How To Think Clearly About Cybersecurity v2

how to think clearly
about (cyber) security
@alecmuffett
www.alecmuffett.com

green lane security
www.greenlanesecurity.com
v2.0
@alecmuffett www.greenlanesecurity.com

how to think clearly about
security


how to think clearly about
cybersecurity


why cybersecurity is rubbish


...a bit too polemical?


thesis:


1
there is a word cybersecurity


2
this word is both a metaphor
and a model for thinking about
the challenges of information
and network security


3
this model, with perhaps one exception,
is unsuited to describe the challenges of
information and network security


4
this model has been adopted by
state actors as key to discussion
and/or strategic consideration
of information and network security


5
strategy based upon this model
tends to be misconceived, expensive,
and of an illiberal nature


6
unless diluted with other perspectives,
this model is a lever for
increased state control of
information and network security
that will harm the evolution of the field


end thesis


thesis defence


1
cybersecurity: what does it mean?


UN
TIL
R ECE
N TLY


a long time ago in a novel far far away...


http://en.wikipedia.org/wiki/File:Neuromancer_(Book).jpg

@alecmuffett

cyberspace


not cybernetic


http://en.wikipedia.org/wiki/File:Sixmilliondollar1.jpg

@alecmuffett

virtual reality,
a real virtuality


hackers movie


http://en.wikipedia.org/wiki/File:Tron_poster.jpg

@alecmuffett

http://en.wikipedia.org/wiki/Internet-related_prefixes

@alecmuffett
cyber-prefix


cyberpunk


http://en.wikipedia.org/wiki/File:Wargames.jpg

@alecmuffett

http://en.wikipedia.org/wiki/File:Hackersposter.jpg

@alecmuffett

http://en.wikipedia.org/wiki/File:The_Matrix_Poster.jpg

@alecmuffett

hollywood bandwagon


cyber-everything!


cybercrime


cybercriminals


cybersex


cyberchildren
“digital natives”


cyberbullying


cyberterrorists


cyberattacks


cyberwarfare


cyberweapons


cyberspies


cyberespionage


...and so forth


AN OBSERVATION


word prefixes ...


digital, virtual = interesting, virtuous


virtual reality


e-something = dull


e-mail


iSomething


iPrefer this logo


cyber = bad/profane?


are we meant or predisposed
to dislike ‘cyber’ ?


* “information superhighway”
was always boring


pop(@stack);


2
what model does it represent?


not cyber-space


but cyber-space


a near-tangible virtual world


described as a space


people meet in a space


battles are fought in a space


wars are waged in a space


humans understand space


underlying assumption is that
cyberspace is sufficiently like realspace
and much the same rules can apply


alas...


3
the model is a mostly-bad fit to reality?


cyberspace is not like realspace


example 1: theft


cyberspace theft is not commutative


theft in realspace
• if I steal your phone
• you no longer have it
• it is gone


theft in cyberspace
• if I steal your data
• you still have it
• unless I also destroy your copies
• assuming you haven’t backed-up your data
• you no longer have secrecy
• not the same as “loss”


later debate:
is intellectual property theft
actually theft (ie: crime) ...


... or is it like copyright infringement
and/or patent infringement
(ie: typically a tort)?


(ask a lawyer. pay him.)


example 2: cybersize


“An area of Internet the size of Wales
is dedicated to cybercrime!”


social media as a country: Twitter


@AlecMuffett
~ 1,662 followers


@MailOnline
~61,024 followers


@GuardianNews
~321,287 followers


Can a case for newspaper regulation
to be applied to newspaper twitterers?


@StephenFry
~3,965,799 followers


Why regulate newspapers & journalists
on Twitter,
yet not regulate Stephen Fry?


answer:


On Twitter
everyone is precisely the same size
0 = no twitter account
1 = twitter account


On Twitter
everyone has equal capability
tweet, or not-tweet, that is the question


On Twitter
some have much greater reach
which is not the same thing as size*

* especially not “size of Wales”


a maths/compsci analogy:


wp:directed_graph


graph theory →
euclidean geometry →
twitter


a node/vertex/twitterer is a point
- ie: of zero dimension -
hence all twitterers are the same size


a line/edge/follow is that
which joins two nodes/twitterers


the degree of a twitterer
is the number of followers,
the number of people with whom
you communicate


the only metrics on twitter
• volume
• number of tweets
• indegree
• number of followers
• outdegree
• number of people you follow


so which of these three metrics
should trigger state regulation
of your twitterfeed?


regulation?


if none, perhaps regulation should
pertain to the author & his message
rather than the medium


if the medium is irrelevant and open,
why discuss regulation of the medium
rather than of its users?


example 3: sovereignty


“Where are the boundaries of
British (or American, etc) Cyberspace?”


(we will return to this)


precis
society is still adjusting to the net


4
what model has the state adopted?


