how to think clearly           about (cyber) security                    @alecmuffett                 www.alecmuffett.com ...
how to think clearly about                        security@alecmuffett                       www.greenlanesecurity.com
how to think clearly about                     cybersecurity@alecmuffett                      www.greenlanesecurity.com
why cybersecurity is rubbish@alecmuffett                        www.greenlanesecurity.com
...a bit too polemical?@alecmuffett                     www.greenlanesecurity.com
thesis:@alecmuffett             www.greenlanesecurity.com
1           there is a word cybersecurity@alecmuffett                    www.greenlanesecurity.com
2           this word is both a metaphor          and a model for thinking about           the challenges of information  ...
3 this model, with perhaps one exception, is unsuited to describe the challenges of     information and network security@a...
4       this model has been adopted by       state actors as key to discussion        and/or strategic consideration     o...
5       strategy based upon this model    tends to be misconceived, expensive,          and of an illiberal nature@alecmuf...
6   unless diluted with other perspectives,           this model is a lever for          increased state control of      i...
end thesis@alecmuffett                www.greenlanesecurity.com
thesis defence@alecmuffett                www.greenlanesecurity.com
1       cybersecurity: what does it mean?@alecmuffett                  www.greenlanesecurity.com
@alecmuffett   www.greenlanesecurity.com
UN                    TIL                        R   ECE                               N   TLY@alecmuffett            www....
a long time ago in a novel far far away...@alecmuffett                 www.greenlanesecurity.com
http://en.wikipedia.org/wiki/File:Neuromancer_(Book).jpg@alecmuffettwww.greenlanesecurity.com
cyberspace@alecmuffett                www.greenlanesecurity.com
not cybernetic@alecmuffett                www.greenlanesecurity.com
http://en.wikipedia.org/wiki/File:Sixmilliondollar1.jpg@alecmuffettwww.greenlanesecurity.com
virtual reality,               a real virtuality@alecmuffett                   www.greenlanesecurity.com
hackers movie                @alecmuffett   www.greenlanesecurity.com
http://en.wikipedia.org/wiki/File:Tron_poster.jpg@alecmuffettwww.greenlanesecurity.com
http://en.wikipedia.org/wiki/Internet-related_prefixes@alecmuffett                                                    cybe...
cyberpunk@alecmuffett               www.greenlanesecurity.com
http://en.wikipedia.org/wiki/File:Wargames.jpg@alecmuffettwww.greenlanesecurity.com
http://en.wikipedia.org/wiki/File:Hackersposter.jpg@alecmuffettwww.greenlanesecurity.com
http://en.wikipedia.org/wiki/File:The_Matrix_Poster.jpg@alecmuffettwww.greenlanesecurity.com
hollywood bandwagon@alecmuffett                  www.greenlanesecurity.com
cyber-everything!@alecmuffett                  www.greenlanesecurity.com
cybercrime@alecmuffett                www.greenlanesecurity.com
cybercriminals@alecmuffett                www.greenlanesecurity.com
cybersex@alecmuffett              www.greenlanesecurity.com
cyberchildren               “digital natives”@alecmuffett                  www.greenlanesecurity.com
cyberbullying@alecmuffett                   www.greenlanesecurity.com
cyberterrorists@alecmuffett                 www.greenlanesecurity.com
cyberattacks@alecmuffett                  www.greenlanesecurity.com
cyberwarfare@alecmuffett                  www.greenlanesecurity.com
cyberweapons@alecmuffett                  www.greenlanesecurity.com
cyberspies@alecmuffett                www.greenlanesecurity.com
cyberespionage@alecmuffett                www.greenlanesecurity.com
...and so forth@alecmuffett                 www.greenlanesecurity.com
AN OBSERVATION@alecmuffett                www.greenlanesecurity.com
word prefixes ...@alecmuffett                  www.greenlanesecurity.com
digital, virtual = interesting, virtuous@alecmuffett                  www.greenlanesecurity.com
virtual reality@alecmuffett                     www.greenlanesecurity.com
e-something = dull@alecmuffett                  www.greenlanesecurity.com
e-mail@alecmuffett            www.greenlanesecurity.com
iSomething@alecmuffett                www.greenlanesecurity.com
iPrefer this logo@alecmuffett                  www.greenlanesecurity.com
cyber = bad/profane?@alecmuffett                   www.greenlanesecurity.com
are we meant or predisposed                to dislike ‘cyber’ ?@alecmuffett                   www.greenlanesecurity.com
* “information superhighway”                was always boring@alecmuffett                  www.greenlanesecurity.com
pop(@stack);@alecmuffett              www.greenlanesecurity.com
2          what model does it represent?@alecmuffett                   www.greenlanesecurity.com
not cyber-space@alecmuffett                 www.greenlanesecurity.com
but cyber-space@alecmuffett                 www.greenlanesecurity.com
a near-tangible virtual world@alecmuffett                        www.greenlanesecurity.com
described as a space@alecmuffett                   www.greenlanesecurity.com
people meet in a space@alecmuffett                    www.greenlanesecurity.com
battles are fought in a space@alecmuffett                    www.greenlanesecurity.com
wars are waged in a space@alecmuffett                      www.greenlanesecurity.com
humans understand space@alecmuffett                    www.greenlanesecurity.com
underlying assumption is that  cyberspace is sufficiently like realspace    and much the same rules can apply@alecmuffett ...
alas...@alecmuffett             www.greenlanesecurity.com
3  the model is a mostly-bad fit to reality?@alecmuffett                 www.greenlanesecurity.com
cyberspace is not like realspace@alecmuffett                    www.greenlanesecurity.com
example 1: theft@alecmuffett                 www.greenlanesecurity.com
cyberspace theft is not commutative@alecmuffett                www.greenlanesecurity.com
theft in realspace               • if I steal your phone                • you no longer have it                 • it is go...
theft in cyberspace               • if I steal your data                • you still have it                  • unless I al...
later debate:           is intellectual property theft            actually theft (ie: crime) ...@alecmuffett              ...
