Why Cybersecurity Is Rubbish

blank this page intentionally left blank @alecmuffett www.greenlanesecurity.com

how to think clearly about (cyber) security @alecmuffett www.alecmuffett.com green lane security www.greenlanesecurity.com@alecmuffett www.greenlanesecurity.com

how to think clearly about security@alecmuffett www.greenlanesecurity.com

how to think clearly about cybersecurity@alecmuffett www.greenlanesecurity.com

why cybersecurity is rubbish@alecmuffett www.greenlanesecurity.com

...a bit too polemical?@alecmuffett www.greenlanesecurity.com

thesis:@alecmuffett www.greenlanesecurity.com

1 there is a word cybersecurity@alecmuffett www.greenlanesecurity.com

2 this word is both a metaphor and a model for thinking about the challenges of information and network security@alecmuffett www.greenlanesecurity.com

3 this model, with perhaps one exception, is unsuited to describe the challenges of information and network security@alecmuffett www.greenlanesecurity.com

4 this model has been adopted by state actors as key to discussion and/or strategic consideration of information and network security@alecmuffett www.greenlanesecurity.com

5 strategy based upon this model tends to be misconceived, expensive, and of an illiberal nature@alecmuffett www.greenlanesecurity.com

6 unless diluted with other perspectives, this model provides a lever for greater state control over information and network security that will harm the evolution of the field@alecmuffett www.greenlanesecurity.com

end thesis@alecmuffett www.greenlanesecurity.com

thesis defence@alecmuffett www.greenlanesecurity.com

1 cybersecurity: what does it mean?@alecmuffett www.greenlanesecurity.com

@alecmuffett www.greenlanesecurity.com

a long time ago in a novel far far away...@alecmuffett www.greenlanesecurity.com

http://en.wikipedia.org/wiki/File:Neuromancer_(Book).jpg@alecmuffettwww.greenlanesecurity.com

cyberspace@alecmuffett www.greenlanesecurity.com

not cybernetic@alecmuffett www.greenlanesecurity.com

http://en.wikipedia.org/wiki/File:Sixmilliondollar1.jpg@alecmuffettwww.greenlanesecurity.com

virtual reality, a real virtuality@alecmuffett www.greenlanesecurity.com

hackers movie @alecmuffett www.greenlanesecurity.com

http://en.wikipedia.org/wiki/File:Tron_poster.jpg@alecmuffettwww.greenlanesecurity.com

spinoff words@alecmuffett www.greenlanesecurity.com

http://en.wikipedia.org/wiki/Internet-related_prefixes@alecmuffett cyber-prefixwww.greenlanesecurity.com

cyberpunk@alecmuffett www.greenlanesecurity.com

http://en.wikipedia.org/wiki/File:Wargames.jpg@alecmuffettwww.greenlanesecurity.com

http://en.wikipedia.org/wiki/File:Hackersposter.jpg@alecmuffettwww.greenlanesecurity.com

http://en.wikipedia.org/wiki/File:The_Matrix_Poster.jpg@alecmuffettwww.greenlanesecurity.com

cypher-punk ? PGP!@alecmuffett www.greenlanesecurity.com

cyber-everything!@alecmuffett www.greenlanesecurity.com

cybercrime@alecmuffett www.greenlanesecurity.com

cybercriminals@alecmuffett www.greenlanesecurity.com

cybersex@alecmuffett www.greenlanesecurity.com

cyberchildren “digital natives”@alecmuffett www.greenlanesecurity.com

cyberbullying@alecmuffett www.greenlanesecurity.com

cyberterrorists@alecmuffett www.greenlanesecurity.com

cyberattacks@alecmuffett www.greenlanesecurity.com

cyberwarfare@alecmuffett www.greenlanesecurity.com

cyberweapons@alecmuffett www.greenlanesecurity.com

cyberespionage@alecmuffett www.greenlanesecurity.com

...and so forth@alecmuffett www.greenlanesecurity.com

AN OBSERVATION@alecmuffett www.greenlanesecurity.com

word prefixes ...@alecmuffett www.greenlanesecurity.com

digital, virtual = interesting, virtuous@alecmuffett www.greenlanesecurity.com

virtual reality@alecmuffett www.greenlanesecurity.com

e-something = dull@alecmuffett www.greenlanesecurity.com

e-mail@alecmuffett www.greenlanesecurity.com

iSomething@alecmuffett www.greenlanesecurity.com

iPrefer this logo@alecmuffett www.greenlanesecurity.com

cyber = bad/profane?@alecmuffett www.greenlanesecurity.com

are we meant or predisposed to dislike ‘cyber’ ?@alecmuffett www.greenlanesecurity.com

