21 February 2012

CyberFloss

Yet another recitation of superficial conventional wisdom about 'cybersecurity', this time in 'Cyber-security: the vexed question of global rules: An independent report on cyber-preparedness around the world' [PDF] by Brigid Grauman at Security Defence Agenda [sic] under the auspices of McAfee.

The 104-page report claims to present "the risks and threats associated with the rising use of the internet to access personal and professional information". The author, a journalist whose work has appeared in the FT and other publications (e.g. articles on art fairs, tourism, film directors, and molecular gastronomy), indicates that it is
made up of a survey of some 250 leading authorities worldwide and of interviews carried out in late 2011 and early 2012 with over 80 cyber-security experts in government, companies, international organisations and academia. It offers a global snapshot of current thinking about the cyber-threat and the measures that should be taken to defend against it, and assesses the way ahead.

It is aimed at the influential layperson, and deliberately avoids specialised language. For the moment, the "bad guys" have the upper hand – whether they are attacking systems for industrial or political espionage reasons, or simply to steal money – because the lack of international agreements allows them to operate swiftly and mostly with impunity. Protecting data and systems against cyber-attack has so far been about dousing the flames, although recently the focus has been shifting towards more assertive self-protection.
No great revelations there, and the "influential layperson" might be better off looking at OECD studies, Australian parliamentary committee cyber-security reports or some of the writing by figures such as Bruce Schneier, not least because Schneier emphasises both the ICT and 'wetware' aspects of security and moves beyond a simplistic awarding of gold stars.

The report's recommendations are anodyne -
1. Build trust between industry and government stakeholders by setting up bodies to share information and best practices, like the Common Assurance Maturity Model (CAMM) and the Cloud Security Alliance (CSA).
2. Increase public awareness of how individuals can protect their own internet data, and promote cyber-security education and training.
3. New problems and opportunities created by smart phones and cloud computing must be examined. Cloud computing needs an appropriate architecture to achieve optimum security levels.
4. Prioritise information protection, knowing that no one size fits all. The three key goals that need to be achieved are confidentiality, integration and availability in different doses according to the situation.
5. Consider establishing cyber-confidence building measures as an alternative to a global treaty, or at least as a stopgap measure, knowing that many countries view a treaty as unverifiable, unenforceable and impractical.
6. Improve communication between the various communities, from policy-makers to technological experts to business leaders both at national and international levels.
7. Enhance attribution capabilities by investing in new technologies, and establishing rules and standards.
8. Follow the Dutch model of a third party cyber-exchange for improved private-public partnership on internet security.
9. Despite the many practical hurdles in the way of transparency, both for private companies and for governments, find ways of establishing assurance – or trust – through the use of security mechanisms and processes.
10. Move the ball forward and encourage integration of cyber into existing processes and structures. Make sure cyber considerations and investment are present at every level.
One of my more acerbic ICT contacts added three further recommendations -
11. Take a cut lunch and a spare set of socks
12. Wear clean underwear
13. Be nice to your dad, mum and - of course - the PA who knows where the cybersecurity skeletons are buried
Some sense of the report is provided by the snapshot on Australia -
Until late 2011 Australia's Attorney General was in charge of cyber-security policy and of streamlining work between government departments and setting up information groups to discuss problems like critical infrastructure protection. However since December the responsibility is in the hands of Prime Minister Julia Gillard in a move to consolidate whole-of-government responsibilities, according to a spokesperson for her department.

Interviewed before the reshuffle, Ed Dawson of Queensland University of Technology said cyber-security policy involved most big companies but that on the downside the private sector is loath to take responsibility and spend money. A Cyber White Paper, issued in late 2011, focused on how to bring together the various stakeholders.

"With electricity for instance", Dawson continued, "we'll have the distributor saying that cyber-security is the responsibility of the power generators. It's like they're waiting for an accident to happen." The government has proposed to partly fund projects in the area of critical infrastructure.

Australia's funding policy on the whole gets good marks. Queensland University of Technology is currently engaged in two large projects. The first, co-funded by India (to the tune of A$4.4 million) is researching denial-of-service attacks. "We're trying to see what sort of attacks are feasible and we're developing mechanisms like cryptography to guard against them", says Dawson. The other is a five year project on airport security worth A$5 million.

The Australian Department of Defence's Cyber-Security Operations Centre (CSOC) provides threat detection and mitigation for government departments and agencies, and the Department is recruiting an extra 130 cyber-security experts to work there.

The country is also promoting a voluntary code of conduct for ISPs to educate customers, offer better online protection, and quarantine infected users. "The problem with voluntary codes is their uneven application," says Tim Scully, CEO of stratsec and Head of Cyber-Security at BAE Systems Australia. The Australian Communications and Media Authority has a list of blacklisted sites, and requires Australian ISPs to filter them.

Communications Minister Stephen Conroy says that the blacklist targets only illegal sites, but some feel that the scope of the censored content is too broad. "Selling cyber security regulations is a brave thing for a government to do," says Scully, citing the public outcry at the government’s attempts to introduce internet censorship to protect children from porn. In a country where most people are hostile to the idea of carrying ID papers, privacy is high on the agenda.
No evaluation of whether consolidation of whole-of-government responsibilities was needed and is working. No critique of the Cyber White Paper. No indication that Dawson is representative of the 'cyber-security community' or offers a uniquely authoritative insight into Australian public/private sector practice. No reference to law, whether domestic or in relation to Australian adherence to global cyber-security agreements such as the Council of Europe Cybercrime Convention. No data on the incidence and severity of cyber-security problems in Australia. No indication of whether the government's proposal to "partly fund projects" is meaningful. No indication of whether there is any cyber-security research outside QUT.

All in all - in my opinion - a report on which the conscientious "informed layperson" need not waste her time. It's not much better than the piece of brightly-coloured and not-nutritious cyberfloss known as the Norton Cybercrime Report noted here last year.