... or is it like copyright infringement          and/or patent infringement               (ie: typically a tort)?@alecmuf...
(ask a lawyer. pay him.)@alecmuffett                      www.greenlanesecurity.com
example 2: cybersize@alecmuffett                   www.greenlanesecurity.com
“An area of Internet the size of Wales       is dedicated to cybercrime!”@alecmuffett                 www.greenlanesecurit...
social media as a country: Twitter@alecmuffett                   www.greenlanesecurity.com
@AlecMuffett               ~ 1,662 followers@alecmuffett                  www.greenlanesecurity.com
@MailOnline               ~61,024 followers@alecmuffett                  www.greenlanesecurity.com
@GuardianNews               ~321,287 followers@alecmuffett                  www.greenlanesecurity.com
Can a case for newspaper regulation   to be applied to newspaper twitterers?@alecmuffett                www.greenlanesecur...
@StephenFry               ~3,965,799 followers@alecmuffett                   www.greenlanesecurity.com
Why regulate newspapers & journalists               on Twitter,      yet not regulate Stephen Fry?@alecmuffett            ...
answer:@alecmuffett             www.greenlanesecurity.com
On Twitter      everyone is precisely the same size               0 = no twitter account                 1 = twitter accou...
On Twitter           everyone has equal capability     tweet, or not-tweet, that is the question@alecmuffett              ...
On Twitter          some have much greater reach         which is not the same thing as size*               * especially n...
a maths/compsci analogy:@alecmuffett                     www.greenlanesecurity.com
wp:directed_graph                    @alecmuffett   www.greenlanesecurity.com
graph theory →               euclidean geometry →                      twitter@alecmuffett                   www.greenlane...
a node/vertex/twitterer is a point          - ie: of zero dimension -   hence all twitterers are the same size@alecmuffett...
a line/edge/follow is that       which joins two nodes/twitterers@alecmuffett                 www.greenlanesecurity.com
the degree of a twitterer          is the number of followers,       the number of people with whom               you comm...
the only metrics on twitter               • volume                • number of tweets               • indegree             ...
so which of these three metrics          should trigger state regulation               of your twitterfeed?@alecmuffett   ...
regulation?@alecmuffett                 www.greenlanesecurity.com
if none, perhaps regulation should     pertain to the author & his message           rather than the medium@alecmuffett   ...
if the medium is irrelevant and open,   why discuss regulation of the medium          rather than of its users?@alecmuffet...
example 3: sovereignty@alecmuffett                    www.greenlanesecurity.com
“Where are the boundaries of  British (or American, etc) Cyberspace?”@alecmuffett                www.greenlanesecurity.com
(we will return to this)@alecmuffett                      www.greenlanesecurity.com
precis       society is still adjusting to the net@alecmuffett                     www.greenlanesecurity.com
4      what model has the state adopted?@alecmuffett                 www.greenlanesecurity.com
2012 - 1984 = 28@alecmuffett                  www.greenlanesecurity.com
@alecmuffett   www.greenlanesecurity.com
@alecmuffett   www.greenlanesecurity.com
if it is a place, it can be policed@alecmuffett                     www.greenlanesecurity.com
if it is a theatre, war can be prosecuted@alecmuffett                www.greenlanesecurity.com
EXPERIMENT@alecmuffett                www.greenlanesecurity.com
http://www.cpni.gov.uk/threats/cyber-threats/                                                  Cyberspace lies at the hear...
posit:               internet → communications@alecmuffett                     www.greenlanesecurity.com
replace:          cyberspace → telephoneworld                 cyber → phone@alecmuffett                 www.greenlanesecur...
http://dropsafe.crypticide.com/article/4933                                                Telephoneworld lies at the hear...
The UK must control master           Telephoneworld! Cyberspace!                  the Internet!@alecmuffett               ...
If cyberspace is communication...@alecmuffett                  www.greenlanesecurity.com
to control communication:               • you must define it               • ...and/or...               • you must inhibit...
to define communication               • propaganda                • a bad word in government lingo                • also m...
to inhibit communication               • censorship                • likewise a bad word@alecmuffett                      ...
it’s safest for government to pretend           that cyberspace is a space             filled with bad people@alecmuffett ...
metaphor drives perception@alecmuffett                      www.greenlanesecurity.com
land → army@alecmuffett                 www.greenlanesecurity.com
sea → navy@alecmuffett                www.greenlanesecurity.com
sky → air force@alecmuffett                 www.greenlanesecurity.com
cyberspace → currently up for grabs@alecmuffett                www.greenlanesecurity.com
to achieve mastery   the internet must be widely perceived      as a space which can be policed,       as a battleground i...
...but (first) what are its boundaries?@alecmuffett                   www.greenlanesecurity.com
“Where are the boundaries of            British (etc) Cyberspace?”@alecmuffett                   www.greenlanesecurity.com
depends on what you mean by:               “Boundary”                “British”@alecmuffett                www.greenlanesec...
is British Cyberspace the union of   every Briton’s ability to communicate?@alecmuffett                 www.greenlanesecur...
...then Stephen Fry is very large indeed.@alecmuffett                www.greenlanesecurity.com
is cyberspace the boundary of storage        of every and all Britons’ data?@alecmuffett                www.greenlanesecur...
...then British Cyberspace extends into  GMail and Facebook servers in the USA.@alecmuffett                www.greenlanese...
is British Cyberspace the sum over     digital/cyberactivities of all Britons?@alecmuffett                    www.greenlan...
...then the state seeks to limit        legal (or, currently non-criminal)          activities and reduce liberties       ...
Government is curiously unwilling     to clarify the matter of boundaries.@alecmuffett                  www.greenlanesecur...