“information superhighway” was always boring@alecmuffett www.greenlanesecurity.com

pop(@stack);@alecmuffett www.greenlanesecurity.com

2 what model does it represent?@alecmuffett www.greenlanesecurity.com

not cyber-space@alecmuffett www.greenlanesecurity.com

but cyber-space@alecmuffett www.greenlanesecurity.com

a near-tangible virtual world@alecmuffett www.greenlanesecurity.com

described as a space@alecmuffett www.greenlanesecurity.com

people meet in a space@alecmuffett www.greenlanesecurity.com

battles are fought in a space@alecmuffett www.greenlanesecurity.com

wars are waged in a space@alecmuffett www.greenlanesecurity.com

humans understand space@alecmuffett www.greenlanesecurity.com

underlying assumption is that cyberspace is sufficiently like realspace and much the same rules can apply@alecmuffett www.greenlanesecurity.com

but, alas...@alecmuffett www.greenlanesecurity.com

3 the model is a mostly-bad fit to reality?@alecmuffett www.greenlanesecurity.com

cyberspace is not like realspace@alecmuffett www.greenlanesecurity.com

example 1: theft@alecmuffett www.greenlanesecurity.com

cyberspace theft is not commutative@alecmuffett www.greenlanesecurity.com

theft in realspace • if I steal your phone • you no longer have it • it is gone@alecmuffett www.greenlanesecurity.com

theft in cyberspace • if I steal your data • you still have it • unless I also destroy your copies • assuming you haven’t backed-up your data • you no longer have secrecy • not the same as “loss”@alecmuffett www.greenlanesecurity.com

later debate: is intellectual property theft actually theft (ie: crime) ...@alecmuffett www.greenlanesecurity.com

... or is it like copyright infringement and/or patent infringement (ie: typically a tort)?@alecmuffett www.greenlanesecurity.com

(ask a lawyer. pay him.)@alecmuffett www.greenlanesecurity.com

example 2: cybersize@alecmuffett www.greenlanesecurity.com

social media as a medium: Twitter@alecmuffett www.greenlanesecurity.com

@AlecMuffett ~ 1300 followers@alecmuffett www.greenlanesecurity.com

@MailOnline ~29,000 followers@alecmuffett www.greenlanesecurity.com

@GuardianNews ~223,000 followers@alecmuffett www.greenlanesecurity.com

Can a case for newspaper regulation to be applied to newspaper twitterers?@alecmuffett www.greenlanesecurity.com

@StephenFry ~3,120,000 followers@alecmuffett www.greenlanesecurity.com

Why regulate newspapers & journalists on Twitter, yet not regulate Stephen Fry?@alecmuffett www.greenlanesecurity.com

On Twitter everyone is the same size 0 = no twitter account 1 = twitter account@alecmuffett www.greenlanesecurity.com

On Twitter everyone has equal capability tweet, or not-tweet, that is the question@alecmuffett www.greenlanesecurity.com

