how to thinkclearly about (cyber) security @alecmuffett www.alecmuffett.com green lane security www.greenlanesecurity.com v2.0 @alecmuffett www.greenlanesecurity.com
how to thinkclearly about security @alecmuffett www.greenlanesecurity.com
how to thinkclearly about cybersecurity @alecmuffett www.greenlanesecurity.com
...a bit toopolemical? @alecmuffett www.greenlanesecurity.com
1 there is a word cybersecurity @alecmuffett www.greenlanesecurity.com
2 this word is both a metaphor and a model for thinking about the challenges of information and network security @alecmuffett www.greenlanesecurity.com
3 this model,with perhaps one exception, is unsuited to describe the challenges of information and network security @alecmuffett www.greenlanesecurity.com
4 this model has been adopted by state actors as key to discussion and/or strategic consideration of information and network security @alecmuffett www.greenlanesecurity.com
5 strategy based upon this model tends to be misconceived, expensive, and of an illiberal nature @alecmuffett www.greenlanesecurity.com
6 unless diluted with other perspectives, this model is a lever for increased state control of information and network security that will harm the evolution of the field @alecmuffett www.greenlanesecurity.com
1 cybersecurity: what does it mean? @alecmuffett www.greenlanesecurity.com
UN TIL R ECE N TLY @alecmuffett www.greenlanesecurity.com
a long timeago in a novel far far away... @alecmuffett www.greenlanesecurity.com
virtual reality, a real virtuality @alecmuffett www.greenlanesecurity.com
cyberchildren “digital natives” @alecmuffett www.greenlanesecurity.com
digital, virtual =interesting, virtuous @alecmuffett www.greenlanesecurity.com
are we meantor predisposed to dislike ‘cyber’ ? @alecmuffett www.greenlanesecurity.com
2 what model does it represent? @alecmuffett www.greenlanesecurity.com
described as aspace @alecmuffett www.greenlanesecurity.com
people meet ina space @alecmuffett www.greenlanesecurity.com
wars are wagedin a space @alecmuffett www.greenlanesecurity.com
underlying assumption isthat cyberspace is sufficiently like realspace and much the same rules can apply @alecmuffett www.greenlanesecurity.com
3 themodel is a mostly-bad fit to reality? @alecmuffett www.greenlanesecurity.com
cyberspace is notlike realspace @alecmuffett www.greenlanesecurity.com
theft in realspace • if I steal your phone • you no longer have it • it is gone @alecmuffett www.greenlanesecurity.com
theft in cyberspace • if I steal your data • you still have it • unless I also destroy your copies • assuming you haven’t backed-up your data • you no longer have secrecy • not the same as “loss” @alecmuffett www.greenlanesecurity.com
later debate: is intellectual property theft actually theft (ie: crime) ... @alecmuffett www.greenlanesecurity.com
... or isit like copyright infringement and/or patent infringement (ie: typically a tort)? @alecmuffett www.greenlanesecurity.com
(ask a lawyer.pay him.) @alecmuffett www.greenlanesecurity.com
“An area ofInternet the size of Wales is dedicated to cybercrime!” @alecmuffett www.greenlanesecurity.com
social media asa country: Twitter @alecmuffett www.greenlanesecurity.com
@AlecMuffett ~ 1,662 followers @alecmuffett www.greenlanesecurity.com
@MailOnline ~61,024 followers @alecmuffett www.greenlanesecurity.com
@GuardianNews ~321,287 followers @alecmuffett www.greenlanesecurity.com
Can a casefor newspaper regulation to be applied to newspaper twitterers? @alecmuffett www.greenlanesecurity.com
@StephenFry ~3,965,799 followers @alecmuffett www.greenlanesecurity.com
Why regulate newspapers& journalists on Twitter, yet not regulate Stephen Fry? @alecmuffett www.greenlanesecurity.com
On Twitter everyone is precisely the same size 0 = no twitter account 1 = twitter account @alecmuffett www.greenlanesecurity.com
On Twitter everyone has equal capability tweet, or not-tweet, that is the question @alecmuffett www.greenlanesecurity.com
On Twitter some have much greater reach which is not the same thing as size* * especially not “size of Wales” @alecmuffett www.greenlanesecurity.com
graph theory → euclidean geometry → twitter @alecmuffett www.greenlanesecurity.com
a node/vertex/twitterer isa point - ie: of zero dimension - hence all twitterers are the same size @alecmuffett www.greenlanesecurity.com
a line/edge/follow isthat which joins two nodes/twitterers @alecmuffett www.greenlanesecurity.com
the degree ofa twitterer is the number of followers, the number of people with whom you communicate @alecmuffett www.greenlanesecurity.com
