how to think clearly about cybersecurity v2

@alecmuffett

@alecmuffettwww.alecmuffett.com

green lane securitywww.greenlanesecurity.com

www.greenlanesecurity.com

how to think clearlyabout (cyber) security

v2.0

@alecmuffett www.greenlanesecurity.com

how to think clearly aboutsecurity


how to think clearly aboutcybersecurity


why cybersecurity is rubbish


...a bit too polemical?


thesis:


1there is a word cybersecurity


2this word is both a metaphor

and a model for thinking about the challenges of information

and network security


3this model, with perhaps one exception, is unsuited to describe the challenges of

information and network security


4this model has been adopted bystate actors as key to discussion and/or strategic consideration

of information and network security


5strategy based upon this model

tends to be misconceived, expensive,and of an illiberal nature


6unless diluted with other perspectives,

this model is a lever for increased state control of

information and network security that will harm the evolution of the field


end thesis


thesis defence


1cybersecurity: what does it mean?


UNTIL RECENTLY


a long time ago in a novel far far away...


http

://e

n.w

ikip

edia

.org

/wik

i/Fi

le:N

euro

man

cer_

(Boo

k).j

pg


cyberspace


not cybernetic


http

://e

n.w

ikip

edia

.org

/wik

i/Fi

le:S

ixm

illio

ndol

lar1

.jpg


virtual reality,a real virtuality


hack

ers

mov

ie


http

://e

n.w

ikip

edia

.org

/wik

i/Fi

le:T

ron_

post

er.j

pg


http

://e

n.w

ikip

edia

.org

/wik

i/In

tern

et-r

elat

ed_p

refi

xes

cyber-prefix


cyberpunk


http

://e

n.w

ikip

edia

.org

/wik

i/Fi

le:W

arga

mes

.jpg


http

://e

n.w

ikip

edia

.org

/wik

i/Fi

le:H

acke

rspo

ster

.jpg


http

://e

n.w

ikip

edia

.org

/wik

i/Fi

le:T

he_M

atri

x_Po

ster

.jpg


hollywood bandwagon


cyber-everything!


cybercrime


cybercriminals


cybersex


cyberchildren“digital natives”


cyberbullying


cyberterrorists


cyberattacks


cyberwarfare


cyberweapons


cyberspies


cyberespionage


...and so forth


AN OBSERVATION


word prefixes ...


digital, virtual = interesting, virtuous


virtual reality


e-something = dull


e-mail


iSomething


iPrefer this logo


cyber = bad/profane?


are we meant or predisposedto dislike ‘cyber’ ?


* “information superhighway”was always boring


pop(@stack);


2what model does it represent?


not cyber-space


but cyber-space


a near-tangible virtual world


described as a space


people meet in a space


battles are fought in a space


wars are waged in a space


humans understand space


underlying assumption is that cyberspace is sufficiently like realspace

and much the same rules can apply


alas...


3the model is a mostly-bad fit to reality?


cyberspace is not like realspace


example 1: theft


cyberspace theft is not commutative


theft in realspace•if I steal your phone

• you no longer have it• it is gone


theft in cyberspace•if I steal your data

• you still have it• unless I also destroy your copies

• assuming you haven’t backed-up your data

• you no longer have secrecy• not the same as “loss”


later debate:is intellectual property theftactually theft (ie: crime) ...


... or is it like copyright infringementand/or patent infringement

(ie: typically a tort)?


(ask a lawyer. pay him.)


example 2: cybersize


“An area of Internet the size of Walesis dedicated to cybercrime!”


social media as a country: Twitter


@AlecMuffett~ 1,662 followers


@MailOnline~61,024 followers


@GuardianNews ~321,287 followers


Can a case for newspaper regulationto be applied to newspaper twitterers?


@StephenFry~3,965,799 followers


Why regulate newspapers & journalists on Twitter,

yet not regulate Stephen Fry?


answer:


On Twittereveryone is precisely the same size

0 = no twitter account1 = twitter account


On Twittereveryone has equal capability

tweet, or not-tweet, that is the question


On Twittersome have much greater reachwhich is not the same thing as size*

* especially not “size of Wales”


a maths/compsci analogy:


wp:

dire

cted

_gra

ph


graph theory → euclidean geometry →

twitter


a node/vertex/twitterer is a point- ie: of zero dimension -

hence all twitterers are the same size


a line/edge/follow is thatwhich joins two nodes/twitterers


the degree of a twittereris the number of followers,

the number of people with whomyou communicate


the only metrics on twitter•volume

• number of tweets

•indegree• number of followers

•outdegree• number of people you follow


so which of these three metricsshould trigger state regulation

of your twitterfeed?


regulation?


if none, perhaps regulation shouldpertain to the author & his message

rather than the medium


if the medium is irrelevant and open,why discuss regulation of the medium

rather than of its users?


example 3: sovereignty


“Where are the boundaries ofBritish (or American, etc) Cyberspace?”


