Finally Cyber Security makes it to the top table

Introduction

We have spent years here promoting the need for change in our approach to our cyber infrastructure, and it's been a long slog, especially getting UK/Scottish politicians to see it as a major issue. So it was great to see President Obama including Cyber Security in his State of the Union address.

You may agree and disagree with some of the things that he says, but he is providing leadership, and breaking through some of the naive thinking that the debate around the rights to privacy and the rights of society to protect itself has a simple quick fix of banning encryption and listening to everyone's communications.

We should all know by now that we are in the Cyber Age, and the Internet we have created has just passed its infancy stage - with some teething problems but we are mainly sorted - and now is the time when we'll really start to use it for the betterment of the whole of society. To put on the brakes now could derail many of the advancements we have made, and drive our economy backwards. With the Internet there should be no boundaries, and no area of our lives can remain untouched, especially in the reforms of our public services and in the support of our business infrastructure.

Few technologies have ever provided such benefits to all as the Internet, or been so inclusive, so we are now entering a time when the decisions made now will lay the foundation of the future. One thing that has become apparent is that the notion of physical boundaries and checkpoints, where governments could control the flow of information, is receding fast, and that governments are losing any form of control on limiting its scope.

Cyber Security at the top table

Nations around the world are now seeing their cyber infrastructure as one of the key elements that could be used by a range of actors to perform warfare in a way that was not possible in the past:

"No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids," he said. "We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism."

He is thus highlighting that cyber space is just as important a part of our defensive infrastructure as our traditional defence, and that virtualised ammunition is just as potent as the physical kind. The Sony hack highlighted the opportunities around large-scale theft of secrets that any organisation could be open to. As long as one can get physical access to a network infrastructure, there is the threat of large-scale data loss. In the times of pen-and-paper, we could lock secrets away in vaults; these days, organisations often have no idea about where all their secrets are kept, and who could get access to them.

The need to freshen the laws on cyber attacks is also highlighted by:

... to pass legislation that would protect the nation’s infrastructure against cyber attacks and identity theft, legislation that the president has attempted to push through Congress several times without success.

as the legal system is often too slow to keep itself up to date with fast-moving technology, but, unfortunately, this can often be fairly scattergun in its approach.

A particular problem in legislation relates to the actual linkage between the perceived usage of IT systems and their technical nature. For example, in some organisations the usage of ping is barred, as it can be used to discover the network, whereas it is also used on a continual basis by admin staff to debug network problems. Also, the skills gap is widening between the possible attackers and defenders, and it is key that we create a workforce which can keep up with the range of threats that organisations are faced with. It would be hoped that we could start to build virtualised infrastructures where a wide range of the key stakeholders can learn to cope with attacks.

The President also highlights the tension currently in the debate between privacy and the rights of society with:

... as Americans, we respect human dignity, even when we're threatened, "which is why I've ... worked to make sure our use of new technology like drones is properly constrained."

and then highlights the tension even more by highlighting civil liberties along with the rights to fight against terrorist networks:

Americans cherish civil liberties, and emphasized that government must uphold that commitment to gain maximum cooperation from other countries and industry in the fight against terrorist networks.

There is no answer here, just two sides of the argument. Civil liberties in this context focus on the fight against terrorism, and less on the rights to privacy. One saving grace is that surveillance programs will be more open in their scope, so, at least, the debate can continue around the rights of privacy:

"So while some have moved on from the debates over our surveillance programs, I haven't," he said. "As promised, our intelligence agencies have worked hard, with the recommendations of privacy advocates, to increase transparency and build more safeguards against potential abuse."

The bottom line in this debate is the move towards encryption by default on devices and with network communication, and the worry that defence agencies will not be able to intercept communications.

In Cyber space ... it's privacy v. surveillance

John Shinal, in USA Today, crystallises the two ends of the spectrum in the debate outlined by The President, with:

Banning encryption is digital equivalent of banning books

and outlines the case for society to survey its people in order to keep them safe:

Cameron wrapped his proposal in a speech that stated that the most important thing a government can do for its people is to keep them safe.

but then weighs in on the other side of the argument:

I would argue to Cameron that the most important thing a democracy can do for its people is to keep them free.

John puts his point well, and, in a literary way, goes from the book burning thoughts of Ray Bradbury in Fahrenheit 451, to the state-observing notions of George Orwell in 1984. One thing is for sure: this debate has only just begun, and no side actually has a completely watertight solution to this. One thing I know is that there are a lot of smart people working in cyber security, and the lack of ability to read everyone’s communications will not actually stop them from investigating crime in other ways. Like it or not, we leave traces of our activity all over the Internet, and it is these traces that investigations will often use to pinpoint malicious intent.

Figure 1: John Shinal's viewpoint invokes thoughts around Fahrenheit 451 and 1984

The art of investigation has been around for thousands of years, and, in the time before the Internet, listening to someone’s telephone conversation was only one way to investigate someone suspected of a crime. The concept of investigators listening to every telephone conversation, no matter if the callers were guilty or not, would send shivers down anyone’s spine. It is only now possible for this to happen, with the Internet, and on a scale never quite imagined.

Innovation in Cyber Security, especially by SMEs, will be at the core of the development of new tools which aim to keep in step with adversaries. Large companies often struggle to innovate, as they have long processes of approval, and are often risk averse in their nature. So a collaborative approach is the only solution, with a range of organisations working together to match the fast pace of those who aim to do damage within our society, especially as the Internet has opened up new ways to inflict pain and suffering on others. On the other hand, the Internet is the most amazing structure we have ever built, and we shouldn't damage it, or we will limit its future potential.

Conclusions

There is no steer in the address about how surveillance can continue, and how the rights to privacy - a civil liberty - can be protected. It's a difficult problem, but it's one that needs to be addressed soon, as the same system which can be used to survey can be used by others for other purposes. It should be remembered that the spying tools in the hands of defence forces are the same that others will have.

One thing, hopefully, is that the UK/Scottish politicians and senior government officials will start to put it higher up their agenda, in the same way that many businesses have. It's also a debate for everyone to get involved with, especially as we become more dependent on the Internet, and any move to control the Internet by any organisation/government will have serious consequences, in the same way that a disruption in our energy supply would have on our lives.

We have seen a transformation in our lives, and for the first time the politicians are actually seeing that the protection of our infrastructure is now key, which most people would agree with. It is the key areas around surveillance and the rights to privacy that need to be addressed soon. Whether a grand idea is actually technically feasible is another thing, and the worry is that the politicians will care more about sound bites than the actual detail of the policy. The rights of individuals on the Internet are being debated now, and the decisions made now will shape its future.

No country in the world can really fully control the operation of the Internet, but each country can do its best to make full use of it, and bring opportunities to every citizen on this planet!

I'm a technologist, and keen to fix the problems in the existing Internet, so all that can be asked for is that this is not a simple debate, and really there needs to be a separation of all the issues. For cyber defence ... there's a strong need for reliance, especially to protect our business infrastructure, but for restrictions on encryption, that's a whole different debate. At least, in the US, there's some open debate, from both sides, as that is what free speech is all about.

Brian Lawes

ServiceNow Senior Technical Architect at Clear Skye

9 years ago

Great post Bill! Personally I felt that Cameron's reaction of banning encrypted communications was a massive oversight, if that could possibly be accomplished I'm pretty sure it would be impossible to monitor and enforce. This debate will no doubt go on for some time, in the meantime our efforts as a nation should surely be targeted towards securing our business/education/health networks.