2012 - 1984 = 28


if it is a place, it can be policed


if it is a theatre, war can be prosecuted


EXPERIMENT


http://www.cpni.gov.uk/threats/cyber-threats/

Cyberspace lies at the heart of modern society; it impacts our personal
lives, our businesses and our essential services. Cyber security embraces
both the public and the private sector and spans a broad range of issues
related to national security, whether through terrorism, crime or industrial
espionage.

E-crime, or cyber-crime, whether relating to theft, hacking or denial of
service to vital systems, has become a fact of life. The risk of industrial
cyber espionage, in which one company makes active attacks on
another, through cyberspace, to acquire high value information is also
very real.

Cyber terrorism presents challenges for the future. We have to be
prepared for terrorists seeking to take advantage of our increasing
internet dependency to attack or disable key systems.


posit:
internet → communications


replace:
cyberspace → telephoneworld
cyber → phone


http://dropsafe.crypticide.com/article/4933

Telephoneworld lies at the heart of modern society; it impacts our
personal lives, our businesses and our essential services. Phone security
embraces both the public and the private sector and spans a broad range
of issues related to national security, whether through terrorism, crime or
industrial espionage.

E-crime, or phone-crime, whether relating to theft, hacking or denial of
service to vital systems, has become a fact of life. The risk of industrial
phone espionage, in which one company makes active attacks on
another, through Telephoneworld, to acquire high value information is
also very real.

Phone terrorism presents challenges for the future. We have to be
prepared for terrorists seeking to take advantage of our increasing
communications dependency to attack or disable key systems.


The UK must control master
Telephoneworld! Cyberspace!
the Internet!


If cyberspace is communication...


to control communication:
• you must define it
• ...and/or...
• you must inhibit it


to define communication
• propaganda
• a bad word in government lingo
• also marketing & public relations


to inhibit communication
• censorship
• likewise a bad word


it’s safest for government to pretend
that cyberspace is a space
filled with bad people


metaphor drives perception


land → army


sea → navy


sky → air force


cyberspace → currently up for grabs


to achieve mastery
the internet must be widely perceived
as a space which can be policed,
as a battleground in which war
may be prosecuted...


...but (first) what are its boundaries?


“Where are the boundaries of
British (etc) Cyberspace?”


depends on what you mean by:
“Boundary”
“British”


is British Cyberspace the union of
every Briton’s ability to communicate?


...then Stephen Fry is very large indeed.


is cyberspace the boundary of storage
of every and all Britons’ data?


...then British Cyberspace extends into
GMail and Facebook servers in the USA.


is British Cyberspace the sum over
digital/cyberactivities of all Britons?


...then the state seeks to limit
legal (or, currently non-criminal)
activities and reduce liberties
of only its citizenry


Government is curiously unwilling
to clarify the matter of boundaries.


5

“...expensive, misconceived, illiberal...”


example quotes:


http://goo.gl/MXCsG - computerworld

The cost of cybercrime to the global
economy is estimated at $1 trillion
[US General Keith] Alexander stated and
malware is being introduced at a rate of
55,000 pieces per day,
or one per second.


http://goo.gl/nGPvW - computerworld

The annual cost of cybercrime is about
$388 billion, including money and time
lost, said Brian Tillett, chief security
strategist at Symantec. That’s about $100
billion more than the global black market
trade in heroin, cocaine and marijuana
combined, he said.


http://goo.gl/A14px - symantec

Symantec’s Math
• $388bn =
• $114bn “cost” +
• $274bn “lost time”


http://goo.gl/qrmDn - detica

Cabinet Office
“In our most-likely scenario, we estimate
the cost of cyber crime to the UK to be
£27bn per annum”


http://goo.gl/eQcVS - itpro

ITpro
Cyber criminals will cost the UK economy
an estimated £1.9 billion in 2011,
according to a Symantec report.


$1000bn vs: $388bn vs: $114bn?

£27bn vs: £1.9bn ?


wtf?


http://goo.gl/AJMMX - cabinet office


“the £27bn report”


http://goo.gl/vKk3S - detica

The theft of Intellectual Property (IP) from business,
which has the greatest economic impact of any type of
cyber crime is estimated to be £9.2bn per annum. p18


This gave an overall figure for fiscal fraud by
cyber criminals of £2.2bn. p19


Our total estimate for industrial espionage
is £7.6bn p20


Overall, we estimate the most likely impact
[of online theft is] £1.3bn per annum, with the best
and worst case estimates £1.0bn and
£2.7bn respectively. p21


Cyber crime Economic impact

Identity theft £1.7bn

Online fraud £1.4bn

Scareware & fake AV £30m

p18

but...


“The proportion of IP actually stolen
cannot at present be measured with any
degree of confidence” p16


“It is very hard to determine
what proportion of industrial espionage
is due to cyber crime” p16


“Our assessments are necessarily based
on assumptions and informed judgements
rather than specific examples of
cybercrime, or from data of a classified
or commercially sensitive origin” p5


also, do you remember...


