The document discusses the concept of "cybersecurity" and argues that the common model of viewing cyberspace as a physical space is flawed and has been adopted by states in a way that is misguided. It asserts that this model promotes expensive and illiberal security strategies and greater state control over communication if not balanced with other perspectives. The document aims to critique the dominant metaphor of "cybersecurity" and suggest alternative ways of thinking about information and network security.
How To Think Clearly About Cybersecurity v1
@alecmuffett www.greenlanesecurity.com
2. how to think clearly
about (cyber) security
@alecmuffett
www.alecmuffett.com
green lane security
www.greenlanesecurity.com
3. how to think clearly about
security
4. how to think clearly about
cybersecurity
8. 1
there is a word cybersecurity
9. 2
this word is both a metaphor
and a model for thinking about
the challenges of information
and network security
10. 3
this model, with perhaps one exception,
is unsuited to describe the challenges of
information and network security
11. 4
this model has been adopted by
state actors as key to discussion
and/or strategic consideration
of information and network security
12. 5
strategy based upon this model
tends to be misconceived, expensive,
and of an illiberal nature
13. 6
unless diluted with other perspectives,
this model provides a lever for
greater state control over
information and network security
that will harm the evolution of the field
73. theft in realspace
• if I steal your phone
• you no longer have it
• it is gone
74. theft in cyberspace
• if I steal your data
• you still have it
• unless I also destroy your copies
• assuming you haven’t backed-up your data
• you no longer have secrecy
• not the same as “loss”
75. later debate:
is intellectual property theft
actually theft (ie: crime) ...
76. ... or is it like copyright infringement
and/or patent infringement
(ie: typically a tort)?
77. (ask a lawyer. pay him.)
92. a node/vertex/twitterer is a point
and is of zero dimension;
hence all twitterers are the same size
93. a line/edge/follow is that
which joins two nodes/twitterers
94. the degree of a twitterer
is the number of followers,
the number of people with whom
you communicate
95. the only metrics on twitter
• volume
• number of tweets
• indegree
• number of followers
• outdegree
• number of people you follow
96. so which of these three metrics
should trigger state regulation
of your twitterfeed -
regulation of what you may say?
97. if none, perhaps regulation should
pertain to the author & his message
rather than the medium
98. if the medium is irrelevant and open,
why discuss regulation of the medium
rather than of its users?
110. http://www.cpni.gov.uk/threats/cyber-threats/
Cyberspace lies at the heart of modern society; it impacts our personal
lives, our businesses and our essential services. Cyber security embraces
both the public and the private sector and spans a broad range of issues
related to national security, whether through terrorism, crime or industrial
espionage.
E-crime, or cyber-crime, whether relating to theft, hacking or denial of
service to vital systems, has become a fact of life. The risk of industrial
cyber espionage, in which one company makes active attacks on
another, through cyberspace, to acquire high value information is also
very real.
Cyber terrorism presents challenges for the future. We have to be
prepared for terrorists seeking to take advantage of our increasing
internet dependency to attack or disable key systems.
CPNI works with the Cabinet Office and lead Government departments and
agencies to drive forward the UK's cyber security programme to counter
these threats.
111. posit:
internet → communications
113. http://dropsafe.crypticide.com/article/4933
Telephoneworld lies at the heart of modern society; it impacts our
personal lives, our businesses and our essential services. Phone security
embraces both the public and the private sector and spans a broad range
of issues related to national security, whether through terrorism, crime or
industrial espionage.
E-crime, or phone-crime, whether relating to theft, hacking or denial of
service to vital systems, has become a fact of life. The risk of industrial
phone espionage, in which one company makes active attacks on
another, through Telephoneworld, to acquire high value information is
also very real.
Phone terrorism presents challenges for the future. We have to be
prepared for terrorists seeking to take advantage of our increasing
communications dependency to attack or disable key systems.
CPNI works with the Cabinet Office and lead Government departments and
agencies to drive forward the UK's phone security programme to counter
these threats.
114. The UK should dominate Telephoneworld
Cyberspace!
115. If cyberspace is communication...
116. to control communication:
• you must define it
• ...and/or...
• you must inhibit it
117. to define communication
• propaganda
• a bad word in government lingo
• also marketing & public relations
118. to inhibit communication
• censorship
• likewise a bad word
119. it’s safer for government to pretend
that cyberspace is a space
filled with bad people
123. sky → air force
124. cyberspace → up for grabs
125. to achieve dominance
the internet must be widely perceived
as a space which can be policed,
as a battleground in which war
may be prosecuted...
126. ...but what are its boundaries?
127. “Where are the boundaries of
British (etc) Cyberspace?”
128. depends on what you mean by:
“Boundary”
“British”
129. is British Cyberspace the union of
every Briton’s ability to communicate?
130. ...then Stephen Fry is very large indeed.