the only metricson twitter • volume • number of tweets • indegree • number of followers • outdegree • number of people you follow @alecmuffett www.greenlanesecurity.com
so which ofthese three metrics should trigger state regulation of your twitterfeed? @alecmuffett www.greenlanesecurity.com
if none, perhapsregulation should pertain to the author & his message rather than the medium @alecmuffett www.greenlanesecurity.com
if the mediumis irrelevant and open, why discuss regulation of the medium rather than of its users? @alecmuffett www.greenlanesecurity.com
“Where are theboundaries of British (or American, etc) Cyberspace?” @alecmuffett www.greenlanesecurity.com
(we will returnto this) @alecmuffett www.greenlanesecurity.com
precis society is still adjusting to the net @alecmuffett www.greenlanesecurity.com
4 what model has the state adopted? @alecmuffett www.greenlanesecurity.com
2012 - 1984= 28 @alecmuffett www.greenlanesecurity.com
if it isa place, it can be policed @alecmuffett www.greenlanesecurity.com
if it isa theatre, war can be prosecuted @alecmuffett www.greenlanesecurity.com
http://www.cpni.gov.uk/threats/cyber-threats/ Cyberspace lies at the heart of modern society; it impacts our personal lives, our businesses and our essential services. Cyber security embraces both the public and the private sector and spans a broad range of issues related to national security, whether through terrorism, crime or industrial espionage. E-crime, or cyber-crime, whether relating to theft, hacking or denial of service to vital systems, has become a fact of life. The risk of industrial cyber espionage, in which one company makes active attacks on another, through cyberspace, to acquire high value information is also very real. Cyber terrorism presents challenges for the future. We have to be prepared for terrorists seeking to take advantage of our increasing internet dependency to attack or disable key systems. @alecmuffett www.greenlanesecurity.com
posit: internet → communications @alecmuffett www.greenlanesecurity.com
replace: cyberspace → telephoneworld cyber → phone @alecmuffett www.greenlanesecurity.com
http://dropsafe.crypticide.com/article/4933 Telephoneworld lies at the heart of modern society; it impacts our personal lives, our businesses and our essential services. Phone security embraces both the public and the private sector and spans a broad range of issues related to national security, whether through terrorism, crime or industrial espionage. E-crime, or phone-crime, whether relating to theft, hacking or denial of service to vital systems, has become a fact of life. The risk of industrial phone espionage, in which one company makes active attacks on another, through Telephoneworld, to acquire high value information is also very real. Phone terrorism presents challenges for the future. We have to be prepared for terrorists seeking to take advantage of our increasing communications dependency to attack or disable key systems. @alecmuffett www.greenlanesecurity.com
The UK mustcontrol master Telephoneworld! Cyberspace! the Internet! @alecmuffett www.greenlanesecurity.com
If cyberspace iscommunication... @alecmuffett www.greenlanesecurity.com
to control communication: • you must define it • ...and/or... • you must inhibit it @alecmuffett www.greenlanesecurity.com
to define communication • propaganda • a bad word in government lingo • also marketing & public relations @alecmuffett www.greenlanesecurity.com
to inhibit communication • censorship • likewise a bad word @alecmuffett www.greenlanesecurity.com
it’s safest forgovernment to pretend that cyberspace is a space filled with bad people @alecmuffett www.greenlanesecurity.com
sky → airforce @alecmuffett www.greenlanesecurity.com
to achieve mastery the internet must be widely perceived as a space which can be policed, as a battleground in which war may be prosecuted... @alecmuffett www.greenlanesecurity.com
...but (first) whatare its boundaries? @alecmuffett www.greenlanesecurity.com
“Where are theboundaries of British (etc) Cyberspace?” @alecmuffett www.greenlanesecurity.com
depends on whatyou mean by: “Boundary” “British” @alecmuffett www.greenlanesecurity.com
is British Cyberspacethe union of every Briton’s ability to communicate? @alecmuffett www.greenlanesecurity.com
...then Stephen Fryis very large indeed. @alecmuffett www.greenlanesecurity.com
is cyberspace theboundary of storage of every and all Britons’ data? @alecmuffett www.greenlanesecurity.com