5“...expensive, misconceived, illiberal...”@alecmuffett                www.greenlanesecurity.com
example quotes:@alecmuffett                www.greenlanesecurity.com
http://goo.gl/MXCsG - computerworld                                         The cost of cybercrime to the global          ...
http://goo.gl/nGPvW - computerworld                                        The annual cost of cybercrime is about         ...
http://goo.gl/A14px - symantec                                                  Symantec’s Math                           ...
http://goo.gl/qrmDn - detica                                              Cabinet Office                               “In...
http://goo.gl/eQcVS - itpro                                              ITpro                              Cyber criminal...
$1000bn vs: $388bn vs: $114bn?               £27bn vs: £1.9bn ?@alecmuffett                   www.greenlanesecurity.com
wtf?@alecmuffett          www.greenlanesecurity.com
http://goo.gl/AJMMX - cabinet office                                       @alecmuffett   www.greenlanesecurity.com
“the £27bn report”@alecmuffett                  www.greenlanesecurity.com
http://goo.gl/vKk3S - detica                                 The theft of Intellectual Property (IP) from business,       ...
This gave an overall figure for fiscal fraud by              cyber criminals of £2.2bn. p19@alecmuffett                   ...
Our total estimate for industrial espionage                        is £7.6bn p20@alecmuffett                            ww...
Overall, we estimate the most likely impact   [of online theft is] £1.3bn per annum, with the best           and worst cas...
Cyber crime      Economic impact               Identity theft       £1.7bn               Online fraud         £1.4bn      ...
@alecmuffett   www.greenlanesecurity.com
but...@alecmuffett            www.greenlanesecurity.com
“The proportion of IP actually stolen cannot at present be measured with any       degree of confidence” p16@alecmuffett  ...
“It is very hard to determine what proportion of industrial espionage       is due to cyber crime” p16@alecmuffett        ...
“Our assessments are necessarily basedon assumptions and informed judgements     rather than specific examples of cybercri...
also, do you remember...@alecmuffett                     www.greenlanesecurity.com
US: “malware is being introduced     at a rate of 55,000 pieces per day”@alecmuffett                 www.greenlanesecurity...
The UK version is...@alecmuffett                    www.greenlanesecurity.com
http://goo.gl/YwjT0                        You just have to look at some of the figures, in                       fact ove...
http://goo.gl/vK331                                            Symantec                                        “Global Int...
In 2009, Symantec created 2,895,802 new malicious code   signatures (figure 10). This is a 71 percent increase over 2008, ...
“code signatures” up 51%          therefore “malware” up 51% ?@alecmuffett                  www.greenlanesecurity.com
it doesn’t work like that.@alecmuffett                       www.greenlanesecurity.com
(hint: “polymorphic” malware)@alecmuffett                   www.greenlanesecurity.com
So: 55,000/day ?@alecmuffett                 www.greenlanesecurity.com
http://goo.gl/M09Ik                                     McAfee Threat Report:                                      Fourth ...
Malware Reaches Record NumbersMalicious code, in its seemingly infinite forms and ever expanding targets, is the largest t...
politicians & generals are using            glossy marketing reports                to bolster strategy?@alecmuffett      ...
UK Government response ?@alecmuffett                     www.greenlanesecurity.com
2011: “£640m over 4 years”@alecmuffett                      www.greenlanesecurity.com
OCSIA                     Office of                 Cyber Security and               Information Assurance@alecmuffett    ...
£640m               • cyberinvestment breakdown                • operational capabilities 65%                • critical in...
“...but the US is spending                $9bn* on cybersecurity;               are we spending enough?”                  ...
Of the £640m           9% (£58m) goes to cybercrime                65% (£416m) goes to               operational capabilit...
do the proportions reflect                 the perceived threats?@alecmuffett                       www.greenlanesecurity....
6 harmful to evolution of network security@alecmuffett                www.greenlanesecurity.com
there is clearly some reality                     to cybersecurity@alecmuffett                        www.greenlanesecurit...
CNI: Critical National Infrastructure@alecmuffett                  www.greenlanesecurity.com
CNI Events@alecmuffett                www.greenlanesecurity.com
1941: Battle of the Atlantic@alecmuffett                        www.greenlanesecurity.com
1943: Dambusters@alecmuffett                 www.greenlanesecurity.com
Gulf Wars: Iraq Power Stations@alecmuffett                    www.greenlanesecurity.com
...pursuant to an invasion, or             with a kinetic component@alecmuffett                     www.greenlanesecurity....
“The Enemy will crash our systems             and then bomb us”@alecmuffett                 www.greenlanesecurity.com
@alecmuffett   www.greenlanesecurity.com
Maybe-CNI Events               • 2007: Estonia                • no banks, services, food               • 2009: Russia/Ukra...
Non-CNI Events               • 2011: Aurora/GMail                • espionage                 • who died?                 •...
Nonetheless there is clearly           some risk of being blindsided@alecmuffett                    www.greenlanesecurity....
there is land-war@alecmuffett                  www.greenlanesecurity.com
there is sea-war@alecmuffett                  www.greenlanesecurity.com
there is air-war@alecmuffett                  www.greenlanesecurity.com
so there is cyber-war...   but it should not dominate all strategy@alecmuffett                 www.greenlanesecurity.com
compare: air supremacy@alecmuffett                    www.greenlanesecurity.com
military cybersecurity?@alecmuffett                     www.greenlanesecurity.com
You might ask:          where’s the harm in overall        cyberspace/security philosophy?@alecmuffett                  ww...
If not to the exclusion of all others?@alecmuffett                   www.greenlanesecurity.com
1) expansion of the state@alecmuffett                      www.greenlanesecurity.com
What’s a politician more likely       to tell the public?            1) “you’re on your own”        2) “we’re sorting it o...
Who is better to be responsible for a family’s cybersecurity?               1) the family members                2) state ...
