Ron Kelson Pierluigi Paganini
by Ron Kelson – Vice Chair ICT Gozo Malta Project, Pierluigi Paganini – Director and CISO of Bit4ID, Italy and Benjamin Gittins – CTO Synaptic Laboratories Ltd.
Cyber security, civil liberties, our common welfare and the stability of Nations.
How bad is the cyber security situation really? If we have a serious security problem, how do we get ourselves out of this mess? In particular, what can I do to improve my situation and protect those I care about?
This is the fourth article in this series that quotes cyber security insiders to progressively answer these important questions. In the first week’s article we learnt that according to the U.S. National Security Agency (NSA) Information Assurance Directorate (IAD):
“There is no such thing as ‘secure’ anymore”.
Worse, critical aspects of today’s mainstream civilian cyber security ecosystem foundations are fundamentally flawed at the conceptual design, architecture and implementation levels. (See Synaptic Labs’ free 2012 “Annual Cyber Security Reports” online for the full blow-by-blow disclosure.) In the second article, we explored why weak cyber security is one of the most serious (inter)national security challenges we face today. We learnt how computers used in industrial systems can be hacked, and reprogrammed to make room sized power generators jump up and down, emit smoke, and shake themselves to pieces. We also learnt how “it is possible to contaminate the database upon which banking operates. [As] there is no gold standard, no dollar bills, so if you can just contaminate the data in one large bank, you could cause global banking to collapse.” Last week we looked at the perverse economic incentives favouring cybercrime. We also explored how inadequate resourcing (training and application of cyber security best practices) continue to expose our communities to cyber fraud, costing victims more than $388 billion worldwide in 2010-2011 and even bankrupting companies.
Last week in our discussion concerning “duty of care” in (cyber) risk management, we mentioned how occasionally we hear some security experts/vendors point the blame for poor security at users. Clearly better training of end-users and business managers would help reduce our collective risk. That said, we all know our software is unreliable and requires constant security patching. According to Brian Snow, former Technical Director of the U.S. NSA IAD (code making directorate):
“There are problems today in cyber security practice that impact the community as a whole, and we need to solve those problems soon. They are pervasive, ongoing, and getting worse, not better.” … “Right now, the community at large is applying the wrong or inadequate engineering practices, and taking a lot of short cuts. This adds greatly to our collective security risks.” Ultimately, this joint duty of cyber care must be shared between Governments, vendors, employers and employees.
This week we talk about that 8000 pound elephant sitting in the room; we will recall how systematically poor governance decisions around the world has undermined the community and resulted in severe risks to National, Regional and Global stability.
Between 1970 and 2000, individuals and organizations concerned with protecting their personal privacy and corporate secrets were engaged in heated discussions with governments around the world. They wanted the response-ability to employ high assurance security techniques and technologies to safeguard their legitimate interests, and the legitimate interests of their stakeholders. i.e. The ability to defend their domain. During that period of time, policies and legislation discouraged or outright prevented the private sector from building genuinely secure computing systems for the civilian community. The Australian Government – Department of Defence – Defense Signals Directorate website ( http://dsd.gov.au ) openly promotes their mission statement as: “Reveal Their Secrets – Protect our Own”. Unfortunately in the past, in practice, most Governments around the world defined “Their Secrets” as the private or sensitive data of any person or organisation not part of their own Government. To ensure easy *covert* access to historically unprecedented amounts of sensitive data Governments around the world systematically undermined and prohibited effective civilian cyber security. Not surprisingly, this made it possible for any malicious actor on the Internet to trivially exploit cyber vulnerabilities which should have been avoidable. Predictably this “Total Information Awareness” style policy has caused untold financial and personal damage to the global community, and now is undermining their own country’s economic stability.
Around 2000, the political environment in the West changed in favour of stronger civilian cyber security. Today, civilian ICT organizations have had 12 years to change their development practices… for the most part they have not. Generally speaking, the destructive momentum of low assurance (safety and security) development practices continued throughout the entire ICT industry. As a direct consequence, cyber fraud has cost victims more than $388 billion worldwide in 2010-2011 alone. Feelings of powerlessness and lack of justice continue to be felt by its victims worldwide.
Today Western Governments openly acknowledge that weak cyber security places the stability of (their) nations at risk. Increasingly the Information Assurance Directorates (IAD) of intelligence organisations are proactively supporting and empowering their civilian communities to protect their legitimate interests. Indeed, Governments are now making it extremely clear that there are many economic and social benefits to high assurance security and safety.