131. is cyberspace the boundary of storage
of every and all Britons’ data?
132. ...then British Cyberspace extends into
GMail and Facebook servers in the USA.
133. is British Cyberspace the sum over
digital/cyberactivities of all Britons?
134. ...then the State seeks to constrain
legal (or, non-criminal) activities
and amend/remove civil rights.
135. Government is curiously unwilling
to clarify this matter.
136. 5
“expensive, misconceived and illiberal”
138. http://goo.gl/MXCsG - computerworld
The cost of cybercrime to the global
economy is estimated at $1 trillion
[US General Keith] Alexander stated and
malware is being introduced at a rate of
55,000 pieces per day,
or one per second.
139. http://goo.gl/nGPvW - computerworld
The annual cost of cybercrime is about
$388 billion, including money and time
lost, said Brian Tillett, chief security
strategist at Symantec. That’s about $100
billion more than the global black market
trade in heroin, cocaine and marijuana
combined, he said.
141. http://goo.gl/qrmDn - detica
In our most-likely scenario, we estimate
the cost of cyber crime to the UK to be
£27bn per annum.
142. http://goo.gl/eQcVS - itpro
Cyber criminals will cost the UK economy
an estimated £1.9 billion in 2011,
according to a Symantec report.
147. http://goo.gl/vKk3S - detica
The theft of Intellectual Property (IP) from business,
which has the greatest economic impact of any type of
cyber crime is estimated to be £9.2bn per annum. p18
148. This gave an overall figure for fiscal fraud by
cyber criminals of £2.2bn. p19
149. Our total estimate for industrial espionage
is £7.6bn p20
150. Overall, we estimate the most likely impact
[of online theft is] £1.3bn per annum, with the best
and worst case estimates £1.0bn and
£2.7bn respectively. p21
154. “The proportion of IP actually stolen
cannot at present be measured with any
degree of confidence”
155. “It is very hard to determine
what proportion of industrial espionage
is due to cybercrime”
156. “Our assessments are necessarily based
on assumptions and informed judgements
rather than specific examples of
cybercrime, or from data of a classified
or commercially sensitive origin”
157. also, do you remember...
158. “malware is being introduced
at a rate of 55,000 pieces per day”
160. http://goo.gl/YwjT0
You just have to look at some of the figures, in
fact over 50%, just about 51% of the malicious
software threats that have been ever identified,
were identified in 2009.
Theresa May, Today Programme, Oct 2010
161. http://goo.gl/vK331
Symantec
“Global Internet
Security Threat Report
- Trends for 2009”
162. In 2009, Symantec created 2,895,802 new malicious code
signatures (figure 10). This is a 71 percent increase over
2008, when 1,691,323 new malicious code signatures were
added. Although the percentage increase in signatures added
is less than the 139 percent increase from 2007 to 2008, the
overall number of malicious code signatures by the end of
2009 grew to 5,724,106. This means that of all the
malicious code signatures created by Symantec, 51
percent of that total was created in 2009. This is slightly
less than 2008, when approximately 60 percent of all
signatures at the time were created.
163. “code signatures” up 51%
therefore “malware” up 51% ?
164. it doesn’t work like that.
168. Malware Reaches Record Numbers
Malicious code, in its seemingly infinite forms and ever expanding targets, is the largest
threat that McAfee Labs combats daily. We have seen its functionality increase every
year. We have seen its sophistication increase every year. We have seen the platforms
it targets evolve every year with increasingly clever ways of stealing data. In 2010
McAfee Labs identified more than 20 million new pieces of malware.
Stop. We’ll repeat that figure.
More than 20 million new pieces of malware appearing last year means that we
identify nearly 55,000 malware threats every day. That figure is up from 2009. That
figure is up from 2008. That figure is way up from 2007. Of the almost 55 million
pieces of malware McAfee Labs has identified and protected
against, 36 percent of it was written in 2010!
169. politicians & generals are using
glossy marketing reports
to bolster strategy
174. “...but the US is spending
$9bn* on cybersecurity;
are we spending enough?”
- Audience Member,
BCS Meeting Cyber Challenges of 2012
* Actually closer to $11bn
175. Of the £640m
9% (£58m) goes to cybercrime
65% (£416m) goes to
operational capabilities
176. maybe the proportions reflect
the actually perceived threats?
177. 6
harmful to evolution of network security
178. there is clearly some reality
to cybersecurity
195. You might ask:
where’s the harm
in cyber/space/security philosophy?
196. If not to the exclusion of all others?
197. 1) expansion of the state
198. What’s a politician more likely
to tell the public?
1) “you’re on your own”
2) “we’re sorting it out for you”
199. Who is better to be responsible
for a family’s cybersecurity?
1) the family members
2) state cyber-police
200. 2) interference in evolution/education
201. karmic cycle
• technologies change
• people complain
• problems arise
• people complain
• problems get fixed
• people complain