2) interference in evolution/education@alecmuffett                 www.greenlanesecurity.com
karmic cycle               • technologies change                • people complain               • problems arise          ...
people always complain,                but they use and learn.@alecmuffett                     www.greenlanesecurity.com
3) tunnel vision@alecmuffett                  www.greenlanesecurity.com
eg: an alternative spending model@alecmuffett                  www.greenlanesecurity.com
...it’s actually a terrible idea -         do not share this with people...@alecmuffett                     www.greenlanes...
if we’re worried about viruses...@alecmuffett                   www.greenlanesecurity.com
why not make anti-virus/anti-malware          available on the NHS?@alecmuffett              www.greenlanesecurity.com
free at the point of use@alecmuffett                      www.greenlanesecurity.com
distributed to all citizens@alecmuffett                        www.greenlanesecurity.com
pick what is suitable for your needs@alecmuffett                   www.greenlanesecurity.com
run “flu jab”-like information campaigns@alecmuffett                www.greenlanesecurity.com
no huge centralised IT project@alecmuffett                    www.greenlanesecurity.com
a great idea,             to the extent limited by          bureaucracy, goals and targets@alecmuffett                   w...
ie: this specific idea would be doomed...@alecmuffett                www.greenlanesecurity.com
...and any Government project      to lead security would be likewise?@alecmuffett                  www.greenlanesecurity....
But if you could address security    efficiently, in a distributed manner...@alecmuffett                   www.greenlanese...
then why instead spend               taxpayer money centrally?@alecmuffett                      www.greenlanesecurity.com
Perhaps cybersecurity isn’t actually        about protecting the public?@alecmuffett                  www.greenlanesecurit...
Perhaps it’s about Government spending?@alecmuffett               www.greenlanesecurity.com
But that would mean it’s rubbish.@alecmuffett                  www.greenlanesecurity.com
QED@alecmuffett         www.greenlanesecurity.com
discuss?@alecmuffett              www.greenlanesecurity.com
@alecmuffett@alecmuffett                  www.greenlanesecurity.com
Upcoming SlideShare
Loading in …5
×

How To Think Clearly About Cybersecurity v2

4,804 views

Published on

also known as...

Published in: Technology, Business

How To Think Clearly About Cybersecurity v2

  1. 1. how to think clearly about (cyber) security @alecmuffett www.alecmuffett.com green lane security www.greenlanesecurity.com v2.0@alecmuffett www.greenlanesecurity.com
  2. 2. how to think clearly about security@alecmuffett www.greenlanesecurity.com
  3. 3. how to think clearly about cybersecurity@alecmuffett www.greenlanesecurity.com
  4. 4. why cybersecurity is rubbish@alecmuffett www.greenlanesecurity.com
  5. 5. ...a bit too polemical?@alecmuffett www.greenlanesecurity.com
  6. 6. thesis:@alecmuffett www.greenlanesecurity.com
  7. 7. 1 there is a word cybersecurity@alecmuffett www.greenlanesecurity.com
  8. 8. 2 this word is both a metaphor and a model for thinking about the challenges of information and network security@alecmuffett www.greenlanesecurity.com
  9. 9. 3 this model, with perhaps one exception, is unsuited to describe the challenges of information and network security@alecmuffett www.greenlanesecurity.com
  10. 10. 4 this model has been adopted by state actors as key to discussion and/or strategic consideration of information and network security@alecmuffett www.greenlanesecurity.com
  11. 11. 5 strategy based upon this model tends to be misconceived, expensive, and of an illiberal nature@alecmuffett www.greenlanesecurity.com
  12. 12. 6 unless diluted with other perspectives, this model is a lever for increased state control of information and network security that will harm the evolution of the field@alecmuffett www.greenlanesecurity.com
  13. 13. end thesis@alecmuffett www.greenlanesecurity.com
  14. 14. thesis defence@alecmuffett www.greenlanesecurity.com
  15. 15. 1 cybersecurity: what does it mean?@alecmuffett www.greenlanesecurity.com
  16. 16. @alecmuffett www.greenlanesecurity.com
  17. 17. UN TIL R ECE N TLY@alecmuffett www.greenlanesecurity.com
  18. 18. a long time ago in a novel far far away...@alecmuffett www.greenlanesecurity.com
  19. 19. http://en.wikipedia.org/wiki/File:Neuromancer_(Book).jpg@alecmuffettwww.greenlanesecurity.com
  20. 20. cyberspace@alecmuffett www.greenlanesecurity.com
  21. 21. not cybernetic@alecmuffett www.greenlanesecurity.com
  22. 22. http://en.wikipedia.org/wiki/File:Sixmilliondollar1.jpg@alecmuffettwww.greenlanesecurity.com
  23. 23. virtual reality, a real virtuality@alecmuffett www.greenlanesecurity.com
  24. 24. hackers movie @alecmuffett www.greenlanesecurity.com
  25. 25. http://en.wikipedia.org/wiki/File:Tron_poster.jpg@alecmuffettwww.greenlanesecurity.com
  26. 26. http://en.wikipedia.org/wiki/Internet-related_prefixes@alecmuffett cyber-prefixwww.greenlanesecurity.com
  27. 27. cyberpunk@alecmuffett www.greenlanesecurity.com
  28. 28. http://en.wikipedia.org/wiki/File:Wargames.jpg@alecmuffettwww.greenlanesecurity.com
  29. 29. http://en.wikipedia.org/wiki/File:Hackersposter.jpg@alecmuffettwww.greenlanesecurity.com
  30. 30. http://en.wikipedia.org/wiki/File:The_Matrix_Poster.jpg@alecmuffettwww.greenlanesecurity.com
  31. 31. hollywood bandwagon@alecmuffett www.greenlanesecurity.com
  32. 32. cyber-everything!@alecmuffett www.greenlanesecurity.com
  33. 33. cybercrime@alecmuffett www.greenlanesecurity.com
