1 / 26

ASKING THE RIGHT QUESTIONS ABOUT CYBERSECURITY

ASKING THE RIGHT QUESTIONS ABOUT CYBERSECURITY. Dr Ian Brown, Senior Research Fellow Oxford Internet Institute. HOW CAN WE…. Design and execute strategic responses that carefully target security threats, avoiding where possible tactical arms races? Get the best return on security investment?

senta
Download Presentation

ASKING THE RIGHT QUESTIONS ABOUT CYBERSECURITY

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. ASKING THE RIGHT QUESTIONS ABOUT CYBERSECURITY Dr Ian Brown, Senior Research Fellow Oxford Internet Institute

  2. HOW CAN WE… • Design and execute strategic responses that carefully target security threats, avoiding where possible tactical arms races? • Get the best return on security investment? • Build citizens’ trust and maintain democratic legitimacy?

  3. OUTLINE • Definitions and the scale of the threat • Graffiti, fraud, terror, war and espionage • Value at risk • Policy responses • Trust and democratic legitimacy

  4. CYBER GRAFFITI • Defacement of Web sites with inadequate security • Mainly for propaganda and bragging • Increasingly used to distribute “drive-by” malware

  5. CYBER FRAUD • Highly efficient criminal economy has sprung up (bot herders, coders, mules, phishermen) • Phishing (Symantec observed 207,547 unique phishing messages 2H 2007) – with increased targeting • Denial of Service extortion (Symantec observed 5,060,187 bots 2H 2007) Anti-Phishing Working Group Q2 2008 report

  6. SCALE OF FRAUD Internet Crime Complaint Center 2007 Annual Report p.3 Symantec Report on the Underground Economy 2008 p.49

  7. CYBER TERROR • “Terrorists get better returns from much simpler methods such as car bombs. Cyberterror is too low key: not enough dead bodies result, and attacks are too complex to plan and execute.” (Bird 2006) • Reality is use for communications, research (CBNR info poor - Stenersen 2007), propaganda, recruitment and belonging (Labi 2006 and Shahar 2007), tactical intel (US Army 2005)

  8. CYBERWAR? • Attacks on Estonian finance, media and govt websites by Russian nationalist groups after statue moved • “Complexity and coordination was new… series of attacks with careful timing using different techniques and specific targets” (NATO) • Arbor Networks monitored 128 distinct attacks, with 10 lasting over 10 hours and reaching 90Mbps

  9. CYBER ESPIONAGE • Incursions into DoD, German chancellory, Whitehall, NASA, Lockheed Martin… • “Chinese attackers are using custom Trojan horse software targeted at specific government offices, and it is just walking through standard defences. Many government offices don’t even know yet that they are leaking information. 99% of cases are probably still not known.” (NATO) • “Intrusion detection systems react to obvious signatures such as lots of traffic from one IP address – so onion routing and botnets are used to disguise the origin of intrusions.” (Sommer)

  10. OUTLINE • Definitions and the scale of the threat • Graffiti, fraud, terror, war and espionage • Value at risk • Policy responses • Trust and democratic legitimacy

  11. OUR REAL GOALS • Availability & integrity of Critical National Infrastructure • Protection of confidential information • Manageable levels of fraud • …all in cost-effective form, where costs include inconvenience, enhancement of fear, negative economic impacts & reduction of liberties

  12. GOVERNMENTAL RESPONSES • Protecting govt infrastructure – $294m requested by DHS for 2009; $6bn requested for NSA initiative • Critical infrastructure programmes – e.g. CPNI, InfraGard • Law enforcement response – e.g. PCeU; FBI has 800+ full-time agents, received 320,000 complaints in 2007 • Updating legislation – Council of Europe Cybercrime Convention

  13. CROSS-GOVERNMENT ACTION • Fund security R&D with INFOSEC agency participation • Use procurement, licensing and standardisation power to require significantly higher security standards in systems and services • Use diplomacy to pressure state actors behind Russian Business Network, DDoS attacks, classified network incursions etc.

