http://curia.europa.eu)
*Facebook’s European HQ is in Ireland.
Safe Harbour is an agreement that had been in place since 2000. It was supposed to extend EU-level protections to the private data that multinational companies collected about EU citizens, wherever that data was stored. This allowed Facebook to store EU citizens’ data in the US, or wherever was most efficient, but required the company to treat it to the EU’s standards rather than the more relaxed US standards.
The judgement is an indication of the deep unhappiness in Europe with the US’s cavalier approach to non-US citizens’ data. The US’s binary approach to citizen rights makes many non-US citizens bristle. It is like the Pax Romana of the Roman Empire 2000 years ago.
This decision will not ‘destroy cloud’ in Europe or elsewhere. However, it will require some reorganisation. In this, it will hurt second and third tier players more than Facebook, Amazon and Google.
Moreover, the decision will not seriously curb mass surveillance. The dirty little (not so) secret is that all countries spy on their citizens for mostly good reasons, including the Europeans. It’s just that the US is better at it than most others.
When the big players jostle, smaller countries feel the waves.
For Australian organisations, and not only those that hold EU citizens’ data, this decision should give pause for thought. Organisations that do not take privacy seriously, or only respect the privacy of a subset of their stakeholders, need to rethink their approach, if only because of the reputational damage a breach would cause in markets like the EU.
The Internet becomes less than one – Time for an International Law of Cyberspace
The Internet has never been one network for all. As much as some might wish otherwise, it is a motley collection of many nets with very minimal governance. The main effect of this decision is to further balkanise the Internet, in a similar way to content geo-blocking and country firewalls.
Smaller countries like Australia and New Zealand should be concerned. We need to be able to trade on an even playing field in services. And that means having an Internet that is common to us and our competitors, both in terms of technology and policy. We need common laws governing cyberspace as much as we need trade barriers on physical goods like rice to be reduced.
This is the time that Australia, New Zealand and similar countries should be pushing hard diplomatically for an international ‘Law of Cyberspace’ which achieves the equivalent that the conventions on the Law of the Sea achieved for maritime commerce. It took 300 years for the Law of the Sea to come to pass and it’s still being updated – let’s hope that the law of cyberspace takes much, much less time.
The loss of 4 million records reminds agencies that good Cybersecurity is repetitive and boring
The US Government announced on 4 June 2015 that the private information of at least four million current and former government workers had been compromised.
The intrusion occurred in systems owned by the US Office of Personnel Management (OPM), which handles government security clearances. It was detected in April 2015 but, in line with most other such intrusions, may have started in 2014.
The attack drew calls from politicians for legislation to strengthen the USA’s cyber defences. The US blamed China for the breach, though it is unclear how good its attribution information is.
The Boring but tremendously important bits
Reports in the New York Times indicated that OPM did not possess an inventory of all the computer servers and devices with access to its networks, and did not require multifactor authentication from anyone gaining access to its information from outside. OPM also did not regularly scan its systems for vulnerabilities, and an audit found that one third of the computer systems that were supposed to be certified as safe for use last year were not “operating with a valid authorization”.
Let’s be clear here: the answer for cybersecurity in organisations is good housekeeping!
Assess the business impact levels for your systems
Scan your logs
There are more things, like application whitelisting, but get those right and your organisation can do better than the US Government. The Australian Signals Directorate has published a number of guides for government agencies to help them mitigate targeted intrusions; its ‘Top 4’ mitigations (application whitelisting, patching applications, patching operating systems and restricting administrative privileges) are assessed by ASD to stop at least 85% of the targeted intrusions it responds to. They are worth checking out: http://www.asd.gov.au/publications/protect/top_4_mitigations.htm
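The three failures reported at OPM (no inventory of devices on the network, no multifactor authentication for external access, systems running without a valid authorisation) are exactly the kind of boring, repetitive checks that can be scripted and run every week. The script below is an added example, not code from the original post or from OPM; the inventory, authorisation dates, observed hosts and log lines are all constructed, and the `user=... src=... mfa=yes|no result=...` log format is assumed for illustration. Run the same logic over real exports of your CMDB, your authorisation register and your authentication logs.

```python
"""Weekly housekeeping checks of the kind OPM was reported to lack:
 1. every host seen on the network is in the asset inventory,
 2. every system is still covered by a valid authorisation to operate,
 3. every successful external login used multifactor authentication.
All data below is constructed for the example."""
from datetime import date
import ipaddress
import re

# Constructed asset inventory: what the organisation believes it owns.
INVENTORY = {
    "hr-db-01": {"ip": "10.0.1.10", "owner": "HR", "ato_expires": "2015-09-30"},
    "clearance-app": {"ip": "10.0.1.20", "owner": "Security", "ato_expires": "2014-12-31"},
    "web-proxy": {"ip": "10.0.2.5", "owner": "ICT", "ato_expires": "2016-03-31"},
}

# Constructed list of hosts actually observed on the network (e.g. from a
# network scan or DHCP/ARP tables). 10.0.3.77 is not in the inventory.
OBSERVED_HOSTS = ["10.0.1.10", "10.0.1.20", "10.0.2.5", "10.0.3.77"]

# Constructed authentication log; the line format is an assumption.
AUTH_LOG = """\
2015-04-02T08:01:12Z login user=alice src=10.0.5.12 mfa=yes result=success
2015-04-02T08:03:44Z login user=contractor7 src=203.0.113.9 mfa=no result=success
2015-04-02T08:05:01Z login user=bob src=198.51.100.23 mfa=yes result=success
2015-04-02T08:09:30Z login user=mallory src=203.0.113.40 mfa=no result=failure
2015-04-02T08:11:02Z login user=svc_backup src=10.0.1.10 mfa=no result=success
"""

# Address ranges treated as "inside"; everything else is external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) "
    r"mfa=(?P<mfa>yes|no) result=(?P<result>\S+)$"
)


def unknown_hosts(observed, inventory):
    """Hosts on the network that no inventory record claims."""
    known = {asset["ip"] for asset in inventory.values()}
    return sorted(ip for ip in observed if ip not in known)


def expired_authorisations(inventory, today):
    """Systems whose authorisation to operate lapsed before `today`."""
    return sorted(
        name for name, asset in inventory.items()
        if date.fromisoformat(asset["ato_expires"]) < today
    )


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_logins_without_mfa(log_text):
    """(user, source) pairs for successful logins from outside without MFA.
    Failed attempts are ignored here; they belong in a separate brute-force
    check. Unparseable lines are skipped, but in production count them too,
    because a log format change silently blinds this check."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["result"] != "success":
            continue
        if m["mfa"] == "no" and not is_internal(m["src"]):
            findings.append((m["user"], m["src"]))
    return findings


def housekeeping_report(today=date(2015, 4, 15)):
    """Bundle the three checks into one report dict."""
    return {
        "unknown_hosts": unknown_hosts(OBSERVED_HOSTS, INVENTORY),
        "expired_ato": expired_authorisations(INVENTORY, today),
        "external_no_mfa": external_logins_without_mfa(AUTH_LOG),
    }


if __name__ == "__main__":
    for check, result in housekeeping_report().items():
        print(f"{check}: {result}")
```

None of this is clever, which is the point: an unknown host, a lapsed authorisation and a contractor logging in from the Internet without a second factor are each a one-line finding, and the value comes from running the checks on a schedule and acting on the output rather than from the code.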
The answer is not more power for intelligence and law enforcement
Let’s keep it simple
Assess the business impact levels for your systems
Scan your logs
If you have to call in the men and women in dark suits from government agencies, you’ve lost the fight. Just as in the real world, if you have to call the cops, something is really wrong with your security.
Attribution is so, so hard in cyberspace; you have to be very lucky, and have deep pockets, to go after the crims.
Better to build your fence higher than those around you, but encourage your partners to build their fences higher too, because security is only as good as the weakest link.
Where might government focus its resources?
Rather than spending money on dealing with hacked systems after the fact, government would be far better off providing good advice, encouraging the education of cyber professionals, and encouraging software and hardware developers to produce secure code and systems.
Some commentators are complaining about how long it took the US to disclose the breach. At least the US has fessed up. In Australia, where there are no mandatory disclosure rules, it seems unlikely that a government agency would admit to this, despite the obvious importance of this to the victims who lost their personal data.
I repeat my call for mandatory data breach notification for all public and private organisations in all OECD countries.
Many Australian state and territory governments have created shared services functions for their ICT and human resources. The issue is that if the wrong people get access, as they did at the US OPM, then they potentially have access to everything.
Much has been made of the potential savings available to governments from centralising their data functions. Whilst this may be the case in the short term, like outsourcing, the return on investment over the long term is very much unproven. Shared services ICT functions aggregate data and create concentrated, high-value targets for organised criminals and national espionage groups. It is true that with shared services, ICT functions are able to afford more staff; the question is whether this advantage truly outweighs the dependencies on data that are created and the increased attractiveness of the target.
It is an open question whether decreasing the value of a system by decreasing its attractiveness, i.e. by decentralising it, can be used to lower business impact levels. It certainly makes intuitive sense: you should be able to hold the relative risk of a system constant by splitting it into multiple separate systems, whilst still giving the organisation what it needs in terms of integrity and availability. See, everybody’s happy!
When I was running Protective Security Policy, my team and I tried to address this with policies about aggregation of data and Business Impact Levels. Business Impact Levels are an excellent way of approaching agency cybersecurity on a holistic and strategic basis, because they take into account not only the confidentiality of information but also its integrity and availability. This allows the whole organisation to have a discussion about what it is willing to live with.
Human resources information like that compromised in the OPM hack becomes useless if the right people can’t access it easily and keep it up to date. In the case of OPM, the organisation faces a significant problem in doing its job of managing clearances, which requires the information to have good availability, against the traditional security argument to lock things down.
Organisations need to fulfil their function; in the minds of the executive, the confidentiality of information is always secondary to the primary mission.
Agency security advisers often find that they lose arguments on the basis of $$$, particularly in these times of shrinking government budget.
The way to make the argument is on the basis not of security but of finance.
Accountants understand risk, they just talk about it differently. Any CISO worth their salt needs to talk in terms of value, efficiency and reputation for the organisation they represent. Otherwise, they might as well be talking Cantonese to a Mandarin speaker.
Here’s a collection of links, which might be useful
The siege in a chocolate shop in Sydney’s CBD ended early this morning AEST. Three people died, including one purported to be the gunman, Man Haron Monis.
There will necessarily be intense scrutiny on the forces used to resolve a violent event. However, it is important to remember that they do not happen in isolation.
The factors that lead to these events are always complex and often have geo-political, sociological and psychological underpinnings. In this case the gunman was a convicted criminal who seems to have latched on to the idea of violent jihad to justify his own failings.
This is the time for cool heads. It is far more effective and efficient to invest in efforts which counter radicalism before it descends into violence. To that end, we should remember the quiet work of those who enfranchise the disenfranchised and seek to strengthen social cohesion.
It is these people, who make our way of life so great.
Governments at all levels must lead in these efforts. Politicians must remember, whatever their political colour, that radicalism is a complex societal issue, not a sound bite. Else we descend into barbarism.
As a society, we must remember that the work of all members of the civil society needs to be focussed on countering radicalism.
This event received so much coverage precisely because it is uncommon in Australia
Just remember that the reason this event received so much coverage in the media is precisely because it is so rare. And of course, it was across the road from the HQ of one of the big Australian TV channels.
Yet at the same time, across the world, six people died, one was wounded, and the gunman escaped in a shooting in Philadelphia. In that case, it seems that the gunman was a mentally disturbed ex-soldier.
Although it was reported, multiple shootings are depressingly common in the US. They are even more common in parts of Africa, and often the reports don’t even make it beyond the local news.
It all comes back to risk and societal resilience, because when citizens are allowed to panic, governments start using extreme measures in our names. Professionalism in risk and security is about understanding the difference between perception and reality and taking an evidence based approach to dealing with the issues.
In this part, we talk about some approaches to the trusted insider problem.
Organisations are asking “How can we stop employees becoming the next Edward Snowden?”
I think the question we should ask is why there aren’t more people like Edward Snowden. It is worth noting that the NSA is huge, with an unconfirmed staff count in the order of 30,000–40,000. One, or even ten, ‘rogue insiders’ is a very small percentage, even though the damage to the USA and its allies has been very significant.
Organisations, including intelligence organisations, develop very rigorous and reliable procedures to ensure that people who shouldn’t be trusted don’t join their organisations. Good recruitment practices which exclude people who won’t fit and don’t let people become insiders in the first place are the best defence. However, one of the hardest issues to manage is to deal with people who gradually become disgruntled after they’ve been working in an organisation for a while.
Of course, organisations can use infosec procedures such as internal surveillance mechanisms and information compartmentalisation. These can reduce the consequences wrought by trusted insiders. However, these mechanisms can inhibit the rest of the employee body from working at their full potential, and can affect staff morale if not carefully marketed. Interestingly, SIG attendees were told that the Attorney-General’s Department was considering a continuous disclosure regime for security clearances, which would provide information to security officials in real or near real time about whether employees were undertaking activities that might raise eyebrows.
A Sharing economy model?
Considering an organisational ‘sharing economy’ model may help when thinking about the trusted insider threat. The employee/employer relationship is one of mutual benefit. It can also be one of mutual harm.
Employees work for their organisation and their identity becomes entwined in the reputation and identity of that organisation. As mentioned previously, the trusted insider who does the wrong thing by their organisation does so for a number of reasons. The most dangerous have always been those motivated not by money or greed but by a grievance or revenge.
If we extrapolate using the NSA/Snowden example: the NSA has built up an impressive reputation over many years for technical excellence. But maybe some of its employees believed their employer’s propaganda. More importantly, it would seem that NSA’s management failed to make clear to its employees that intelligence agencies live in a grey world and do things that are morally grey. Consequently, people working inside the NSA seem to have been surprised when they found that some of the things it was doing were dark. Unfortunately for the NSA, brilliant people became disillusioned and turned against it.
This explanation is probably not the whole answer. However, a couple of thoughts arise, both of which may help to prevent future events:
Is it possible to develop an internal organisational market for the reputation of the organisation?
A meaningful alternative chain of reporting to vent frustrations is vital.
A market of organisational reputation
Many private and public organisations spend significant sums monitoring their public relations posture. There is benefit in understanding what the organisation thinks about itself as well. An anonymous reporting mechanism can give an organisation some information about whether it is ‘on the nose’. Such data might also be combined with metrics such as the number of relevant social media postings.
An alternative chain of reporting
Both the USA and Australia now have whistle-blower mechanisms for their intelligence services. In Australia, the Inspector-General of Intelligence and Security performs this role.
Many organisations in both the private and public sectors could consider the benefits of adopting aspects of this system. It obviously doesn’t work perfectly, but it certainly contributes to protecting the intelligence agencies from trusted insiders.
Mr Snowden has claimed that “he had raised alarms at multiple levels about the NSA’s broad collection of phone, email and Internet connections.” However, this is disputed by the USA. Whatever the truth of the matter, it seems that Snowden felt he wasn’t being listened to. So maybe the take-home is that the ‘alternate chain’ of reporting needs big teeth to make changes where real problems are identified. Balancing natural justice against the consequences of a breach is incredibly important, not only for the individual concerned but for the organisation itself, because, you know, people in organisations gossip about each other!
This is of course a governance issue, which makes it very tricky to get right. This is where Resilience Outcomes Australia can help your organisation, because the resilience and longevity of organisations is what we do.
Helping organisations protect themselves against trusted insiders
I attended the Security in Government (SIG) conference in Canberra earlier this month. I am somewhat biased, but I think SIG is probably the best annual security-related gathering in Australia.
Compared to a lot of international gatherings, SIG certainly holds its own. Although the US and German conferences in particular have glitz and size, the quality of the discussion and the more intimate nature of SIG are refreshing. SIG, as you may have guessed, is primarily targeted at government, but there are good lessons for all organisations to be had there. OK, enough of the fanboy…
The 2014 SIG theme was the ‘trusted insider’. Whilst the discussions were often very good, I wondered whether there are additional approaches to reducing the problem of the trusted insider. These approaches focus more on the relationship between employees and their organisations.
Who are the trusted insiders?
A trusted insider is somebody who uses their privileged access to cause harm to their employer or its interests. I’ll be a bit controversial here and note that whether these people are traitors, spies or whistle-blowers depends somewhat on perspective. In any case, these people evoke strong, almost visceral, emotions in many people.
Why are organisations so concerned about the trusted insider?
Despite fears about rogue hackers attacking organisations from the outside, the trusted insider is still considered the biggest threat to an organisation. In Australia and overseas, trusted insiders ‘going rogue’ have caused significant damage to national security, government agencies and private organisations. The harm done can be loss of secrets, money or even life.
Secrets: The most glaring examples in the information security space have probably come out of the USA in recent times. People like Edward Snowden and Chelsea (Bradley) Manning spring to mind in the national security sphere. However, some Swiss banks have also been stung by Bradley Birkenfeld, whom some in those establishments might call a trusted insider and the US tax agency would call a whistle-blower!
Money: Fraud is probably the most significant threat to private organisations from trusted insiders, particularly those in the finance and insurance industry. Sometimes the size of an event can be enormous, such as when $2 billion was lost in 2011 through ‘unauthorised transactions’ at a Swiss bank.
Life and property: Whilst we often focus on loss of information confidentiality, trusted insiders were also responsible for assassinating the Indian Prime Minister Indira Gandhi in the 1980s and for shooting fellow soldiers in the USA and Afghanistan in the last decade. There have also been a number of cases of ‘issue-motivated’ insiders harming organisations by damaging plant and equipment.
What motivates the trusted insider? C.R.I.M.E.S.
The motivations of trusted insiders are varied; however, they broadly fit under the standard drivers of criminal behaviour described by the mnemonic ‘CRIMES’:
Coercion – being forced, blackmailed or intimidated
Revenge – for a real or perceived wrong; it could be about disaffection and/or a grudge
Ideology – radicalisation or advancement of an ideological or religious objective
Money – for cash, profit, dosh, moolah, whatever you call it, and/or
Exhilaration or Ego – for the excitement, or because they think that they are in some way cleverer than their compatriots. Christopher Cook seemed driven by the excitement.
The USA’s “worst intelligence disaster” was Robert Hanssen, who might be described as an egomaniac.
Sex and personal relationships – the combination of sex and coercion is a lethal one.
Of course, some are also mentally fragile and may not have a motivation that is clear to others.
End of part 1
In the coming part, we talk about some approaches to the trusted insider problem.
One of the most important aspects of resilience in the information age is understanding the environment in which we exist. Resilience is adaptability in a changing environment, the more we understand that change, the less painful it is. Here are a few current issues that might help your cyber resilience.
Cyber Security Summit – Stanford November 2013
In the shadow of the Snowden revelations about the US and UK, security experts and leaders from more than 40 countries have been at Stanford University in California, USA for a gathering on cyber security.
If you have a sense of irony, you may have listened to the debate on Syria and compared it to the NSA / Snowden / Internet debate. US Secretary of State John Kerry has recently made broad, and I think reasonable, statements saying that President Assad had lost the moral authority to rule Syria. However, the same test can be applied to the USA:
The USA has lost its moral authority to control the Internet
through the activities of the NSA and other government agencies. The full text of Secretary Kerry’s Syria speech can be found via usembassy.gov. Of course, although the USA is the biggest culprit here, the UK, Canada, Australia and NZ have all been shown up.
China was prominently represented at the conference. The Minister of the State Council Information Office spoke about China’s problems. In his speech, Cai Mingzhao said that in the first six months of 2013, 20,000 websites were hacked and 8 million servers compromised. According to Minister Cai, this was a rise of 14% year on year.
It is good to read that Scott Charney, ex US Department of Justice and current Microsoft VP on privacy and security, is publicly calling for the US to disclose more about what it collects and what happens to that data. Few sensible people disagree that the US and its allies should use maximum efforts against terrorists.
The US has lost support because it has strayed from its stated goal of combatting terrorists towards industrial espionage, and has employed tactics, such as backdooring encryption algorithms, that compromise the majority in pursuit of that goal.
In other news
The Canadian Office of the Superintendent of Financial Institutions (OSFI) has released ‘Cyber Security Self-Assessment Guidance’ for Canadian financial institutions, which also provides good advice to any organisation looking for a template.
Unlike the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) Preliminary Cybersecurity Framework, which was released for public comment on October 22, 2013, the Guidance does not prescribe a common language or mechanism for financial institutions to control and manage cyber security risk, nor does it expressly build on existing standards, guidance and best practices for managing cyber security risk. In fact, in the Guidance, OSFI indicates that it “does not currently plan to establish specific guidance for the control and management of cyber risk.”
Rather, the Guidance sets forth an 11-page self-assessment template that sets out “desirable properties and characteristics of cyber security practices that could be considered by a FRFI [federally regulated financial institution] when assessing the adequacy of its cyber security framework and when planning enhancements to its framework.” Of course, if you’re a Canadian bank trying to do business in the US…
I can just imagine it: “Our little Johnny fixes our firewall whilst we sit him on the potty…” But seriously, of course keeping kids safe online is important in the same way as keeping them safe in the real world, but maybe they should learn to read first.
Over-classification in government continues to restrict information sharing according to a report by the US Department of Defense Inspector General.
Balance in Information Security
I’ve written previously about over-classification and why it needs to be actively countered in large organisations in the private sector and more importantly government. Getting the balance right in information security is critical to mission success.
There are a few key findings from the Inspector General’s report which will be no surprise for anybody who’s worked in a classified environment. The review sampled emails and documents classified by the US Defense Department and found:
100% of the emails reviewed were incorrectly classified or marked
Around 70% of the sample material (documents/ files) had ‘classification discrepancies’
I’d like to say it’s better in Australia, but I’m not confident. What is more interesting from a security perspective is the over-classification of material. The report states:
“we do not believe that those instances concealed violations of law, inefficiency, or administrative error; prevented embarrassment to a person, organization, or agency; restrained competition; or prevented or delayed the release of information not requiring protection in the interest of national security.”
Well, they would say that, wouldn’t they? But leaving my cynic’s hat off for the moment… OK, one passing comment: there is a difference between an organisational approach which tries not to conceal and the approach of individuals or groups within an organisation.
Unfortunately, the report doesn’t make many recommendations that will bring about change. In typical public-servant speak, it says:
We recommend that the Under Secretary of Defense for Intelligence and for Acquisition, Technology, and Logistics carry out the recommendations outlined in this report and continue to leverage the new Defense Security Enterprise, especially with regard to ensuring that Original Classification Authorities are fully engaged and accountable.
In any case, the report does acknowledge that
over-classification could unnecessarily restrict information sharing.
Hooray! Admittedly, a bit softer than I would like, but still important.
In this information age, as the Snowden revelations keep showing us, the US and its allies have access to huge swathes of information, but they can’t use it effectively to defend themselves or their allies.
The answer to this problem is not gathering more information! The 9/11 Report and scores of others keep telling us that we have the information in our databases, but we don’t use it effectively.
I’m not sure what the best analogy is here; maybe it’s a person whose brain is not properly connected to their muscles. They can see and hear everything, but they rarely succeed in reacting to any of these stimuli. The problem with this analogy is that somebody with locked-in syndrome desperately wants to make their limbs move. I’m not sure this is the case with intelligence agencies and sharing information.
This does seem to be the curse of too much information and not enough brainpower to analyse and use it properly, especially when you are looking for the terrorist needle in a haystack. Over-classification is a key issue in the fight against fast-evolving terrorist organisations.
The Four Corners program that aired tonight “In Google We Trust” was interesting if a little alarmist as these things sometimes are. But it did make some good points about privacy in the information age.
There was an interesting piece of information about the NSW Police licence plate tracking technology, which has been installed on about 200 police vehicles and has contributed to a database of several million pictures of cars, number plates and associated metadata.
Whilst the NSW Police were willing to explain what the technology did, they were unwilling to explain how it was being used or what protections were placed on the data.
Comments by Danny O’Brien from the Electronic Frontier Foundation emphasised that data held by US corporations about non-US citizens has none of the protections one might otherwise expect, despite the protestations of Google, Microsoft, Apple and others.
The assertion that Australian authorities might be circumventing Australian law by having US authorities ‘retrieve’ Australians’ data and hand it over to Australian authorities.
Revelations that a broad range of agencies, including Australia Post and the RSPCA (yes, the dog and cat people), were able to access Australians’ metadata with no legal oversight and little administrative control.
The poignant comment by one of the commentators that when information becomes available, people find a way of using it before actually thinking whether they should. This was followed by the question of whether in a democracy the government should know as much about you as it can, or whether there should be limits?
As an aside, it would seem that the US has been telling fibs when it said that the NSA PRISM system was used only to catch terrorists and that no economic espionage was undertaken. The Brazilians are rightfully annoyed after the latest Snowden leaks, reported in the Wall Street Journal, showed that the NSA targeted the Brazilian national oil company Petrobras. The article states:
In the past, the U.S. has harshly criticized Chinese hackers, for example, for allegedly engaging in industrial espionage. But the new allegations at the very least showed the NSA using corporate targets for training purposes. One of the slides presented on the show listed three reasons for spying—one was “economic.”
Have the NSA and GCHQ been building vulnerabilities into commercial encryption products?
If this is true, another argument for open source software has been made. Articles in the New York Times and the Guardian alleged that the NSA has been deliberately weakening the international encryption standards adopted by developers. One goal in the agency’s 2013 budget request was to “influence policies, standards and specifications for commercial public key technologies”.
The problem with this approach is that the NSA and GCHQ have two roles, and it would seem that they have failed to balance them. This is the question of intelligence equities. These organisations are charged with revealing the secrets of their enemies, but also with protecting the information of their own countries. By building back doors into software and hardware sold to unsuspecting customers, they are doing exactly what they have accused the Chinese of doing.
Moreover, the fact that these backdoor vulnerabilities exist means that others can find and use them: not just the NSA and GCHQ, but other nation states and cyber criminals too.
It is the ultimate hubris to think that the NSA and GCHQ are the only ones capable of discovering and exploiting these vulnerabilities. “If you want to keep a secret, you must also hide it from yourself.” (George Orwell, 1984.) No organisation as large as the NSA can do this forever.
Under President Clinton the USA tried to get manufacturers to build the ‘Clipper’ key-escrow chip into their devices, but the backlash was such that the US government withdrew support for the idea. What this information is telling us is that the NSA didn’t give up and found alternative means to realise the concept.
The only logical conclusion from this revelation is that the signals intelligence agencies are unable to both reveal the enemies’ secrets and protect those of their citizens at the same time. They should be split. The information assurance role should come under the control of the trade, infrastructure and industry portfolios.