ASKING THE RIGHT QUESTIONS ABOUT CYBERSECURITY
Transcript of ASKING THE RIGHT QUESTIONS ABOUT CYBERSECURITY
![Page 1: ASKING THE RIGHT QUESTIONS ABOUT CYBERSECURITY](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b74c/html5/thumbnails/1.jpg)
ASKING THE RIGHT QUESTIONS ABOUT CYBERSECURITY
Dr Ian Brown, Senior Research Fellow
Oxford Internet Institute
![Page 2: ASKING THE RIGHT QUESTIONS ABOUT CYBERSECURITY](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b74c/html5/thumbnails/2.jpg)
![Page 3: ASKING THE RIGHT QUESTIONS ABOUT CYBERSECURITY](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b74c/html5/thumbnails/3.jpg)
HOW CAN WE…
Design and execute strategic responses that carefully target security threats, avoiding where possible tactical arms races?
Get the best return on security investment?
Build citizens' trust and maintain democratic legitimacy?
![Page 4: ASKING THE RIGHT QUESTIONS ABOUT CYBERSECURITY](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b74c/html5/thumbnails/4.jpg)
OUTLINE
Definitions and the scale of the threat
Graffiti, fraud, terror, war and espionage
Value at risk
Policy responses
Trust and democratic legitimacy
![Page 5: ASKING THE RIGHT QUESTIONS ABOUT CYBERSECURITY](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b74c/html5/thumbnails/5.jpg)
CYBER GRAFFITI
Defacement of Web sites with inadequate security
Mainly for propaganda and bragging
Increasingly used to distribute “drive-by” malware
![Page 6: ASKING THE RIGHT QUESTIONS ABOUT CYBERSECURITY](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b74c/html5/thumbnails/6.jpg)
CYBER FRAUD
A highly efficient criminal economy has sprung up (bot herders, coders, mules, phishermen)
Phishing (Symantec observed 207,547 unique phishing messages in the second half of 2007), with increased targeting
Denial of Service extortion (Symantec observed 5,060,187 bots in the second half of 2007)
Anti-Phishing Working Group Q2 2008 report
![Page 7: ASKING THE RIGHT QUESTIONS ABOUT CYBERSECURITY](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b74c/html5/thumbnails/7.jpg)
SCALE OF FRAUD
Internet Crime Complaint Center 2007 Annual Report p.3
Symantec Report on the Underground Economy 2008 p.49
![Page 8: ASKING THE RIGHT QUESTIONS ABOUT CYBERSECURITY](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b74c/html5/thumbnails/8.jpg)
CYBER TERROR
“Terrorists get better returns from much simpler methods such as car bombs. Cyberterror is too low key: not enough dead bodies result, and attacks are too complex to plan and execute.” (Bird 2006)
In reality the Internet is used for communications, research (CBRN information is poor: Stenersen 2007), propaganda, recruitment and belonging (Labi 2006, Shahar 2007) and tactical intelligence (US Army 2005)
![Page 9: ASKING THE RIGHT QUESTIONS ABOUT CYBERSECURITY](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b74c/html5/thumbnails/9.jpg)
CYBERWAR?
DDoS attacks on Estonian financial, media and government websites (April to May 2007) by Russian nationalist groups, after the relocation of a Soviet-era war memorial in Tallinn
"Complexity and coordination was new… series of attacks with careful timing using different techniques and specific targets" (NATO)
Arbor Networks monitored 128 distinct attacks, ten of them lasting over 10 hours, with traffic peaking at 90 Mbps
![Page 10: ASKING THE RIGHT QUESTIONS ABOUT CYBERSECURITY](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b74c/html5/thumbnails/10.jpg)
CYBER ESPIONAGE
Incursions into the US DoD, the German Chancellery, Whitehall, NASA, Lockheed Martin…
“Chinese attackers are using custom Trojan horse software targeted at specific government offices, and it is just walking through standard defences. Many government offices don’t even know yet that they are leaking information. 99% of cases are probably still not known.” (NATO)
“Intrusion detection systems react to obvious signatures such as lots of traffic from one IP address – so onion routing and botnets are used to disguise the origin of intrusions.” (Sommer)
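The quotation above makes a point about detection that is easy to state and easy to get wrong in practice: a per-source threshold catches the host that floods you from one address, and a botnet or an onion-routed source that spreads the same load across many addresses slips under it. The Python below is an added illustration (not part of the original slides) that runs two detectors over constructed access-log lines: a per-IP threshold of the classic kind, and a per-target aggregate check that counts total requests and distinct sources per window. The log format, the thresholds, the target host and the IP ranges (RFC 5737 documentation addresses) are all assumptions for illustration.

```python
"""Two DDoS detectors over constructed web-server access-log lines.

Added example, not from the talk.  Log format ("<unix_ts> <src_ip> <dst_host>
<path>"), the IP ranges (RFC 5737 documentation addresses) and the thresholds
are all assumptions for illustration."""
from collections import defaultdict

DST = "www.example.gov"          # assumed target host


def parse(line: str):
    """Split one constructed log line into (timestamp, source IP, target host)."""
    ts, src, dst, _path = line.split()
    return int(ts), src, dst


def per_source_alerts(lines, limit: int = 50, window: int = 60):
    """Per-IP signature: flag any source sending more than `limit` requests in
    one `window`-second bucket.  This is the 'lots of traffic from one IP
    address' rule that distributed sources are designed to slip under."""
    counts = defaultdict(int)
    for line in lines:
        ts, src, _ = parse(line)
        counts[(src, ts // window)] += 1
    return sorted({src for (src, _), n in counts.items() if n > limit})


def per_target_alerts(lines, rate_limit: int = 200, window: int = 60,
                      min_sources: int = 20):
    """Aggregate view: per target host and window, total requests and the
    number of distinct sources.  A flood spread across many addresses keeps
    every per-IP count low but cannot hide the total hitting the target."""
    hits = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        ts, src, dst = parse(line)
        key = (dst, ts // window)
        hits[key] += 1
        sources[key].add(src)
    flagged = set()
    for key, n in hits.items():
        if n > rate_limit and len(sources[key]) >= min_sources:
            flagged.add(key[0])
    return sorted(flagged)


def make_log(src_ips, per_source: int, dst: str = DST):
    """Constructed traffic: `per_source` requests from each IP, with timestamps
    spread over a single 60-second window."""
    lines = []
    for ip in src_ips:
        for _ in range(per_source):
            lines.append(f"{len(lines) % 60} {ip} {dst} /index.html")
    return lines


# Background: five ordinary clients, ten requests each (constructed).
NORMAL = make_log([f"198.51.100.{i}" for i in range(1, 6)], 10)
# Flood from one host: 120 requests from a single address.
SINGLE_SOURCE = NORMAL + make_log(["203.0.113.7"], 120)
# Botnet-style flood: 250 addresses, two requests each, every one under the per-IP limit.
BOTNET = NORMAL + make_log([f"192.0.2.{i}" for i in range(1, 251)], 2)

if __name__ == "__main__":
    for name, log in [("normal", NORMAL), ("single", SINGLE_SOURCE), ("botnet", BOTNET)]:
        print(name, "per-source:", per_source_alerts(log),
              "per-target:", per_target_alerts(log))
```

Run stand-alone, the single-source flood is reported only by the per-IP rule and the botnet flood only by the per-target rule; neither fires on the background traffic. The practical lesson is that the two views are complementary, and that a per-target view needs its own distinct-source count so that one noisy client is not mistaken for a distributed attack.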
![Page 11: ASKING THE RIGHT QUESTIONS ABOUT CYBERSECURITY](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b74c/html5/thumbnails/11.jpg)
OUTLINE
Definitions and the scale of the threat
Graffiti, fraud, terror, war and espionage
Value at risk
Policy responses
Trust and democratic legitimacy
![Page 12: ASKING THE RIGHT QUESTIONS ABOUT CYBERSECURITY](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b74c/html5/thumbnails/12.jpg)
OUR REAL GOALS
Availability & integrity of Critical National Infrastructure
Protection of confidential information
Manageable levels of fraud
…all in cost-effective form, where costs include inconvenience, enhancement of fear, negative economic impacts and reduction of liberties
![Page 13: ASKING THE RIGHT QUESTIONS ABOUT CYBERSECURITY](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b74c/html5/thumbnails/13.jpg)
GOVERNMENTAL RESPONSES
Protecting government infrastructure: $294m requested by DHS for FY2009; $6bn requested for the NSA initiative
Critical infrastructure programmes, e.g. CPNI, InfraGard
Law enforcement response, e.g. PCeU (Police Central e-crime Unit); the FBI has 800+ full-time agents and received 320,000 complaints in 2007
Updating legislation – Council of Europe Cybercrime Convention
![Page 14: ASKING THE RIGHT QUESTIONS ABOUT CYBERSECURITY](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b74c/html5/thumbnails/14.jpg)
CROSS-GOVERNMENT ACTION
Fund security R&D with INFOSEC agency participation
Use procurement, licensing and standardisation power to require significantly higher security standards in systems and services
Use diplomacy to pressure state actors behind Russian Business Network, DDoS attacks, classified network incursions etc.
![Page 15: ASKING THE RIGHT QUESTIONS ABOUT CYBERSECURITY](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b74c/html5/thumbnails/15.jpg)
REDISTRIBUTING LIABILITY
The House of Lords (Science and Technology Committee) concluded that liability must be shifted to some combination of software vendors, ISPs and financial institutions
Intended to incentivise innovations such as RBS's offline consumer card reader for authenticating online banking transactions
![Page 16: ASKING THE RIGHT QUESTIONS ABOUT CYBERSECURITY](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b74c/html5/thumbnails/16.jpg)
BETTER SECURITY ENGINEERING
Least-privilege processes, enforced by a formally verified security kernel
Verification of device security before providing network connectivity
Two-factor authentication
Full disk encryption, especially for removable media
Perimeter controls to block sensitive data exfiltration
Air-gap the most sensitive systems, e.g. SCADA; separate public-facing websites from internal systems
![Page 17: ASKING THE RIGHT QUESTIONS ABOUT CYBERSECURITY](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b74c/html5/thumbnails/17.jpg)
OUTLINE
Definitions and the scale of the threat
Graffiti, fraud, terror, war and espionage
Value at risk
Policy responses
Trust and democratic legitimacy
![Page 18: ASKING THE RIGHT QUESTIONS ABOUT CYBERSECURITY](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b74c/html5/thumbnails/18.jpg)
TRUST IS FRAGILE
"Trust is built over the long term, on the basis not of communication but of action. And then again, trust, once established, can be lost in an instant" – Neil Fitzgerald, Chairman, Unilever
![Page 19: ASKING THE RIGHT QUESTIONS ABOUT CYBERSECURITY](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b74c/html5/thumbnails/19.jpg)
SHORT-TERM TRUST
• Reputation of the organising institution
• Opinions in the mass media about technologies
• Attitudes and opinions of friends and family
• Convenience the system brings (Oostveen 2007)
![Page 20: ASKING THE RIGHT QUESTIONS ABOUT CYBERSECURITY](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b74c/html5/thumbnails/20.jpg)
TRUST IN GOVERNMENT
![Page 21: ASKING THE RIGHT QUESTIONS ABOUT CYBERSECURITY](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b74c/html5/thumbnails/21.jpg)
LONGER-TERM LEGITIMACY
• Informed, democratic consent
• Do citizens and their representatives have full information on costs and benefits?
• Privacy Impact Assessment?
• Compatibility with human rights (S & Marper v UK, Liberty v UK, I v Finland)
• Continued legislative and judicial oversight and technological constraint
• Privacy by Design
![Page 22: ASKING THE RIGHT QUESTIONS ABOUT CYBERSECURITY](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b74c/html5/thumbnails/22.jpg)
CREDIBLE IMPACT ASSESSMENT
• Risk must be quantified to be meaningful, even for low-probability high-impact events
• How strong is evidence that “solution” will work?
• How widely do stakeholders agree that cost << benefit? Include direct cost, inconvenience, enhancement of fear, negative economic impacts, reduction of liberties
• “Any analysis that leaves out such considerations is profoundly faulty, even immoral” (Mueller 2008)
![Page 23: ASKING THE RIGHT QUESTIONS ABOUT CYBERSECURITY](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b74c/html5/thumbnails/23.jpg)
STRATEGIC IMPACT
Do systems damage societies’ key values e.g. by censoring websites or undertaking warrantless wiretaps?
“Techniques that look at people's behavior to predict terrorist intent are so far from reaching the level of accuracy that's necessary that I see them as nothing but civil liberty infringement engines.” –Jeff Jonas, Chief Scientist, IBM Entity Analytics
![Page 24: ASKING THE RIGHT QUESTIONS ABOUT CYBERSECURITY](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b74c/html5/thumbnails/24.jpg)
HOW NOT TO DO IT
• “We really don't know a whole lot about the overall costs and benefits of homeland security” –senior DHS economist Gary Becker (2006)
• “Policy discussions of homeland security issues are driven not by rigorous analysis but by fear, perceptions of past mistakes, pork-barrel politics, and insistence on an invulnerability that cannot possibly be achieved.” – Jeremy Shapiro (2007)
• “Finding out other people’s secrets is going to involve breaking everyday moral rules.” –David Omand (2009)
![Page 25: ASKING THE RIGHT QUESTIONS ABOUT CYBERSECURITY](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b74c/html5/thumbnails/25.jpg)
KEY QUESTIONS
How can we target security interventions to maximise long-term RoI?
How can law enforcement best work with partners across government and industry to reduce damage?
Are we getting the right balance between reducing vulnerabilities, increasing availability and monitoring/response?
![Page 26: ASKING THE RIGHT QUESTIONS ABOUT CYBERSECURITY](https://reader036.fdocuments.in/reader036/viewer/2022062322/5681469f550346895db3b74c/html5/thumbnails/26.jpg)
REFERENCES
Juliette Bird (2006) Terrorist Use of the Internet, The Second International Scientific Conference on Security and Countering Terrorism Issues, Moscow State University Institute for Information Security Issues
Nadya Labi (2006) Jihad 2.0, Atlantic Monthly, Jul/Aug, pp. 102–107
John Mueller (2008) The Quixotic Quest for Invulnerability, International Studies Association, New York
A. M. Oostveen (2007) Context Matters: A Social Informatics Perspective on the Design and Implications of Large-Scale e-Government Systems, PhD thesis, University of Amsterdam
Yael Shahar (2007) The Internet as a Tool for Counter-Terrorism, Patrolling and Controlling Cyberspace, Garmisch
Anne Stenersen (2007) Chem-bio Cyber-class: Assessing Jihadist Chemical and Biological Weapons, Jane's Intelligence Review, Sep