On Twitter some have much greater reach which is not the same thing as size@alecmuffett www.greenlanesecurity.com

a maths/compsci analogy:@alecmuffett www.greenlanesecurity.com

graph theory → euclidean geometry → twitter@alecmuffett www.greenlanesecurity.com

wp:directed_graph @alecmuffett www.greenlanesecurity.com

a node/vertex/twitterer is a point and is of zero dimension; hence all twitterers are the same size@alecmuffett www.greenlanesecurity.com

a line/edge/follow is that which joins two nodes/twitterers@alecmuffett www.greenlanesecurity.com

the degree of a twitterer is the number of followers, the number of people with whom you communicate@alecmuffett www.greenlanesecurity.com

the only metrics on twitter • volume • number of tweets • indegree • number of followers • outdegree • number of people you follow@alecmuffett www.greenlanesecurity.com

so which of these three metrics should trigger state regulation of your twitterfeed - regulation of what you may say?@alecmuffett www.greenlanesecurity.com

if none, perhaps regulation should pertain to the author & his message rather than the medium@alecmuffett www.greenlanesecurity.com

if the medium is irrelevant and open, why discuss regulation of the medium rather than of its users?@alecmuffett www.greenlanesecurity.com

example 3: sovereignty@alecmuffett www.greenlanesecurity.com

“Where are the boundaries of British (or American, etc) Cyberspace?”@alecmuffett www.greenlanesecurity.com

(we will return to this)@alecmuffett www.greenlanesecurity.com

precis society is still adjusting to the net@alecmuffett www.greenlanesecurity.com

4 what model has the state adopted?@alecmuffett www.greenlanesecurity.com

2011 - 1984 = 27@alecmuffett www.greenlanesecurity.com

if it is a place, it can be policed@alecmuffett www.greenlanesecurity.com

if it is a theatre, war can be prosecuted@alecmuffett www.greenlanesecurity.com

EXPERIMENT@alecmuffett www.greenlanesecurity.com

Cyberspace lies at the heart of modern society; it impacts our personalhttp://www.cpni.gov.uk/threats/cyber-threats/ lives, our businesses and our essential services. Cyber security embraces both the public and the private sector and spans a broad range of issues related to national security, whether through terrorism, crime or industrial espionage. E-crime, or cyber-crime, whether relating to theft, hacking or denial of service to vital systems, has become a fact of life. The risk of industrial cyber espionage, in which one company makes active attacks on another, through cyberspace, to acquire high value information is also very real. Cyber terrorism presents challenges for the future. We have to be prepared for terrorists seeking to take advantage of our increasing internet dependency to attack or disable key systems. CPNI works with the Cabinet Office and lead Government departments and agencies to drive forward the UKs cyber security programme to counter these threats. @alecmuffett www.greenlanesecurity.com

posit: internet → communications@alecmuffett www.greenlanesecurity.com

so replace: cyberspace → telephoneworld cyber → phone@alecmuffett www.greenlanesecurity.com

Telephoneworld lies at the heart of modern society; it impacts ourhttp://dropsafe.crypticide.com/article/4933 personal lives, our businesses and our essential services. Phone security embraces both the public and the private sector and spans a broad range of issues related to national security, whether through terrorism, crime or industrial espionage. E-crime, or phone-crime, whether relating to theft, hacking or denial of service to vital systems, has become a fact of life. The risk of industrial phone espionage, in which one company makes active attacks on another, through Telephoneworld, to acquire high value information is also very real. Phone terrorism presents challenges for the future. We have to be prepared for terrorists seeking to take advantage of our increasing communications dependency to attack or disable key systems. CPNI works with the Cabinet Office and lead Government departments and agencies to drive forward the UKs phone security programme to counter these threats. @alecmuffett www.greenlanesecurity.com

The UK should dominate Telephoneworld Cyberspace!@alecmuffett www.greenlanesecurity.com

If cyberspace is communication...@alecmuffett www.greenlanesecurity.com

to control communication: • you must define it • ...and/or... • you must inhibit it@alecmuffett www.greenlanesecurity.com

to define communication • propaganda • a bad word in government lingo • also marketing & public relations@alecmuffett www.greenlanesecurity.com

to inhibit communication • censorship • likewise a bad word@alecmuffett www.greenlanesecurity.com

it’s safer for government to pretend that cyberspace is a space filled with bad people@alecmuffett www.greenlanesecurity.com

metaphor drives perception@alecmuffett www.greenlanesecurity.com

land → army@alecmuffett www.greenlanesecurity.com

sea → navy@alecmuffett www.greenlanesecurity.com

sky → air force@alecmuffett www.greenlanesecurity.com

cyberspace → up for grabs@alecmuffett www.greenlanesecurity.com

to achieve dominance the internet must be widely perceived as a space which can be policed, as a battleground in which war may be prosecuted...@alecmuffett www.greenlanesecurity.com