(we will return to this)


precissociety is still adjusting to the net


4what model has the state adopted?


2012 - 1984 = 28


if it is a place, it can be policed


if it is a theatre, war can be prosecuted


EXPERIMENT


http

://w

ww

.cpn

i.go

v.uk

/thr

eats

/cyb

er-t

hrea

ts/

Cyberspace lies at the heart of modern society; it impacts our personal lives, our businesses and our essential services. Cyber security embraces both the public and the private sector and spans a broad range of issues related to national security, whether through terrorism, crime or industrial espionage.

E-crime, or cyber-crime, whether relating to theft, hacking or denial of service to vital systems, has become a fact of life. The risk of industrial cyber espionage, in which one company makes active attacks on another, through cyberspace, to acquire high value information is also very real. Cyber terrorism presents challenges for the future. We have to be prepared for terrorists seeking to take advantage of our increasing internet dependency to attack or disable key systems.


posit:internet → communications


replace:cyberspace → telephoneworld

cyber → phone


http

://d

rops

afe.

cryp

tici

de.c

om/a

rtic

le/4

933

Telephoneworld lies at the heart of modern society; it impacts our personal lives, our businesses and our essential services. Phone security embraces both the public and the private sector and spans a broad range of issues related to national security, whether through terrorism, crime or industrial espionage.

E-crime, or phone-crime, whether relating to theft, hacking or denial of service to vital systems, has become a fact of life. The risk of industrial phone espionage, in which one company makes active attacks on another, through Telephoneworld, to acquire high value information is also very real. Phone terrorism presents challenges for the future. We have to be prepared for terrorists seeking to take advantage of our increasing communications dependency to attack or disable key systems.


The UK must control master Telephoneworld! Cyberspace!

the Internet!


If cyberspace is communication...


to control communication:•you must define it•...and/or...•you must inhibit it


to define communication•propaganda

• a bad word in government lingo• also marketing & public relations


to inhibit communication•censorship

• likewise a bad word


it’s safest for government to pretendthat cyberspace is a space

filled with bad people


metaphor drives perception


land → army


sea → navy


sky → air force


cyberspace → currently up for grabs


to achieve masterythe internet must be widely perceived

as a space which can be policed,as a battleground in which war

may be prosecuted...


...but (first) what are its boundaries?


“Where are the boundaries ofBritish (etc) Cyberspace?”


depends on what you mean by:“Boundary”

“British”


is British Cyberspace the union ofevery Briton’s ability to communicate?


...then Stephen Fry is very large indeed.


is cyberspace the boundary of storageof every and all Britons’ data?


...then British Cyberspace extends into GMail and Facebook servers in the USA.


is British Cyberspace the sum overdigital/cyberactivities of all Britons?


...then the state seeks to limitlegal (or, currently non-criminal)

activities and reduce libertiesof only its citizenry


Government is curiously unwillingto clarify the matter of boundaries.


5

“...expensive, misconceived, illiberal...”


example quotes:


http

://g

oo.g

l/M

XCsG

- c

ompu

terw

orld

The cost of cybercrime to the global economy is estimated at $1 trillion

[US General Keith] Alexander stated and malware is being introduced at a rate of

55,000 pieces per day, or one per second.


http

://g

oo.g

l/nG

PvW

- c

ompu

terw

orld

The annual cost of cybercrime is about $388 billion, including money and time lost, said Brian Tillett, chief security

strategist at Symantec. That’s about $100 billion more than the global black market

trade in heroin, cocaine and marijuana combined, he said.


http

://g

oo.g

l/A1

4px

- sy

man

tec

Symantec’s Math•$388bn =

• $114bn “cost” + • $274bn “lost time”


http

://g

oo.g

l/qr

mD

n -

deti

ca

Cabinet Office“In our most-likely scenario, we estimate the cost of cyber crime to the UK to be

£27bn per annum”


http

://g

oo.g

l/eQ

cVS

- it

pro

ITproCyber criminals will cost the UK economy

an estimated £1.9 billion in 2011, according to a Symantec report.


$1000bn vs: $388bn vs: $114bn?

£27bn vs: £1.9bn ?


wtf?


http

://g

oo.g

l/AJ

MM

X -

cabi

net

offi

ce


“the £27bn report”


http

://g

oo.g

l/vK

k3S

- de

tica

The theft of Intellectual Property (IP) from business, which has the greatest economic impact of any type of cyber crime is estimated to be £9.2bn per annum. p18


This gave an overall figure for fiscal fraud by cyber criminals of £2.2bn. p19


Our total estimate for industrial espionage is £7.6bn p20


Overall, we estimate the most likely impact [of online theft is] £1.3bn per annum, with the best

and worst case estimates £1.0bn and £2.7bn respectively. p21


Cyber crime Economic impact

Identity theft £1.7bn

Online fraud £1.4bn

Scareware & fake AV £30m

p18


but...