  34. 34. cybercriminals@alecmuffett www.greenlanesecurity.com
  35. 35. cybersex@alecmuffett www.greenlanesecurity.com
  36. 36. cyberchildren “digital natives”@alecmuffett www.greenlanesecurity.com
  37. 37. cyberbullying@alecmuffett www.greenlanesecurity.com
  38. 38. cyberterrorists@alecmuffett www.greenlanesecurity.com
  39. 39. cyberattacks@alecmuffett www.greenlanesecurity.com
  40. 40. cyberwarfare@alecmuffett www.greenlanesecurity.com
  41. 41. cyberweapons@alecmuffett www.greenlanesecurity.com
  42. 42. cyberspies@alecmuffett www.greenlanesecurity.com
  43. 43. cyberespionage@alecmuffett www.greenlanesecurity.com
  44. 44. ...and so forth@alecmuffett www.greenlanesecurity.com
  45. 45. AN OBSERVATION@alecmuffett www.greenlanesecurity.com
  46. 46. word prefixes ...@alecmuffett www.greenlanesecurity.com
  47. 47. digital, virtual = interesting, virtuous@alecmuffett www.greenlanesecurity.com
  48. 48. virtual reality@alecmuffett www.greenlanesecurity.com
  49. 49. e-something = dull@alecmuffett www.greenlanesecurity.com
  50. 50. e-mail@alecmuffett www.greenlanesecurity.com
  51. 51. iSomething@alecmuffett www.greenlanesecurity.com
  52. 52. iPrefer this logo@alecmuffett www.greenlanesecurity.com
  53. 53. cyber = bad/profane?@alecmuffett www.greenlanesecurity.com
  54. 54. are we meant or predisposed to dislike ‘cyber’ ?@alecmuffett www.greenlanesecurity.com
  55. 55. * “information superhighway” was always boring@alecmuffett www.greenlanesecurity.com
  56. 56. pop(@stack);@alecmuffett www.greenlanesecurity.com
  57. 57. 2 what model does it represent?@alecmuffett www.greenlanesecurity.com
  58. 58. not cyber-space@alecmuffett www.greenlanesecurity.com
  59. 59. but cyber-space@alecmuffett www.greenlanesecurity.com
  60. 60. a near-tangible virtual world@alecmuffett www.greenlanesecurity.com
  61. 61. described as a space@alecmuffett www.greenlanesecurity.com
  62. 62. people meet in a space@alecmuffett www.greenlanesecurity.com
  63. 63. battles are fought in a space@alecmuffett www.greenlanesecurity.com
  64. 64. wars are waged in a space@alecmuffett www.greenlanesecurity.com
  65. 65. humans understand space@alecmuffett www.greenlanesecurity.com
  66. 66. underlying assumption is that cyberspace is sufficiently like realspace and much the same rules can apply@alecmuffett www.greenlanesecurity.com
  67. 67. alas...@alecmuffett www.greenlanesecurity.com
  68. 68. 3 the model is a mostly-bad fit to reality?@alecmuffett www.greenlanesecurity.com
  69. 69. cyberspace is not like realspace@alecmuffett www.greenlanesecurity.com
  70. 70. example 1: theft@alecmuffett www.greenlanesecurity.com
  71. 71. cyberspace theft is not commutative@alecmuffett www.greenlanesecurity.com
  72. 72. theft in realspace • if I steal your phone • you no longer have it • it is gone@alecmuffett www.greenlanesecurity.com
  73. 73. theft in cyberspace • if I steal your data • you still have it • unless I also destroy your copies • assuming you haven’t backed-up your data • you no longer have secrecy • not the same as “loss”@alecmuffett www.greenlanesecurity.com
  74. 74. later debate: is intellectual property theft actually theft (ie: crime) ...@alecmuffett www.greenlanesecurity.com
  75. 75. ... or is it like copyright infringement and/or patent infringement (ie: typically a tort)?@alecmuffett www.greenlanesecurity.com
  76. 76. (ask a lawyer. pay him.)@alecmuffett www.greenlanesecurity.com
  77. 77. example 2: cybersize@alecmuffett www.greenlanesecurity.com
  78. 78. “An area of Internet the size of Wales is dedicated to cybercrime!”@alecmuffett www.greenlanesecurity.com
  79. 79. social media as a country: Twitter@alecmuffett www.greenlanesecurity.com
  80. 80. @AlecMuffett ~ 1,662 followers@alecmuffett www.greenlanesecurity.com
  81. 81. @MailOnline ~61,024 followers@alecmuffett www.greenlanesecurity.com
  82. 82. @GuardianNews ~321,287 followers@alecmuffett www.greenlanesecurity.com
  83. 83. Can a case for newspaper regulation to be applied to newspaper twitterers?@alecmuffett www.greenlanesecurity.com
  84. 84. @StephenFry ~3,965,799 followers@alecmuffett www.greenlanesecurity.com
  85. 85. Why regulate newspapers & journalists on Twitter, yet not regulate Stephen Fry?@alecmuffett www.greenlanesecurity.com
  86. 86. answer:@alecmuffett www.greenlanesecurity.com
  87. 87. On Twitter everyone is precisely the same size 0 = no twitter account 1 = twitter account@alecmuffett www.greenlanesecurity.com
  88. 88. On Twitter everyone has equal capability tweet, or not-tweet, that is the question@alecmuffett www.greenlanesecurity.com
  89. 89. On Twitter some have much greater reach which is not the same thing as size* * especially not “size of Wales”@alecmuffett www.greenlanesecurity.com
  90. 90. a maths/compsci analogy:@alecmuffett www.greenlanesecurity.com
  91. 91. wp:directed_graph @alecmuffett www.greenlanesecurity.com
  92. 92. graph theory → euclidean geometry → twitter@alecmuffett www.greenlanesecurity.com
  93. 93. a node/vertex/twitterer is a point - ie: of zero dimension - hence all twitterers are the same size@alecmuffett www.greenlanesecurity.com
  94. 94. a line/edge/follow is that which joins two nodes/twitterers@alecmuffett www.greenlanesecurity.com
  95. 95. the degree of a twitterer is the number of followers, the number of people with whom you communicate@alecmuffett www.greenlanesecurity.com
  96. 96. the only metrics on twitter • volume • number of tweets • indegree • number of followers • outdegree • number of people you follow@alecmuffett www.greenlanesecurity.com
  97. 97. so which of these three metrics should trigger state regulation of your twitterfeed?@alecmuffett www.greenlanesecurity.com