...but what are its boundaries?@alecmuffett www.greenlanesecurity.com

“Where are the boundaries of British (etc) Cyberspace?”@alecmuffett www.greenlanesecurity.com

depends on what you mean by: “Boundary” “British”@alecmuffett www.greenlanesecurity.com

is British Cyberspace the union of every Briton’s ability to communicate?@alecmuffett www.greenlanesecurity.com

...then Stephen Fry is very large indeed.@alecmuffett www.greenlanesecurity.com

is cyberspace the boundary of storage of every and all Britons’ data?@alecmuffett www.greenlanesecurity.com

...then British Cyberspace extends into GMail and Facebook servers in the USA.@alecmuffett www.greenlanesecurity.com

is British Cyberspace the sum over digital/cyberactivities of all Britons?@alecmuffett www.greenlanesecurity.com

...then the State seeks to constrain legal (or, non-criminal) activities and amend/remove civil rights.@alecmuffett www.greenlanesecurity.com

Government is curiously unwilling to clarify this matter.@alecmuffett www.greenlanesecurity.com

5 “expensive, misconceived and illiberal”@alecmuffett www.greenlanesecurity.com

key, critical, strategic quotes:@alecmuffett www.greenlanesecurity.com

http://goo.gl/MXCsG - computerworld The cost of cybercrime to the global economy is estimated at $1 trillion [US General Keith] Alexander stated and malware is being introduced at a rate of 55,000 pieces per day, or one per second. @alecmuffett www.greenlanesecurity.com

http://goo.gl/nGPvW - computerworld The annual cost of cybercrime is about $388 billion, including money and time lost, said Brian Tillett, chief security strategist at Symantec. That’s about $100 billion more than the global black market trade in heroin, cocaine and marijuana combined, he said. @alecmuffett www.greenlanesecurity.com

http://goo.gl/A14px - symantec Symantec Sums • $388bn = • $114bn “cost” + • $274bn “lost time” @alecmuffett www.greenlanesecurity.com

http://goo.gl/qrmDn - detica In our most-likely scenario, we estimate the cost of cyber crime to the UK to be £27bn per annum. @alecmuffett www.greenlanesecurity.com

http://goo.gl/eQcVS - itpro Cyber criminals will cost the UK economy an estimated £1.9 billion in 2011, according to a Symantec report. @alecmuffett www.greenlanesecurity.com

$1000bn vs: $388bn vs: $114bn? £27bn vs: £1.9bn ?@alecmuffett www.greenlanesecurity.com

wtf?@alecmuffett www.greenlanesecurity.com

http://goo.gl/AJMMX - cabinet office @alecmuffett www.greenlanesecurity.com

“the £27bn report”@alecmuffett www.greenlanesecurity.com

http://goo.gl/vKk3S - detica The theft of Intellectual Property (IP) from business, which has the greatest economic impact of any type of cyber crime is estimated to be £9.2bn per annum. p18 @alecmuffett www.greenlanesecurity.com

This gave an overall figure for fiscal fraud by cyber criminals of £2.2bn. p19@alecmuffett www.greenlanesecurity.com

Our total estimate for industrial espionage is £7.6bn p20@alecmuffett www.greenlanesecurity.com

Overall, we estimate the most likely impact [of online theft is] £1.3bn per annum, with the best and worst case estimates £1.0bn and £2.7bn respectively. p21@alecmuffett www.greenlanesecurity.com

Cyber crime Economic impact Identity theft £1.7bn Online fraud £1.4bn Scareware & fake AV £30m p18@alecmuffett www.greenlanesecurity.com

but...@alecmuffett www.greenlanesecurity.com

“The proportion of IP actually stolen cannot at present be measured with any degree of confidence”@alecmuffett www.greenlanesecurity.com

