Worse than Cheese: Scary Scenarios Causing Nightmares Now – the Five Main Issues of IT Security.
I recently found myself wondering how many interviews with the press I do every month. Of course the totals fairly helter skelter between months, but in the busier periods the number can get anywhere up to 70! And that’s only spoken interviews, i.e., those done in person or over the phone. If I were to also include e-mail interviews – the number would be just silly.
But I don’t complain. In fact just the opposite – I love interviews! Which reminds me of Richard Branson and his simple rule about interviews: “If CNN rings me up and wants to do an interview with me, I’ll drop everything to do it.” I also follow this rule – to the letter – and not without good reason.
Most interviews are what you’d expect. I get asked lots of questions, I answer them as best I can, and that’s about it.
But in a very few rare instances I get interviewed by a really well read-up journalist, meticulous to the point of hair-splitting, who not only knows all about me and KL and what we do, but also all about the particular narrow topic the interview’s about. By the end of the allotted hour I’m exhausted, the mind’s pretty much frazzled, and I feel like my very soul’s been extracted together with my long-winded answers to the sophisticated questions.
These are the trickiest and most trying kinds of interviews, but also the most useful. Why? Because during such intense sessions the gray matter inside the skull shifts up a gear or three and really gets to work, thinking in new ways and approaching familiar topics from fresh standpoints – to such an extent that after the end of the interview the momentum keeps the ideas coming, leading to all sorts of new insights. All really quite fascinating how creative cognition comes about. And all kicked-off by super-sharp reporters doing their job masterfully. Respect due. And a thank you!
Curiously, what unites such “special” interviews with regular ones is an inevitable question about the most pressing IT Security issues today – something like: “What keeps you up at night (in terms of IT Security hazards)?”! And I don’t get asked this all the time just by journalists in interviews. The question pops up at practically every IT conference I speak at.
And so: as promised earlier, here I’m presenting my List of the Five Main Issues Facing IT Security, in the broad sense of the term.
I should say straight away that I don’t have prescriptions for solving all five issues. The aim of this post is more to identify the problems, let you start to muse on them, and hopefully draw you into the fold of their ongoing discussion by raising your interest, empathy and/or sympathy!
Right, here’s my list:
By this I mean the privacy of one’s personal life and all that goes on in it on the Internet.
Today’s threats to the inviolability of one’s private life are nothing like what they used to be, having made the maintainability of a modicum of a privacy practically impossible. However, at the same time, thankfully, more and more folks are starting to grasp just how massive the volume of information about them is that’s saved on the Internet, be that from the papers they read, or even the “fictional” TV serials they watch (like, say, 24 or Spooks, in which mountains of anyone’s personal data are instantly obtainable with a few clicks of a mouse (“copy that”)).
Personal data dissemination starts with the voluntary transfer of personal details to different Internet services, and continues via the tracking of every flight you take and every credit card purchase you make, right through to the logging of your physical movement around big cities, the telephone conversations you make, the e-mail correspondence you send and receive, and more.
Another slant on the privacy issue cropped up not so long ago when thousands of leaked text messages of the Russian cell provider Megafon became viewable via the Yandex search engine. Imagine that! All your personal SMSs on show for all to see! Such unintended leaks of private data are bound to occur again in the future.
So you get the picture: the volume of information that accumulates on the www about all of us really is extreme, and may not always be secure. But besides the huge potential danger to each and every one of us individually, the danger is similarly great for the national security of countries.
So it should come as no surprise that legislators around the world are steadily getting more and more involved in regulating the collection and storage of user information. Not that they need to reinvent the wheel to do so. All they need do is pretty much transfer the measures that exist for our offline lives. For example, Internet services shouldn’t have the right to demand private information if similar services can be found offline where you don’t need to hand over the same.
Lastly, for anyone who thinks there’s still a chance of having something vaguely resembling an inviolable private life today, I recommend a viewing of this series of vids.
I already brought this topic up in my December 2011 review & forecast press conference, summarized here. Now for some detail…
It’s rather hackneyed to say that the younger generations differ from the older ones. But it really is true! They live and think differently, and can’t imagine what this world was like without today’s technology that’s taken so for granted – mobile phones, the Internet, Wi-Fi, Skype, personal blogs, social networks, game consoles, etc. They practically live in the digital/online domain and will stay living there forever. Importantly, they’ll never vote in elections if they have to actually get up and walk somewhere to do so! They’ll only vote if they can do so online. And for online voting to work a system of Internet passports is needed. But we don’t have such a thing at the mo – as you’re perfectly aware. Can you begin to see the implications for the basis of democracy?…
The implications of the younger generations not going out to vote (prevented by there being no system of Internet passports) are more far-reaching than might at first be imagined. The technologically-aggravated generation gap will increasingly polarize populations: great swathes – the youngest and most active – will end up completely cut off from politics, unaware of the political decisions being made ostensibly on their behalf. Political power will come to only reflect the interests of the older generations, that is, the so-called Digital Immigrants, not the Digital Natives. At the same time, the political activism of the younger generations will keep increasing as they feel more and more isolated. Which can bring about revolutions and take down regimes.
Therefore, developing and introducing secure digital IDs – Internet passports – I regard as one of the most important tasks facing the industrialized world today. Fortunately, it’s rather straightforward to do technically. Politically – that’s another matter…
It would be logical to introduce biometric Internet passports only for those services that in the offline world require physical identification of the user: banking services (for those operations that require producing some ID), registration for a flight, etc. And as I’ve already mentioned, if in the offline world there’s no need for identification, it shouldn’t be needed in the online world either for similar transactions; therefore, for online purchases or correspondence with friends you should not be obliged to use an Internet passport. Then there’s the “middle” zone of identification, which would maintain anonymity: for services that require not your full name, but, for example, your age – for purchases of things like alcohol and tobacco, access to adult resources, etc. Again, the good news is anonymous “middle” identification is technically easily possible.