...then British Cyberspaceextends into GMail and Facebook servers in the USA. @alecmuffett www.greenlanesecurity.com
is British Cyberspacethe sum over digital/cyberactivities of all Britons? @alecmuffett www.greenlanesecurity.com
...then the stateseeks to limit legal (or, currently non-criminal) activities and reduce liberties of only its citizenry @alecmuffett www.greenlanesecurity.com
Government is curiouslyunwilling to clarify the matter of boundaries. @alecmuffett www.greenlanesecurity.com
http://goo.gl/MXCsG - computerworld The cost of cybercrime to the global economy is estimated at $1 trillion [US General Keith] Alexander stated and malware is being introduced at a rate of 55,000 pieces per day, or one per second. @alecmuffett www.greenlanesecurity.com
http://goo.gl/nGPvW - computerworld The annual cost of cybercrime is about $388 billion, including money and time lost, said Brian Tillett, chief security strategist at Symantec. That’s about $100 billion more than the global black market trade in heroin, cocaine and marijuana combined, he said. @alecmuffett www.greenlanesecurity.com
http://goo.gl/A14px - symantec Symantec’s Math • $388bn = • $114bn “cost” + • $274bn “lost time” @alecmuffett www.greenlanesecurity.com
http://goo.gl/qrmDn - detica Cabinet Office “In our most-likely scenario, we estimate the cost of cyber crime to the UK to be £27bn per annum” @alecmuffett www.greenlanesecurity.com
http://goo.gl/eQcVS - itpro ITpro Cyber criminals will cost the UK economy an estimated £1.9 billion in 2011, according to a Symantec report. @alecmuffett www.greenlanesecurity.com
$1000bn vs: $388bnvs: $114bn? £27bn vs: £1.9bn ? @alecmuffett www.greenlanesecurity.com
http://goo.gl/vKk3S - detica The theft of Intellectual Property (IP) from business, which has the greatest economic impact of any type of cyber crime is estimated to be £9.2bn per annum. p18 @alecmuffett www.greenlanesecurity.com
This gave anoverall figure for fiscal fraud by cyber criminals of £2.2bn. p19 @alecmuffett www.greenlanesecurity.com
Our total estimatefor industrial espionage is £7.6bn p20 @alecmuffett www.greenlanesecurity.com
Overall, we estimatethe most likely impact [of online theft is] £1.3bn per annum, with the best and worst case estimates £1.0bn and £2.7bn respectively. p21 @alecmuffett www.greenlanesecurity.com
Cyber crime Economic impact Identity theft £1.7bn Online fraud £1.4bn Scareware & fake AV £30m p18 @alecmuffett www.greenlanesecurity.com
“The proportion ofIP actually stolen cannot at present be measured with any degree of confidence” p16 @alecmuffett www.greenlanesecurity.com
“It is veryhard to determine what proportion of industrial espionage is due to cyber crime” p16 @alecmuffett www.greenlanesecurity.com
“Our assessments arenecessarily based on assumptions and informed judgements rather than specific examples of cybercrime, or from data of a classified or commercially sensitive origin” p5 @alecmuffett www.greenlanesecurity.com
also, do youremember... @alecmuffett www.greenlanesecurity.com
US: “malware isbeing introduced at a rate of 55,000 pieces per day” @alecmuffett www.greenlanesecurity.com
The UK versionis... @alecmuffett www.greenlanesecurity.com
http://goo.gl/YwjT0 You just have to look at some of the figures, in fact over 50%, just about 51% of the malicious software threats that have been ever identified, were identified in 2009. Theresa May, Today Programme, Oct 2010 @alecmuffett www.greenlanesecurity.com
http://goo.gl/vK331 Symantec “Global Internet Security Threat Report - Trends for 2009” @alecmuffett www.greenlanesecurity.com
In 2009, Symanteccreated 2,895,802 new malicious code signatures (figure 10). This is a 71 percent increase over 2008, when 1,691,323 new malicious code signatures were added. Although the percentage increase in signatures added is less than the 139 percent increase from 2007 to 2008, the overall number of malicious code signatures by the end of 2009 grew to 5,724,106. This means that of all the malicious code signatures created by Symantec, 51 percent of that total was created in 2009. This is slightly less than 2008, when approximately 60 percent of all signatures at the time were created. @alecmuffett www.greenlanesecurity.com
“code signatures” up51% therefore “malware” up 51% ? @alecmuffett www.greenlanesecurity.com
it doesn’t worklike that. @alecmuffett www.greenlanesecurity.com
http://goo.gl/M09Ik McAfee Threat Report: Fourth Quarter 2010 @alecmuffett www.greenlanesecurity.com