US: “malware is being introduced
at a rate of 55,000 pieces per day”


The UK version is...


http://goo.gl/YwjT0

You just have to look at some of the figures, in
fact over 50%, just about 51% of the malicious
software threats that have been ever identified,
were identified in 2009.

Theresa May, Today Programme, Oct 2010


http://goo.gl/vK331

Symantec
“Global Internet
Security Threat Report
- Trends for 2009”


In 2009, Symantec created 2,895,802 new malicious code
signatures (figure 10). This is a 71 percent increase over
2008, when 1,691,323 new malicious code signatures were
added. Although the percentage increase in signatures added
is less than the 139 percent increase from 2007 to 2008, the
overall number of malicious code signatures by the end of
2009 grew to 5,724,106. This means that of all the
malicious code signatures created by Symantec, 51
percent of that total was created in 2009. This is slightly
less than 2008, when approximately 60 percent of all
signatures at the time were created.


“code signatures” up 51%
therefore “malware” up 51% ?


it doesn’t work like that.


(hint: “polymorphic” malware)


So: 55,000/day ?


http://goo.gl/M09Ik

McAfee Threat Report:
Fourth Quarter 2010


Malware Reaches Record Numbers

Malicious code, in its seemingly infinite forms and ever expanding targets, is the largest
threat that McAfee Labs combats daily. We have seen its functionality increase every
year. We have seen its sophistication increase every year. We have seen the platforms
it targets evolve every year with increasingly clever ways of stealing data. In 2010
McAfee Labs identified more than 20 million new pieces of malware.

Stop. We’ll repeat that figure.

More than 20 million new pieces of malware appearing last year means that we
identify nearly 55,000 malware threats every day. That figure is up from 2009. That
figure is up from 2008. That figure is way up from 2007. Of the almost 55 million
pieces of malware McAfee Labs has identified and protected
against, 36 percent of it was written in 2010!


politicians & generals are using
glossy marketing reports
to bolster strategy?


UK Government response ?


2011: “£640m over 4 years”


OCSIA
Office of
Cyber Security and
Information Assurance


£640m
• cyberinvestment breakdown
• operational capabilities 65%
• critical infrastructure 20%
• cybercrime 9%
• reserve and baseline 5%


“...but the US is spending
$9bn* on cybersecurity;
are we spending enough?”
- Audience Member,
BCS Meeting Cyber Challenges of 2012

* Actually closer to $11bn


Of the £640m

9% (£58m) goes to cybercrime

65% (£416m) goes to
operational capabilities


do the proportions reflect
the perceived threats?


6
harmful to evolution of network security


there is clearly some reality
to cybersecurity


CNI: Critical National Infrastructure


CNI Events


1941: Battle of the Atlantic


1943: Dambusters


Gulf Wars: Iraq Power Stations


...pursuant to an invasion, or
with a kinetic component


“The Enemy will crash our systems
and then bomb us”


Maybe-CNI Events
• 2007: Estonia
• no banks, services, food
• 2009: Russia/Ukraine Gas
• people freezing


Non-CNI Events
• 2011: Aurora/GMail
• espionage
• who died?
• what service was lost?
• where did a bomb go off?


Nonetheless there is clearly
some risk of being blindsided


there is land-war


there is sea-war


there is air-war


so there is cyber-war...
but it should not dominate all strategy


compare: air supremacy


military cybersecurity?


You might ask:
where’s the harm in overall
cyberspace/security philosophy?


If not to the exclusion of all others?


1) expansion of the state


What’s a politician more likely
to tell the public?

1) “you’re on your own”
2) “we’re sorting it out for you”


Who is better to be responsible
for a family’s cybersecurity?

1) the family members
2) state cyber-police


2) interference in evolution/education


karmic cycle
• technologies change
• people complain
• problems arise
• people complain
• problems get fixed
• people complain


people always complain,
but they use and learn.


3) tunnel vision


eg: an alternative spending model


...it’s actually a terrible idea -
do not share this with people...


if we’re worried about viruses...


why not make anti-virus/anti-malware
available on the NHS?


free at the point of use


distributed to all citizens


pick what is suitable for your needs


run “flu jab”-like information campaigns


no huge centralised IT project


a great idea,
to the extent limited by
bureaucracy, goals and targets


ie: this specific idea would be doomed...


...and any Government project
to lead security would be likewise?


But if you could address security
efficiently, in a distributed manner...


then why instead spend
taxpayer money centrally?


Perhaps cybersecurity isn’t actually
about protecting the public?


Perhaps it’s about Government spending?


But that would mean it’s rubbish.


QED


discuss?


@alecmuffett


How To Think Clearly About Cybersecurity v2

More Related Content

Similar to How To Think Clearly About Cybersecurity v2

Recently uploaded

How To Think Clearly About Cybersecurity v2