Gavin E L Hall recently completed an MA in Terrorism, International Crime & Global Security with a specialisation in Cyber Security, wrote a dissertation entitled “Does the United Kingdom’s Cyber Security Strategy Represent a Missed Opportunity?”, and is seeking to develop conceptual understandings of the cyber-environment as a PhD candidate. He operates as a consultant on a range of security issues and offers bespoke analysis of corporate information risk management and security.
In 2011 the UK launched a Cyber Security Strategy with four core objectives. A detailed analysis of the arguments about how effective this has been can be found in my dissertation. My aim for this article is to translate that analysis into an enhanced corporate understanding that will have relevance for businesses of all sizes in dealing with what is commonly termed the “Cyber-Threat”.
The threat to business is actually twofold. Firstly, there is a threat that originates from information management and, secondly, one from crime that has some basis within the cyber-environment. I specifically don’t use the phrase Cyber-Crime because at the moment it has no settled meaning: what does, or doesn’t, constitute it has not been defined, and the process is wholly subjective. For example, the article http://www.mytrade.tv/2014/02/14/defeating-cyber-criminal/ highlights the use of CryptoLocker. Is this extortion or is this a cyber-crime?
Cyber-security has traditionally used the information technology CIA (Confidentiality, Integrity, Availability) model for identifying cyber-threats and developing strategies for a business to secure its hardware and data. Confidentiality is concerned with preventing the disclosure of information to unauthorised individuals or systems. Integrity is concerned with the data a company holds on its databases, or transmits, maintaining its accuracy and consistency. Availability means that the system, or the information, is available when needed. An intrusion, such as CryptoLocker, undermines one of these properties by targeting a weakness in a system. In the case of CryptoLocker it should be apparent that this is a threat to availability: the malware encrypts the files it can reach and, if no action is taken before its deadline expires, the information the business needs in order to keep operating is no longer available to it.
This is the traditional debate that is put forward and the one that most people will be familiar with. If you are a manager, someone with budget responsibility or a CEO, then you are probably familiar with these arguments for funding from your IT department, and also nervous about the emptying of the company bank balance to pay for the latest superb solution that will prevent these threats from reaching your company.
There is a cheaper and much more effective option, one that the UK government put into the Cyber Security Strategy as Objective #4: “The UK to have the cross-cutting knowledge, skills and capabilities to underpin all our cyber security objectives”. In short, improve education in relation to threats from the cyber-environment.
For a business of any size this can be conceptualised as The Human Firewall.
The Human Firewall clearly identifies that ultimately we as humans are the first and last line of defence in protecting company systems and information. I would advise people to look at the executive summaries of the yearly Verizon Data Breach Reports; they supply easy-to-understand figures that continually emphasise that over 80% of all cyber-intrusions globally could be prevented by good computer hygiene and minimal spending.
In practice this means that as a business you should ensure:
- The latest software updates for your systems are installed, and it is regularly checked that they are installed on all computers. In your organisation, who has responsibility for this? Is it the IT department, the individual, or do you sub-contract to a third party (and if so, how do you monitor that they are doing what they say)?
- Emails with unexpected attachments are not opened, especially files that end in .exe or .zip, and .pdf files are opened with caution.
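Both measures come down to a check that somebody in the business must actually perform. The Python script below, added here as an illustration and not part of the original article, automates the attachment half of it the way a mail gateway or a local screening tool would: it flags outright executables, the double-extension trick (a file named like "invoice.pdf.exe"), executables packed inside a .zip, and a .pdf that carries active content. The extension lists, the active-content markers and the sample attachments are assumptions constructed for the example, not a complete policy.

```python
"""Screen email attachments for the risky patterns behind the rule above.

Added example with constructed sample data; not code from the article.
"""
import io
import zipfile
from typing import Dict, List, Optional

# Assumption: a minimal list of extensions Windows will run on double-click.
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "pif"}
# Extensions an attacker uses as the *apparent* type in a double extension.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "jpg", "txt"}
# Archive types we open to look inside.
ARCHIVE_EXTS = {"zip"}


def risky_name(filename: str) -> Optional[str]:
    """Return a reason if the filename alone looks dangerous, else None."""
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext in EXECUTABLE_EXTS:
        if len(parts) > 2 and parts[-2] in DECOY_EXTS:
            return f"double extension: looks like .{parts[-2]} but is .{ext}"
        return f"executable attachment (.{ext})"
    return None


def risky_attachment(filename: str, data: bytes) -> List[str]:
    """Return the reasons an attachment should be quarantined (empty = allow)."""
    reasons: List[str] = []
    name_reason = risky_name(filename)
    if name_reason:
        reasons.append(name_reason)
    ext = filename.lower().rsplit(".", 1)[-1]
    if ext in ARCHIVE_EXTS:
        # Look inside the archive: a .zip is only as safe as its contents.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    inner = risky_name(info.filename)
                    if inner:
                        reasons.append(f"inside zip '{info.filename}': {inner}")
        except zipfile.BadZipFile:
            reasons.append("claims to be a zip but is not a valid archive")
    # PDFs are not blocked outright (the article says "with caution"), but a
    # PDF carrying script or launch actions is flagged. Assumption: a crude
    # marker check, not a real PDF parser.
    if ext == "pdf" and (b"/JavaScript" in data or b"/Launch" in data):
        reasons.append("PDF contains active content (/JavaScript or /Launch)")
    return reasons


def make_zip(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip so the sample mailbox needs no files on disk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample mailbox (contents are stand-ins, not real malware).
SAMPLES: Dict[str, bytes] = {
    "quarterly_report.pdf": b"%PDF-1.4 ... /Type /Catalog ...",
    "invoice.pdf.exe": b"MZ\x90\x00",
    "scan.zip": make_zip({"scan_0042.pdf.exe": b"MZ\x90\x00"}),
    "photos.zip": make_zip({"holiday.jpg": b"\xff\xd8\xff"}),
    "form.pdf": b"%PDF-1.4 /OpenAction << /S /JavaScript /JS (app.alert(1)) >>",
}


def screen(samples: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Run the check over every attachment and return the verdicts by name."""
    return {name: risky_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, reasons in screen(SAMPLES).items():
        verdict = "QUARANTINE: " + "; ".join(reasons) if reasons else "allow"
        print(f"{name}: {verdict}")
```

The point of the double-extension and zip-contents checks is that a user who has been told "don't open .exe files" still sees a PDF icon or a harmless-looking archive; the screening has to look at what the file actually is, not at what its name suggests.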
Notice that the two measures listed above have a negligible actual cost, but ensuring their proper implementation will negate almost all cyber-intrusion in your business. At the start of this article I highlighted a twofold threat. So far we have largely focused on the second element of the threat. It is now time to consider information management.
Having realised that we as humans are the most important element in ensuring the cyber-security of our business, the concept of The Human Firewall can be taken a stage further as we consider how information is managed. There are two strands to this, as the threat is both internal and external, so it is important to consider not only what an outsider could have access to but also what information is available to employees.
I would strongly urge all decision-makers to familiarise themselves with the structure that their business utilises for managing information, as opposed to just leaving it to the IT department, as in the words of a recent House of Commons Select Committee on E-Crime,
“The only sure way to protect your data [information] is not to collect [store] it in the first place”
Benjamin Franklin 1755
The above quote is often used but less often understood, as for such a simple statement it says a lot that is directly relevant to the world in 2014. A prevalent assumption exists that the world is changing and that this change is faster than at any previous point in history. For the purpose of this blog entry no challenge will be presented to that assumption, other than to highlight that the introduction of the telegraph provided a significant technological leap in information communication, and that the industrial revolution in general involved a significant transformation of how tasks were understood to be undertaken in the world. We haven't even touched on some of the specific technological advancements, such as the crossbow, machine gun, dreadnought or airplane. But we are told the world is changing at a fast pace and that this is unprecedented. It seems as though the motivation for such statements is to condition us, as citizens, to accept that change is going on, that we have to adapt and change with the times, and, as this is all happening so quickly, not to be surprised if there are a few teething problems along the way.
The significant problem that arises is that the knowledge and understanding of the vast majority of the populace (I would guesstimate 99.9% of the global population) is insufficient to comprehend how these changes will affect their traditional understanding of their own lives and right to privacy. The situation is further compounded because without this knowledge the ability to provide oversight is minimal.
Consider the two following big questions for information security:
- Where does jurisdiction lie on the internet? Is it where a company decides to have its HQ, where it does the bulk of its business, anywhere it conducts business, where its servers are located or, as the United States would like, with the United States?
(See the recent article from Independent on the Google case in the UK High Court for more information.)
- Is the internet neutral, and should we strive towards Net Neutrality? You search for some information and Google (most probably) decides via an algorithm what answers it will display for you. Therefore you don't actually get a response to your search query, but rather a Google-approved response to your search query. Consider the offline parallel: you go into the library and ask the librarian what information they have on 'subject X'. The librarian has political leanings, or maybe some pressure to promote a publisher's books because they help fund the library, so the results and information provided to you are not a true reflection of the information available but rather what is institutionally acceptable to the provider. Does it actually matter if the internet is not neutral?
(Forbes recently had a good review of both of the above situations utilising Verizon v. FCC as a case study, which is worthy of further reading.)
At present, even if an individual is sufficiently aware and motivated to attempt to provide oversight, they have no guarantee of receiving a response that is devoid of influence, or that a ready-made excuse for inaction is not present in the form of an 'it's not our jurisdiction' argument.
Now that your brains are ticking over with some of the potential problems consider the following two scenarios and how you would approach them.
1) You live in Dundee and are considering your position on Scottish Independence. How would you go about forming your opinion?
2) You live in Dundee and are considering your position on how Google collects and uses data. How would you go about forming your opinion?
Is it possible that if you utilised an internet search engine to provide you with information that you thought was relevant, the results could be skewed in a certain direction?
For example, suppose Google has decided that an independent Scotland would enable it to establish an operations centre with significant tax advantages. Would the search algorithm be tweaked to rank pro-independence results more favourably than unionist ones? Such levels of control happen in large parts of the world; in fact it could be argued that the Western 'free use model' is in the minority.
China has long controlled what its populace can or can't view on the internet. Iran, Libya, Syria and others have restricted access to the internet and to specific sites in recent years. Is it far-fetched to believe that private companies, with responsibilities to shareholders and profit margins, have the potential to act in a similar self-interested manner?
Google has been used as shorthand for the majority of this article as it is the significant player in data collection. It also uses the information it collects via Google Now, taking the data gathered from your search history and suggesting nearby options based on your searches, much like the way cookies are used to help provide targeted advertising, such as when Facebook starts displaying trainer advertisements just after you have searched for a new pair of trainers.
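The "you searched for trainers on one site, the advert follows you to another" effect works because an advertising network embedded on both sites sets a cookie on its own domain, and the browser sends that same cookie back from whichever site embeds the network. The Python model below, added here as an illustration and not part of the original article, simulates that exchange from both sides and then shows what changes when the browser refuses third-party cookies. The site names, the ad network "ads.example" and the cookie name "uid" are invented for the example; the visits are constructed inline.

```python
"""Model of cross-site tracking through a third-party cookie.

Added example; the domains, cookie names and visits are constructed
for illustration and do not describe any real network's behaviour.
"""
import secrets
from typing import Dict, List

TRACKER = "ads.example"  # assumption: fictional ad network embedded on both sites


class AdNetwork:
    """The tracker: issues one id per browser and records every page it is embedded on."""

    def __init__(self) -> None:
        self.profiles: Dict[str, List[str]] = {}

    def beacon(self, cookie: Dict[str, str], page: str) -> Dict[str, str]:
        # Request from the embedded resource: reuse the id the browser sent,
        # or mint a fresh one. The reply is the Set-Cookie for the tracker domain.
        uid = cookie.get("uid") or secrets.token_hex(8)
        self.profiles.setdefault(uid, []).append(page)
        return {"uid": uid}

    def choose_ad(self, cookie: Dict[str, str]) -> str:
        # Targeting: anything this id was seen doing on *any* site counts.
        history = self.profiles.get(cookie.get("uid", ""), [])
        return "ad: trainers" if any("trainers" in p for p in history) else "ad: generic"


class Browser:
    """Minimal browser whose cookie jar is keyed by the domain that set the cookie."""

    def __init__(self, tracker: AdNetwork, block_third_party: bool = False) -> None:
        self.tracker = tracker
        self.block_third_party = block_third_party
        self.jar: Dict[str, Dict[str, str]] = {}

    def visit(self, url: str) -> str:
        """Load a first-party page that embeds the tracker; return the ad shown."""
        # The tracker's cookie is a third-party cookie on every site but its own.
        sent = {} if self.block_third_party else dict(self.jar.get(TRACKER, {}))
        set_cookie = self.tracker.beacon(sent, url)
        if not self.block_third_party:
            self.jar.setdefault(TRACKER, {}).update(set_cookie)
        return self.tracker.choose_ad(set_cookie)


def run(block_third_party: bool) -> Dict[str, object]:
    """Search for trainers on a shop, then open an unrelated site."""
    net = AdNetwork()
    browser = Browser(net, block_third_party)
    browser.visit("shop.example/search?q=trainers")
    ad_on_social = browser.visit("social.example/feed")
    return {"ad_on_social": ad_on_social, "distinct_ids": len(net.profiles)}


if __name__ == "__main__":
    print("third-party cookies allowed:", run(block_third_party=False))
    print("third-party cookies blocked:", run(block_third_party=True))
```

With the cookie allowed, the network sees one id on both sites and serves the trainers advert on the social feed; with it blocked, the two visits are two unrelated ids and the advert is generic. Nothing the shop or the social site stores themselves is involved: the correlation lives entirely in the tracker's own cookie.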
During this process information that is personal to the individual is taken and used by a corporation for its benefit (sales or advertising revenue). Does this differ from a traditional shopping environment? Well, only the most attentive salesperson, or perhaps one working solely on commission as opposed to a minimum-wage zombie, is likely to attempt to lead you away from one particular selection to another brand that the store is trying to push at the moment. Actually, when you think about it like this, how much of the advice and feedback we receive offline could be considered neutral? Therefore, are we making unfair demands of the online world for neutrality, or is it that the populace as a whole is yet to make the conceptual leap that the information being provided is done so at a cost? The cost being the impartiality of the advice and the questionable targeted advertising (a modern equivalent of subliminal advertising?) techniques being employed. Furthermore, are we as citizens happy with this level of usage of our personal data, or would we like more or less?
Consider a further example: Google graduates from scanning your search history for potentially profitable information about you and begins to mine the contents of your 'private communications' (chat or message/email). Is this any different from utilising your search history, your information and your data for profit? People object more to the latter, but is it really any different from the former? Or are our expectations of privacy too high? A recent article in The Guardian examines the issue in depth and is well worth a look.
The world is changing. As a citizen it is our responsibility to ensure that the future of our liberty is safeguarded and that we do not sleepwalk into an oppressed world. The quest for control is inherent in the state system and countries are increasingly restricting the freedom of the internet. It is imperative that we do not give up liberty as the quest for increased security on the internet gains further traction in the coming decade.