Malware Reaches RecordNumbers Malicious code, in its seemingly infinite forms and ever expanding targets, is the largest threat that McAfee Labs combats daily. We have seen its functionality increase every year. We have seen its sophistication increase every year. We have seen the platforms it targets evolve every year with increasingly clever ways of stealing data. In 2010 McAfee Labs identified more than 20 million new pieces of malware. Stop. We’ll repeat that figure. More than 20 million new pieces of malware appearing last year means that we identify nearly 55,000 malware threats every day. That figure is up from 2009. That figure is up from 2008. That figure is way up from 2007. Of the almost 55 million pieces of malware McAfee Labs has identified and protected against, 36 percent of it was written in 2010! @alecmuffett www.greenlanesecurity.com
politicians & generalsare using glossy marketing reports to bolster strategy? @alecmuffett www.greenlanesecurity.com
OCSIA Office of Cyber Security and Information Assurance @alecmuffett www.greenlanesecurity.com
£640m • cyberinvestment breakdown • operational capabilities 65% • critical infrastructure 20% • cybercrime 9% • reserve and baseline 5% @alecmuffett www.greenlanesecurity.com
“...but the USis spending $9bn* on cybersecurity; are we spending enough?” - Audience Member, BCS Meeting Cyber Challenges of 2012 * Actually closer to $11bn @alecmuffett www.greenlanesecurity.com
Of the £640m 9% (£58m) goes to cybercrime 65% (£416m) goes to operational capabilities @alecmuffett www.greenlanesecurity.com
do the proportionsreflect the perceived threats? @alecmuffett www.greenlanesecurity.com
6 harmful toevolution of network security @alecmuffett www.greenlanesecurity.com
there is clearlysome reality to cybersecurity @alecmuffett www.greenlanesecurity.com
1941: Battle ofthe Atlantic @alecmuffett www.greenlanesecurity.com
Gulf Wars: IraqPower Stations @alecmuffett www.greenlanesecurity.com
...pursuant to aninvasion, or with a kinetic component @alecmuffett www.greenlanesecurity.com
“The Enemy willcrash our systems and then bomb us” @alecmuffett www.greenlanesecurity.com
Maybe-CNI Events • 2007: Estonia • no banks, services, food • 2009: Russia/Ukraine Gas • people freezing @alecmuffett www.greenlanesecurity.com
Non-CNI Events • 2011: Aurora/GMail • espionage • who died? • what service was lost? • where did a bomb go off? @alecmuffett www.greenlanesecurity.com
Nonetheless there isclearly some risk of being blindsided @alecmuffett www.greenlanesecurity.com
so there iscyber-war... but it should not dominate all strategy @alecmuffett www.greenlanesecurity.com
You might ask: where’s the harm in overall cyberspace/security philosophy? @alecmuffett www.greenlanesecurity.com
If not tothe exclusion of all others? @alecmuffett www.greenlanesecurity.com
1) expansion ofthe state @alecmuffett www.greenlanesecurity.com
What’s a politicianmore likely to tell the public? 1) “you’re on your own” 2) “we’re sorting it out for you” @alecmuffett www.greenlanesecurity.com
Who is betterto be responsible for a family’s cybersecurity? 1) the family members 2) state cyber-police @alecmuffett www.greenlanesecurity.com
2) interference inevolution/education @alecmuffett www.greenlanesecurity.com
karmic cycle • technologies change • people complain • problems arise • people complain • problems get fixed • people complain @alecmuffett www.greenlanesecurity.com
...it’s actually aterrible idea - do not share this with people... @alecmuffett www.greenlanesecurity.com
if we’re worriedabout viruses... @alecmuffett www.greenlanesecurity.com
why not makeanti-virus/anti-malware available on the NHS? @alecmuffett www.greenlanesecurity.com
free at thepoint of use @alecmuffett www.greenlanesecurity.com
pick what issuitable for your needs @alecmuffett www.greenlanesecurity.com
run “flu jab”-likeinformation campaigns @alecmuffett www.greenlanesecurity.com
a great idea, to the extent limited by bureaucracy, goals and targets @alecmuffett www.greenlanesecurity.com
ie: this specificidea would be doomed... @alecmuffett www.greenlanesecurity.com
...and any Governmentproject to lead security would be likewise? @alecmuffett www.greenlanesecurity.com
But if youcould address security efficiently, in a distributed manner... @alecmuffett www.greenlanesecurity.com
then why insteadspend taxpayer money centrally? @alecmuffett www.greenlanesecurity.com
Perhaps it’s aboutGovernment spending? @alecmuffett www.greenlanesecurity.com
But that wouldmean it’s rubbish. @alecmuffett www.greenlanesecurity.com