  98. 98. regulation?@alecmuffett www.greenlanesecurity.com
  99. 99. if none, perhaps regulation should pertain to the author & his message rather than the medium@alecmuffett www.greenlanesecurity.com
  100. 100. if the medium is irrelevant and open, why discuss regulation of the medium rather than of its users?@alecmuffett www.greenlanesecurity.com
  101. 101. example 3: sovereignty@alecmuffett www.greenlanesecurity.com
  102. 102. “Where are the boundaries of British (or American, etc) Cyberspace?”@alecmuffett www.greenlanesecurity.com
  103. 103. (we will return to this)@alecmuffett www.greenlanesecurity.com
  104. 104. precis society is still adjusting to the net@alecmuffett www.greenlanesecurity.com
  105. 105. 4 what model has the state adopted?@alecmuffett www.greenlanesecurity.com
  106. 106. 2012 - 1984 = 28@alecmuffett www.greenlanesecurity.com
  107. 107. @alecmuffett www.greenlanesecurity.com
  108. 108. @alecmuffett www.greenlanesecurity.com
  109. 109. if it is a place, it can be policed@alecmuffett www.greenlanesecurity.com
  110. 110. if it is a theatre, war can be prosecuted@alecmuffett www.greenlanesecurity.com
  111. 111. EXPERIMENT@alecmuffett www.greenlanesecurity.com
  112. 112. http://www.cpni.gov.uk/threats/cyber-threats/ Cyberspace lies at the heart of modern society; it impacts our personal lives, our businesses and our essential services. Cyber security embraces both the public and the private sector and spans a broad range of issues related to national security, whether through terrorism, crime or industrial espionage. E-crime, or cyber-crime, whether relating to theft, hacking or denial of service to vital systems, has become a fact of life. The risk of industrial cyber espionage, in which one company makes active attacks on another, through cyberspace, to acquire high value information is also very real. Cyber terrorism presents challenges for the future. We have to be prepared for terrorists seeking to take advantage of our increasing internet dependency to attack or disable key systems. @alecmuffett www.greenlanesecurity.com
  113. 113. posit: internet → communications@alecmuffett www.greenlanesecurity.com
  114. 114. replace: cyberspace → telephoneworld cyber → phone@alecmuffett www.greenlanesecurity.com
  115. 115. http://dropsafe.crypticide.com/article/4933 Telephoneworld lies at the heart of modern society; it impacts our personal lives, our businesses and our essential services. Phone security embraces both the public and the private sector and spans a broad range of issues related to national security, whether through terrorism, crime or industrial espionage. E-crime, or phone-crime, whether relating to theft, hacking or denial of service to vital systems, has become a fact of life. The risk of industrial phone espionage, in which one company makes active attacks on another, through Telephoneworld, to acquire high value information is also very real. Phone terrorism presents challenges for the future. We have to be prepared for terrorists seeking to take advantage of our increasing communications dependency to attack or disable key systems. @alecmuffett www.greenlanesecurity.com
  116. 116. The UK must control master Telephoneworld! Cyberspace! the Internet!@alecmuffett www.greenlanesecurity.com
  117. 117. If cyberspace is communication...@alecmuffett www.greenlanesecurity.com
  118. 118. to control communication: • you must define it • ...and/or... • you must inhibit it@alecmuffett www.greenlanesecurity.com
  119. 119. to define communication • propaganda • a bad word in government lingo • also marketing & public relations@alecmuffett www.greenlanesecurity.com
  120. 120. to inhibit communication • censorship • likewise a bad word@alecmuffett www.greenlanesecurity.com
  121. 121. it’s safest for government to pretend that cyberspace is a space filled with bad people@alecmuffett www.greenlanesecurity.com
  122. 122. metaphor drives perception@alecmuffett www.greenlanesecurity.com
  123. 123. land → army@alecmuffett www.greenlanesecurity.com
  124. 124. sea → navy@alecmuffett www.greenlanesecurity.com
  125. 125. sky → air force@alecmuffett www.greenlanesecurity.com
  126. 126. cyberspace → currently up for grabs@alecmuffett www.greenlanesecurity.com
  127. 127. to achieve mastery the internet must be widely perceived as a space which can be policed, as a battleground in which war may be prosecuted...@alecmuffett www.greenlanesecurity.com
  128. 128. ...but (first) what are its boundaries?@alecmuffett www.greenlanesecurity.com
  129. 129. “Where are the boundaries of British (etc) Cyberspace?”@alecmuffett www.greenlanesecurity.com
  130. 130. depends on what you mean by: “Boundary” “British”@alecmuffett www.greenlanesecurity.com
  131. 131. is British Cyberspace the union of every Briton’s ability to communicate?@alecmuffett www.greenlanesecurity.com
  132. 132. ...then Stephen Fry is very large indeed.@alecmuffett www.greenlanesecurity.com
  133. 133. is cyberspace the boundary of storage of every and all Britons’ data?@alecmuffett www.greenlanesecurity.com
  134. 134. ...then British Cyberspace extends into GMail and Facebook servers in the USA.@alecmuffett www.greenlanesecurity.com
  135. 135. is British Cyberspace the sum over digital/cyberactivities of all Britons?@alecmuffett www.greenlanesecurity.com
  136. 136. ...then the state seeks to limit legal (or, currently non-criminal) activities and reduce liberties of only its citizenry@alecmuffett www.greenlanesecurity.com
  137. 137. Government is curiously unwilling to clarify the matter of boundaries.@alecmuffett www.greenlanesecurity.com