“The proportion of IP actually stolen cannot at present be measured with any

degree of confidence” p16


“It is very hard to determinewhat proportion of industrial espionage

is due to cyber crime” p16


“Our assessments are necessarily based on assumptions and informed judgements

rather than specific examples of cybercrime, or from data of a classified

or commercially sensitive origin” p5


also, do you remember...


US: “malware is being introducedat a rate of 55,000 pieces per day”


The UK version is...


http

://g

oo.g

l/Yw

jT0

You just have to look at some of the figures, in fact over 50%, just about 51% of the malicious

software threats that have been ever identified, were identified in 2009.

Theresa May, Today Programme, Oct 2010


http

://g

oo.g

l/vK

331

Symantec “Global Internet

Security Threat Report- Trends for 2009”


In 2009, Symantec created 2,895,802 new malicious code signatures (figure 10). This is a 71 percent increase over

2008, when 1,691,323 new malicious code signatures were added. Although the percentage increase in signatures added is less than the 139 percent increase from 2007 to 2008, the overall number of malicious code signatures by the end of

2009 grew to 5,724,106. This means that of all the malicious code signatures created by Symantec, 51

percent of that total was created in 2009. This is slightly less than 2008, when approximately 60 percent of all

signatures at the time were created.


“code signatures” up 51%therefore “malware” up 51% ?


it doesn’t work like that.


(hint: “polymorphic” malware)


So: 55,000/day ?


http

://g

oo.g

l/M

09Ik

McAfee Threat Report:Fourth Quarter 2010


Malware Reaches Record Numbers

Malicious code, in its seemingly infinite forms and ever expanding targets, is the largest threat that McAfee Labs combats daily. We have seen its functionality increase every

year. We have seen its sophistication increase every year. We have seen the platforms it targets evolve every year with increasingly clever ways of stealing data. In 2010

McAfee Labs identified more than 20 million new pieces of malware.

Stop. We’ll repeat that figure.

More than 20 million new pieces of malware appearing last year means that we identify nearly 55,000 malware threats every day. That figure is up from 2009. That

figure is up from 2008. That figure is way up from 2007. Of the almost 55 million pieces of malware McAfee Labs has identified and protected

against, 36 percent of it was written in 2010!


politicians & generals are usingglossy marketing reports

to bolster strategy?


UK Government response ?


2011: “£640m over 4 years”


OCSIAOffice of

Cyber Security andInformation Assurance


£640m•cyberinvestment breakdown

• operational capabilities 65% • critical infrastructure 20% • cybercrime 9% • reserve and baseline 5%


“...but the US is spending $9bn* on cybersecurity;

are we spending enough?”- Audience Member, BCS Meeting Cyber Challenges of 2012

* Actually closer to $11bn


Of the £640m

9% (£58m) goes to cybercrime

65% (£416m) goes to operational capabilities


do the proportions reflectthe perceived threats?


6harmful to evolution of network security


there is clearly some realityto cybersecurity


CNI: Critical National Infrastructure


CNI Events


1941: Battle of the Atlantic


1943: Dambusters


Gulf Wars: Iraq Power Stations


...pursuant to an invasion, orwith a kinetic component


“The Enemy will crash our systemsand then bomb us”


Maybe-CNI Events•2007: Estonia

• no banks, services, food

•2009: Russia/Ukraine Gas• people freezing


Non-CNI Events•2011: Aurora/GMail

• espionage• who died?• what service was lost?• where did a bomb go off?


Nonetheless there is clearly some risk of being blindsided


there is land-war


there is sea-war


there is air-war


so there is cyber-war...but it should not dominate all strategy


compare: air supremacy


military cybersecurity?


You might ask:where’s the harm in overall

cyberspace/security philosophy?


If not to the exclusion of all others?


1) expansion of the state


What’s a politician more likely to tell the public?

1) “you’re on your own”2) “we’re sorting it out for you”


Who is better to be responsiblefor a family’s cybersecurity?

1) the family members2) state cyber-police


2) interference in evolution/education


karmic cycle•technologies change

• people complain

•problems arise• people complain

•problems get fixed• people complain


people always complain,but they use and learn.


3) tunnel vision


eg: an alternative spending model


...it’s actually a terrible idea -do not share this with people...


if we’re worried about viruses...


why not make anti-virus/anti-malware available on the NHS?


free at the point of use


distributed to all citizens


pick what is suitable for your needs


run “flu jab”-like information campaigns


no huge centralised IT project


a great idea,to the extent limited by

bureaucracy, goals and targets


ie: this specific idea would be doomed...


...and any Government projectto lead security would be likewise?


But if you could address security efficiently, in a distributed manner...


then why instead spendtaxpayer money centrally?


Perhaps cybersecurity isn’t actuallyabout protecting the public?


Perhaps it’s about Government spending?


But that would mean it’s rubbish.


QED


discuss?


@alecmuffett

how to think clearly about cybersecurity v2

Technology

network securitythat

cyber security

challenges of information

green lane security

state actors

real virtuality

virtual reality

untilr ece n