“It is very hard to determine what proportion of industrial espionage is due to cybercrime”@alecmuffett www.greenlanesecurity.com

“Our assessments are necessarily basedon assumptions and informed judgements rather than specific examples of cybercrime, or from data of a classified or commercially sensitive origin”@alecmuffett www.greenlanesecurity.com

also, do you remember...@alecmuffett www.greenlanesecurity.com

“malware is being introduced at a rate of 55,000 pieces per day”@alecmuffett www.greenlanesecurity.com

Compare...@alecmuffett www.greenlanesecurity.com

http://goo.gl/YwjT0 You just have to look at some of the figures, in fact over 50%, just about 51% of the malicious software threats that have been ever identified, were identified in 2009. Theresa May, Today Programme, Oct 2010 @alecmuffett www.greenlanesecurity.com

http://goo.gl/vK331 Symantec “Global Internet Security Threat Report - Trends for 2009” @alecmuffett www.greenlanesecurity.com

In 2009, Symantec created 2,895,802 new malicious code signatures (figure 10). This is a 71 percent increase over 2008, when 1,691,323 new malicious code signatures wereadded. Although the percentage increase in signatures addedis less than the 139 percent increase from 2007 to 2008, the overall number of malicious code signatures by the end of 2009 grew to 5,724,106. This means that of all the malicious code signatures created by Symantec, 51 percent of that total was created in 2009. This is slightly less than 2008, when approximately 60 percent of all signatures at the time were created.@alecmuffett www.greenlanesecurity.com

“code signatures” up 51% therefore “malware” up 51% ?@alecmuffett www.greenlanesecurity.com

it doesn’t work like that.@alecmuffett www.greenlanesecurity.com

(“polymorphic” malware)@alecmuffett www.greenlanesecurity.com

So: 55,000/day ?@alecmuffett www.greenlanesecurity.com

http://goo.gl/M09Ik McAfee Threat Report: Fourth Quarter 2010 @alecmuffett www.greenlanesecurity.com

Malware Reaches Record NumbersMalicious code, in its seemingly infinite forms and ever expanding targets, is the largest threat that McAfee Labs combats daily. We have seen its functionality increase everyyear. We have seen its sophistication increase every year. We have seen the platforms it targets evolve every year with increasingly clever ways of stealing data. In 2010 McAfee Labs identified more than 20 million new pieces of malware. Stop. We’ll repeat that figure. More than 20 million new pieces of malware appearing last year means that weidentify nearly 55,000 malware threats every day. That figure is up from 2009. That figure is up from 2008. That figure is way up from 2007. Of the almost 55 million pieces of malware McAfee Labs has identified and protected against, 36 percent of it was written in 2010!@alecmuffett www.greenlanesecurity.com

politicians & generals are using glossy marketing reports to bolster strategy@alecmuffett www.greenlanesecurity.com

government response ?@alecmuffett www.greenlanesecurity.com

“£640m over 4 years”@alecmuffett www.greenlanesecurity.com

OCSIA Office of Cyber Security and Information Assurance@alecmuffett www.greenlanesecurity.com

£640m • cyberinvestment breakdown • operational capabilities 65% • critical infrastructure 20% • cybercrime 9% • reserve and baseline 5%@alecmuffett www.greenlanesecurity.com

“...but the US is spending $9bn* on cybersecurity; are we spending enough?” - Audience Member, BCS Meeting Cyber Challenges of 2012 * Actually closer to $11bn@alecmuffett www.greenlanesecurity.com

Of the £640m 9% (£58m) goes to cybercrime 65% (£416m) goes to operational capabilities@alecmuffett www.greenlanesecurity.com

maybe the proportions reflect the actually perceived threats?@alecmuffett www.greenlanesecurity.com

6 harmful to evolution of network security@alecmuffett www.greenlanesecurity.com

there is clearly some reality to cybersecurity@alecmuffett www.greenlanesecurity.com