  14. REDISTRIBUTING LIABILITY • House of Lords concluded liability must be shifted to some combination of software vendors, ISPs and financial institutions • Intended to incentivise innovations such as RBS off-line consumer card terminal

  15. BETTER SECURITY ENGINEERING • Least-privilege processes, enforced by formally verified security kernel • Verification of device security before providing network connectivity • Two-factor authentication • Full Disk Encryption esp. for removable media • Perimeter controls to block sensitive data exfiltration • Air-gap most sensitive systems eg SCADA; separate public-facing websites from internal systems

  16. OUTLINE • Definitions and the scale of the threat • Graffiti, fraud, terror, war and espionage • Value at risk • Policy responses • Trust and democratic legitimacy

  17. TRUST IS FRAGILE • “Trust is built over the long term, on the basis not of communication but of action. And then again, trust, once established, can be lost in an instant” -Neil Fitzgerald, Chairman, Unilever

  18. SHORT-TERM TRUST • Reputation of the organising institution • Opinions in the mass media about technologies • Attitudes & opinions of friends and family • Convenience system brings (Oostveen 2007)

  19. TRUST IN GOVERNMENT

  20. LONGER-TERM LEGITIMACY • Informed, democratic consent • Do citizens and their representatives have full information on costs & benefits? • Privacy Impact Assessment? • Compatibility with human rights (S & Marper v UK, Liberty v UK, I v Finland) • Continued legislative and judicial oversight and technological constraint • Privacy by Design

  21. CREDIBLE IMPACT ASSESSMENT • Risk must be quantified to be meaningful, even for low-probability high-impact events • How strong is evidence that “solution” will work? • How widely do stakeholders agree that cost << benefit? Include direct cost, inconvenience, enhancement of fear, negative economic impacts, reduction of liberties • “Any analysis that leaves out such considerations is profoundly faulty, even immoral” (Mueller 2008)

  22. STRATEGIC IMPACT • Do systems damage societies’ key values e.g. by censoring websites or undertaking warrantless wiretaps? • “Techniques that look at people's behavior to predict terrorist intent are so far from reaching the level of accuracy that's necessary that I see them as nothing but civil liberty infringement engines.” –Jeff Jonas, Chief Scientist, IBM Entity Analytics

  23. HOW NOT TO DO IT • “We really don't know a whole lot about the overall costs and benefits of homeland security” –senior DHS economist Gary Becker (2006) • “Policy discussions of homeland security issues are driven not by rigorous analysis but by fear, perceptions of past mistakes, pork-barrel politics, and insistence on an invulnerability that cannot possibly be achieved.” – Jeremy Shapiro (2007) • “Finding out other people’s secrets is going to involve breaking everyday moral rules.” –David Omand (2009)

  24. KEY QUESTIONS • How can we target security interventions to maximise long-term RoI? • How can law enforcement best work with partners across government and industry to reduce damage? • Are we getting the right balance between reducing vulnerabilities, increasing availability and monitoring/response?

  25. REFERENCES • Juliette Bird (2006) Terrorist Use of the Internet, The Second International Scientific Conference on Security and Countering Terrorism Issues, Moscow State University Institute for Information Security Issues • Nadya Labi (2006) Jihad 2.0, Atlantic Monthly pp.102—107, Jul/Aug • John Mueller (2008) The quixotic quest for invulnerability, International Studies Association, New York • AM Oostveen (2007) Context Matters: A Social Informatics Perspective on the Design and Implications of Large-Scale e-Government Systems, PhD thesis, Amsterdam University • Yael Shahar (2007) The Internet as a Tool for Counter-Terrorism, Patrolling and Controlling Cyberspace, Garmisch • Anne Stenersen (2007) Chem-bio cyber-class – Assessing jihadist chemical and biological weapons, Jane’s Intelligence Review, Sep

More Related