In any society, in any country, there’ll always be opposing views and antagonisms – even if dormant. Is it possible to use social networks to wake up dormant conflicts and transform them into angrily active ones? Of course – easy! Especially when you consider that a large share of users of social networks are the young – with the attendant overt and active civil positions.
Today we receive information from a great many different sources, among which we have traditional TV, radio, newspapers and other print publications, but now also social networks. But how accurate is info published on the latter? For traditional mass media, what they show/publish is regulated by legislation. Thus, if a journalist publishes untrue or unreasonably provocative information, sooner or later his/her publication would have to answer for such, probably in court and with a hefty fine. And there’s always a media outlet’s reputation to think about – vitally important in keeping up viewership/readership. Taking risks with reputation just isn’t worth it to legacy media; therefore, as a rule they are very careful with what they broadcast/publish – very responsible.
With social networks things are different. It’s not always clear who’s hiding behind a nickname, so responsibility for what’s written is diminished, to the extent that anyone can write just about what he/she likes – true or not. Looking at them this way, social networks can be used as effective platforms for anonymous manipulation of the masses, for initiating and spreading false rumors, and for provocation and misinformation of the population. Of course, social networks can be used for positive things too, but the point here is that they can easily be abused, unlike legacy media. There are no watchdogs overseeing social networks.
Theoretically, and no doubt in practice, social networks can be used to destabilize societies (whether that be a good or a bad thing, in your view, in a given case). One doesn’t have to look far for examples of this: we had last year the Arab Spring, the American Summer, the British Autumn, and the Russian Winter. Like the propaganda messages on slips of paper dropped from airplanes onto enemy territory during the wars of yesterday, social networks are their modern-day version, used for conducting similar propaganda campaigns today – not all of them for objectively positive causes.
The Chinese solution – namely, to register users of social networks based on an ID document – is overdoing it, for sure. But then it’s far from easy to get the balance right in ensuring freedom of speech and anonymity while at the same time ruling out the possibility of mass manipulation. And this is one issue I have no solution to. Any ideas?
Cybercrime is global, as you’ll probably have gathered by now.
I reckon the losses to the world economy caused by the dirty deeds of cybercriminals can be measured in billions of dollars a year, maybe hundreds of billions. Fortunately, the governments of different countries have at last started constructive dialog on this issue and international projects and regional/national cyber-police units have been established; the UN’s IMPACT unit has been in operation since 2008, and Interpol has announced its opening a special department for tackling cybercrime in Singapore in 2014. So even if the problem of cybercrime won’t be solved fully over the next several years (which is most likely), cybercriminals will at least have a lot harder a time in conducting their harmful endeavors than what they’ve been used to. Unlike, I regret to say, the folks behind cyberwarfare.
A formally established and widely accepted definition of military and/or terrorist cyber-attacks hasn’t been introduced yet. In the meantime, my definition is as follows:
cyberwar attacks are attacks on systems critically important for national and/or global economies, and also for national and/or global security, and which have the objective of weakening military potential and inflicting considerable damage to nation states and their ability to act appropriately and as they would like, with grave consequences for human populations, possibly with casualties.
And if you think that such threats sound like something out of science-fiction, I’m afraid I’ve got some very bad news for you: all this is real already – today.
One of the first cyberwar attacks, which occurred in 2007, was of a more or less harmless character (if here such a word in principle is possibly suitable and/or appropriate): perhaps you’ll recall the story of how as a result of a DDoS attack on Estonian sites the whole Baltic country was cut off from the Internet. But that was nothing, really, compared with what was to come…
In 2010 the world learned about a second – this time extremely serious – case of targeted cyberwar attacks.
An incredibly complicated computer worm called Stuxnet was able to penetrate the network of the Iranian nuclear facility and sabotage its industrial computer systems and physically damage its uranium enrichment centrifuges. Interestingly, the computer network had no Internet connection.
Since Stuxnet, news from the cyberwar front started to come in thick and fast. The most recent discovery has been the Flame worm, which demonstrates just how much things are heating up in terms of cyberwarfare in the world. And I’ve no doubt whatsoever that governments are behind it all.
So what’s so dangerous about cyberweapons? I won’t repeat myself: have a look at my recent post on this. Here let me just summarize the conclusions we’ve reached so far.
The most dangerous aspect of cyberweapons is their unpredictable side-effects. A worst case scenario would see a cyberweapon aimed at a specific industrial object not actually being able to accurately pick out its victim – either down to a mistake in the algorithm or a banal error in the code – easily possible with it being so vast and complex. As a result of such an attack the targeted victim – let’s say hypothetically a power station – would not be the only thing affected: all the other power stations in the world built with the same design would be too. A lethal boomerang effect.
It’s practically impossible to protect ourselves from such attacks today. To do so it’d be necessary to redesign just about all the software code in existence and switch to secure operating systems. It’s clear this is virtually impossible; even if it were possible, can you imagine the size of the budgets involved? No state would ever permit itself to make such colossal investments in IT Security.
So, what do we do?
This problem needs solving in the same way as the problems of chemical, biological and nuclear weapons were in the past. What is needed is an international agreement on cooperation, non-proliferation and non-usage of cyberweapons. And such a project needs to be organized and coordinated by an independent international organization – like a Cyber-IAEA, ideally under the aegis of something like the United Nations.
I believe that sooner or later nation states will come to fully understand the dangers of cyberweapons being applied in cyberwar attacks, and then eventually put an end to, if not the development, at least the application and proliferation of cyberweapons.