  138. 138. 5“...expensive, misconceived, illiberal...”@alecmuffett www.greenlanesecurity.com
  139. 139. example quotes:@alecmuffett www.greenlanesecurity.com
  140. 140. http://goo.gl/MXCsG - computerworld The cost of cybercrime to the global economy is estimated at $1 trillion [US General Keith] Alexander stated and malware is being introduced at a rate of 55,000 pieces per day, or one per second. @alecmuffett www.greenlanesecurity.com
  141. 141. http://goo.gl/nGPvW - computerworld The annual cost of cybercrime is about $388 billion, including money and time lost, said Brian Tillett, chief security strategist at Symantec. That’s about $100 billion more than the global black market trade in heroin, cocaine and marijuana combined, he said. @alecmuffett www.greenlanesecurity.com
  142. 142. http://goo.gl/A14px - symantec Symantec’s Math • $388bn = • $114bn “cost” + • $274bn “lost time” @alecmuffett www.greenlanesecurity.com
  143. 143. http://goo.gl/qrmDn - detica Cabinet Office “In our most-likely scenario, we estimate the cost of cyber crime to the UK to be £27bn per annum” @alecmuffett www.greenlanesecurity.com
  144. 144. http://goo.gl/eQcVS - itpro ITpro Cyber criminals will cost the UK economy an estimated £1.9 billion in 2011, according to a Symantec report. @alecmuffett www.greenlanesecurity.com
  145. 145. $1000bn vs: $388bn vs: $114bn? £27bn vs: £1.9bn ?@alecmuffett www.greenlanesecurity.com
  146. 146. wtf?@alecmuffett www.greenlanesecurity.com
  147. 147. http://goo.gl/AJMMX - cabinet office @alecmuffett www.greenlanesecurity.com
  148. 148. “the £27bn report”@alecmuffett www.greenlanesecurity.com
  149. 149. http://goo.gl/vKk3S - detica The theft of Intellectual Property (IP) from business, which has the greatest economic impact of any type of cyber crime is estimated to be £9.2bn per annum. p18 @alecmuffett www.greenlanesecurity.com
  150. 150. This gave an overall figure for fiscal fraud by cyber criminals of £2.2bn. p19@alecmuffett www.greenlanesecurity.com
  151. 151. Our total estimate for industrial espionage is £7.6bn p20@alecmuffett www.greenlanesecurity.com
  152. 152. Overall, we estimate the most likely impact [of online theft is] £1.3bn per annum, with the best and worst case estimates £1.0bn and £2.7bn respectively. p21@alecmuffett www.greenlanesecurity.com
  153. 153. Cyber crime Economic impact Identity theft £1.7bn Online fraud £1.4bn Scareware & fake AV £30m p18@alecmuffett www.greenlanesecurity.com
  154. 154. @alecmuffett www.greenlanesecurity.com
  155. 155. but...@alecmuffett www.greenlanesecurity.com
  156. 156. “The proportion of IP actually stolen cannot at present be measured with any degree of confidence” p16@alecmuffett www.greenlanesecurity.com
  157. 157. “It is very hard to determine what proportion of industrial espionage is due to cyber crime” p16@alecmuffett www.greenlanesecurity.com
  158. 158. “Our assessments are necessarily basedon assumptions and informed judgements rather than specific examples of cybercrime, or from data of a classified or commercially sensitive origin” p5@alecmuffett www.greenlanesecurity.com
  159. 159. also, do you remember...@alecmuffett www.greenlanesecurity.com
  160. 160. US: “malware is being introduced at a rate of 55,000 pieces per day”@alecmuffett www.greenlanesecurity.com
  161. 161. The UK version is...@alecmuffett www.greenlanesecurity.com
  162. 162. http://goo.gl/YwjT0 You just have to look at some of the figures, in fact over 50%, just about 51% of the malicious software threats that have been ever identified, were identified in 2009. Theresa May, Today Programme, Oct 2010 @alecmuffett www.greenlanesecurity.com
  163. 163. http://goo.gl/vK331 Symantec “Global Internet Security Threat Report - Trends for 2009” @alecmuffett www.greenlanesecurity.com
  164. 164. In 2009, Symantec created 2,895,802 new malicious code signatures (figure 10). This is a 71 percent increase over 2008, when 1,691,323 new malicious code signatures wereadded. Although the percentage increase in signatures addedis less than the 139 percent increase from 2007 to 2008, the overall number of malicious code signatures by the end of 2009 grew to 5,724,106. This means that of all the malicious code signatures created by Symantec, 51 percent of that total was created in 2009. This is slightly less than 2008, when approximately 60 percent of all signatures at the time were created.@alecmuffett www.greenlanesecurity.com
  165. 165. “code signatures” up 51% therefore “malware” up 51% ?@alecmuffett www.greenlanesecurity.com
  166. 166. it doesn’t work like that.@alecmuffett www.greenlanesecurity.com
  167. 167. (hint: “polymorphic” malware)@alecmuffett www.greenlanesecurity.com
  168. 168. So: 55,000/day ?@alecmuffett www.greenlanesecurity.com
  169. 169. http://goo.gl/M09Ik McAfee Threat Report: Fourth Quarter 2010 @alecmuffett www.greenlanesecurity.com
  170. 170. Malware Reaches Record NumbersMalicious code, in its seemingly infinite forms and ever expanding targets, is the largest threat that McAfee Labs combats daily. We have seen its functionality increase everyyear. We have seen its sophistication increase every year. We have seen the platforms it targets evolve every year with increasingly clever ways of stealing data. In 2010 McAfee Labs identified more than 20 million new pieces of malware. Stop. We’ll repeat that figure. More than 20 million new pieces of malware appearing last year means that weidentify nearly 55,000 malware threats every day. That figure is up from 2009. That figure is up from 2008. That figure is way up from 2007. Of the almost 55 million pieces of malware McAfee Labs has identified and protected against, 36 percent of it was written in 2010!@alecmuffett www.greenlanesecurity.com