CNI: Critical National Infrastructure@alecmuffett www.greenlanesecurity.com

CNI Events@alecmuffett www.greenlanesecurity.com

1941: Battle of the Atlantic@alecmuffett www.greenlanesecurity.com

1943: Dambusters@alecmuffett www.greenlanesecurity.com

Gulf Wars: Iraq Power Stations@alecmuffett www.greenlanesecurity.com

...pursuant to an invasion, or with a kinetic component@alecmuffett www.greenlanesecurity.com

The [Enemy] will crash our systems and then bomb us.@alecmuffett www.greenlanesecurity.com

Maybe-CNI Events • 2007: Estonia • no banks, services, food • 2009: Russia/Ukraine Gas • people freezing@alecmuffett www.greenlanesecurity.com

Non-CNI Events • 2011: Aurora/GMail • espionage • who died?@alecmuffett www.greenlanesecurity.com

Nonetheless there is clearly some risk of being blindsided@alecmuffett www.greenlanesecurity.com

there is land-war@alecmuffett www.greenlanesecurity.com

there is sea-war@alecmuffett www.greenlanesecurity.com

there is air-war@alecmuffett www.greenlanesecurity.com

so there is cyber-war, but it should not dominate all strategy@alecmuffett www.greenlanesecurity.com

compare: air supremacy@alecmuffett www.greenlanesecurity.com

You might ask: where’s the harm in cyber/space/security philosophy?@alecmuffett www.greenlanesecurity.com

If not to the exclusion of all others?@alecmuffett www.greenlanesecurity.com

1) expansion of the state@alecmuffett www.greenlanesecurity.com

What’s a politician more likely to tell the public? 1) “you’re on your own” 2) “we’re sorting it out for you”@alecmuffett www.greenlanesecurity.com

Who is better to be responsible for a family’s cybersecurity? 1) the family members 2) state cyber-police@alecmuffett www.greenlanesecurity.com

2) interference in evolution/education@alecmuffett www.greenlanesecurity.com

karmic cycle • technologies change • people complain • problems arise • people complain • problems get fixed • people complain@alecmuffett www.greenlanesecurity.com

people always complain, but they use and learn.@alecmuffett www.greenlanesecurity.com

3) tunnel vision@alecmuffett www.greenlanesecurity.com

let me present an alternative spending model@alecmuffett www.greenlanesecurity.com

...it’s actually a terrible idea - but bear with me for a moment...@alecmuffett www.greenlanesecurity.com

if we’re worried about viruses...@alecmuffett www.greenlanesecurity.com

why not make anti-virus/anti-malware available on the NHS?@alecmuffett www.greenlanesecurity.com

free at the point of use@alecmuffett www.greenlanesecurity.com

distributed to all citizens@alecmuffett www.greenlanesecurity.com

pick what is suitable for your needs@alecmuffett www.greenlanesecurity.com

run “flu jab”-like information campaigns@alecmuffett www.greenlanesecurity.com

no huge centralised IT project@alecmuffett www.greenlanesecurity.com

a great idea, to the extent limited by bureaucracy, goals and targets@alecmuffett www.greenlanesecurity.com

ie: this specific idea would be doomed...@alecmuffett www.greenlanesecurity.com

...and any Government project to lead security would be likewise?@alecmuffett www.greenlanesecurity.com

But if you could address security in a distributed manner...@alecmuffett www.greenlanesecurity.com

then why instead spend all that taxpayer money centrally?@alecmuffett www.greenlanesecurity.com

Perhaps cybersecurity isn’t actually about protecting the public?@alecmuffett www.greenlanesecurity.com

But that would mean it’s rubbish.@alecmuffett www.greenlanesecurity.com

fin @alecmuffett@alecmuffett www.greenlanesecurity.com

http://dropsafe.crypticide.com	334
http://www.skepticule.co.uk	259
http://feeds2.feedburner.com	144
http://lanyrd.com	7
http://us-w1.rockmelt.com	4
http://www.slideshare.net	2
http://skeprec.blogspot.co.uk	2
http://ranksit.com	1

Why Cybersecurity Is Rubbish

by alecmuffett

Accessibility

Categories

Upload Details

Usage Rights

8 Embeds 753

Statistics

Why Cybersecurity Is Rubbish Presentation Transcript