Governments and the civilian community as a whole must invest, develop, deploy and maintain strong information security techniques and best practices to protect the legitimate interests of all stakeholders.
Today, strong security is no longer seen as an economic burden. The official UK Government position published in their Cyber Security Strategy (2011) is:
“We will turn the threat into opportunity and make strong cyber security a positive for all UK businesses and part of the UK’s competitive advantage.”
On the other side of the equation, the proposed amendment to the EU Data Protection Law published on 26 Jan 2012 states:
“Companies found to have mishandled any personal data they hold – be it of their customers, suppliers or their own employees – will face “penalties of up to €1 million or up to 2% of the global annual turnover of a company.”
As we move forward, national and regional cyber strategies must balance the harmonic aspects of cyber defense and cyber offense. Recently Ross Anderson, the well known Professor in Security Engineering at the University of Cambridge, has openly published that he feels that some Governments are too preoccupied with building their cyber attack capabilities. You might ask: Why is this a problem? Cyber attacks rely on the existence of exploitable cyber vulnerabilities. An effective cyber defensive posture would be to discover those exploitable vulnerabilities, notify the ICT vendors (and charge them a large fine for discovering their faults), and ensure that patches are globally applied as fast as possible. The problem? Patching vulnerabilities then eliminates the ability to exploit that vulnerability in a cyber attack against your adversary…
Each intelligence community will have to decide for themselves: is it better to expose their own country to attacks that exploit known cyber vulnerabilities so they can attack others, or is it it better to protect the millions of Government, enterprise and personal computing systems in their country and let go of the attack capability against a few targets?
Are Nations going to invest in the ability to inflict pain, or will they invest in advancing the collective protection of the global community?
The stakes are high. A mistake on this point will expose all of us to unnecessary high risks and unnecessary pain.
We now briefly bring our attention to that other 8000 pound elephant also crammed in the room; the need for new cyber safety and security foundations. The US NSA Information Assurance Directorate (IAD) is calling the Civilian and Government ICT security industries to make radical changes to the way they design and develop their security technologies. According to a rare public statement made by Debora A. Plunket, Director of the US NSA IAD:
“There is no such thing as `secure’ anymore. … We have to, again, assume that all the components of our system are not safe, and make sure we’re adjusting accordingly.”
In the same way that the Global community has almost completely abandoned political dictatorships due to the dangers of having a `single point of failure’ in their architecture, the community at large must ultimately abandon security systems with single points of trust/security failure. Unfortunately, secure cyber-security foundations based on a system of checks-and-balances, as called for by the US NSA IAD and others, are not widely available today. Synaptic Laboratories Limited is one example of a company that has taken up the gauntlet, and has several projects under development to address these specific issues.
In closing, each of us has the ability to respond right now to protect our collective interests. According to Brian Snow (U.S. NSA IAD): “Each of us has the responsibility:
Working individually and collectively, applying “duty of care” and striving to protect the legitimate interests of all stakeholders, we can, and will, work our way out of this cyber mess. It might be true that there are seven billion people in the world and counting. It might be true (as the U.K. and U.S. Governments say) that our shared cyber problems can not be solved by one person or even one country. Nevertheless, what you do on a day-to-day basis makes a difference, and we need you on board. We look forward to working with you to secure (y)our world.
You can find all articles in this series online at www.independent.com.mt, and shortly in the news section at www.ictgozomalta.eu . You can find full citations to all materials referenced in this article, and related cyber security materials including Brian Snow’s presentation, at tinyurl.com/SynapticLabsAnnualReports2012 . Co-author Pierluigi Paganini, Director and CISO of Bit4ID, Italy has 20+ years of security experience and has many years of in-depth investigative cyber security journalism on important cyber events. Find his blog at: securityaffairs.co . ICT Gozo Malta is a joint collaboration between the Gozo Business Chamber and Synaptic Labs, part funded by the Ministry for Gozo, Eco Gozo Project, and a prize winner in the 2012 Malta Government National Enterprise Innovation Awards. www.ictgozomalta.eu has links to free cyber awareness resources for all age groups. To promote Maltese ICT to the world, we encourage all ICT Professionals to register on the online ICT GM Skills Register and keep aware of developments, both in Cyber Security and other ICT R&D initiatives in Malta and Gozo. For further details contact David Pace at email@example.com .