  171. 171. politicians & generals are using glossy marketing reports to bolster strategy?@alecmuffett www.greenlanesecurity.com
  172. 172. UK Government response ?@alecmuffett www.greenlanesecurity.com
  173. 173. 2011: “£640m over 4 years”@alecmuffett www.greenlanesecurity.com
  174. 174. OCSIA Office of Cyber Security and Information Assurance@alecmuffett www.greenlanesecurity.com
  175. 175. £640m • cyberinvestment breakdown • operational capabilities 65% • critical infrastructure 20% • cybercrime 9% • reserve and baseline 5%@alecmuffett www.greenlanesecurity.com
  176. 176. “...but the US is spending $9bn* on cybersecurity; are we spending enough?” - Audience Member, BCS Meeting Cyber Challenges of 2012 * Actually closer to $11bn@alecmuffett www.greenlanesecurity.com
  177. 177. Of the £640m 9% (£58m) goes to cybercrime 65% (£416m) goes to operational capabilities@alecmuffett www.greenlanesecurity.com
  178. 178. do the proportions reflect the perceived threats?@alecmuffett www.greenlanesecurity.com
  179. 179. 6 harmful to evolution of network security@alecmuffett www.greenlanesecurity.com
  180. 180. there is clearly some reality to cybersecurity@alecmuffett www.greenlanesecurity.com
  181. 181. CNI: Critical National Infrastructure@alecmuffett www.greenlanesecurity.com
  182. 182. CNI Events@alecmuffett www.greenlanesecurity.com
  183. 183. 1941: Battle of the Atlantic@alecmuffett www.greenlanesecurity.com
  184. 184. 1943: Dambusters@alecmuffett www.greenlanesecurity.com
  185. 185. Gulf Wars: Iraq Power Stations@alecmuffett www.greenlanesecurity.com
  186. 186. ...pursuant to an invasion, or with a kinetic component@alecmuffett www.greenlanesecurity.com
  187. 187. “The Enemy will crash our systems and then bomb us”@alecmuffett www.greenlanesecurity.com
  188. 188. @alecmuffett www.greenlanesecurity.com
  189. 189. Maybe-CNI Events • 2007: Estonia • no banks, services, food • 2009: Russia/Ukraine Gas • people freezing@alecmuffett www.greenlanesecurity.com
  190. 190. Non-CNI Events • 2011: Aurora/GMail • espionage • who died? • what service was lost? • where did a bomb go off?@alecmuffett www.greenlanesecurity.com
  191. 191. Nonetheless there is clearly some risk of being blindsided@alecmuffett www.greenlanesecurity.com
  192. 192. there is land-war@alecmuffett www.greenlanesecurity.com
  193. 193. there is sea-war@alecmuffett www.greenlanesecurity.com
  194. 194. there is air-war@alecmuffett www.greenlanesecurity.com
  195. 195. so there is cyber-war... but it should not dominate all strategy@alecmuffett www.greenlanesecurity.com
  196. 196. compare: air supremacy@alecmuffett www.greenlanesecurity.com
  197. 197. military cybersecurity?@alecmuffett www.greenlanesecurity.com
  198. 198. You might ask: where’s the harm in overall cyberspace/security philosophy?@alecmuffett www.greenlanesecurity.com
  199. 199. If not to the exclusion of all others?@alecmuffett www.greenlanesecurity.com
  200. 200. 1) expansion of the state@alecmuffett www.greenlanesecurity.com
  201. 201. What’s a politician more likely to tell the public? 1) “you’re on your own” 2) “we’re sorting it out for you”@alecmuffett www.greenlanesecurity.com
  202. 202. Who is better to be responsible for a family’s cybersecurity? 1) the family members 2) state cyber-police@alecmuffett www.greenlanesecurity.com
  203. 203. 2) interference in evolution/education@alecmuffett www.greenlanesecurity.com
  204. 204. karmic cycle • technologies change • people complain • problems arise • people complain • problems get fixed • people complain@alecmuffett www.greenlanesecurity.com
  205. 205. people always complain, but they use and learn.@alecmuffett www.greenlanesecurity.com
  206. 206. 3) tunnel vision@alecmuffett www.greenlanesecurity.com
  207. 207. eg: an alternative spending model@alecmuffett www.greenlanesecurity.com
  208. 208. ...it’s actually a terrible idea - do not share this with people...@alecmuffett www.greenlanesecurity.com
  209. 209. if we’re worried about viruses...@alecmuffett www.greenlanesecurity.com
  210. 210. why not make anti-virus/anti-malware available on the NHS?@alecmuffett www.greenlanesecurity.com
  211. 211. free at the point of use@alecmuffett www.greenlanesecurity.com
  212. 212. distributed to all citizens@alecmuffett www.greenlanesecurity.com
  213. 213. pick what is suitable for your needs@alecmuffett www.greenlanesecurity.com
  214. 214. run “flu jab”-like information campaigns@alecmuffett www.greenlanesecurity.com
  215. 215. no huge centralised IT project@alecmuffett www.greenlanesecurity.com
  216. 216. a great idea, to the extent limited by bureaucracy, goals and targets@alecmuffett www.greenlanesecurity.com
  217. 217. ie: this specific idea would be doomed...@alecmuffett www.greenlanesecurity.com
  218. 218. ...and any Government project to lead security would be likewise?@alecmuffett www.greenlanesecurity.com
  219. 219. But if you could address security efficiently, in a distributed manner...@alecmuffett www.greenlanesecurity.com
  220. 220. then why instead spend taxpayer money centrally?@alecmuffett www.greenlanesecurity.com
  221. 221. Perhaps cybersecurity isn’t actually about protecting the public?@alecmuffett www.greenlanesecurity.com
  222. 222. Perhaps it’s about Government spending?@alecmuffett www.greenlanesecurity.com
  223. 223. But that would mean it’s rubbish.@alecmuffett www.greenlanesecurity.com
  224. 224. QED@alecmuffett www.greenlanesecurity.com
  225. 225. discuss?@alecmuffett www.greenlanesecurity.com
  226. 226. @alecmuffett@alecmuffett www.greenlanesecurity.com

×