Why Cybersecurity Is Rubbish
@alecmuffett www.alecmuffett.com
green lane security www.greenlanesecurity.com
how to think clearly about (cyber) security
how to think clearly about security
how to think clearly about cybersecurity
why cybersecurity is rubbish
...a bit too polemical?
thesis:

1. there is a word cybersecurity

2. this word is both a metaphor and a model for thinking about the challenges of information and network security

3. this model, with perhaps one exception, is unsuited to describe the challenges of information and network security

4. this model has been adopted by state actors as key to discussion and/or strategic consideration of information and network security

5. strategy based upon this model tends to be misconceived, expensive, and of an illiberal nature

6. unless diluted with other perspectives, this model provides a lever for greater state control over information and network security that will harm the evolution of the field

end thesis

thesis defence

1. cybersecurity: what does it mean?

a long time ago in a novel far far away...
http://en.wikipedia.org/wiki/File:Neuromancer_(Book).jpg

cyberspace
not cybernetic
http://en.wikipedia.org/wiki/File:Sixmilliondollar1.jpg

virtual reality, a real virtuality
hackers movie
http://en.wikipedia.org/wiki/File:Tron_poster.jpg

spinoff words
http://en.wikipedia.org/wiki/Internet-related_prefixes
cyber-prefix

cyberpunk
http://en.wikipedia.org/wiki/File:Wargames.jpg
http://en.wikipedia.org/wiki/File:Hackersposter.jpg
http://en.wikipedia.org/wiki/File:The_Matrix_Poster.jpg

cypher-punk ? PGP!

cyber-everything!
cybercrime
cybercriminals
cybersex
cyberchildren “digital natives”
cyberbullying
cyberterrorists
cyberattacks
cyberwarfare
cyberweapons
cyberespionage
...and so forth

AN OBSERVATION

word prefixes ...
digital, virtual = interesting, virtuous
virtual reality
e-something = dull
iSomething
iPrefer this logo
cyber = bad/profane?
are we meant or predisposed to dislike ‘cyber’ ?
“information superhighway” was always boring

pop(@stack);

2. what model does it represent?

not cyber-space
but cyber-space
a near-tangible virtual world
described as a space
people meet in a space
battles are fought in a space
wars are waged in a space
humans understand space

underlying assumption is that cyberspace is sufficiently like realspace and much the same rules can apply

but, alas...

3. the model is a mostly-bad fit to reality?

cyberspace is not like realspace

example 1: theft

cyberspace theft is not commutative

theft in realspace
• if I steal your phone
  • you no longer have it
  • it is gone

theft in cyberspace
• if I steal your data
  • you still have it
  • unless I also destroy your copies
  • assuming you haven’t backed-up your data
  • you no longer have secrecy
  • not the same as “loss”

later debate: is intellectual property theft actually theft (ie: crime) ...
... or is it like copyright infringement and/or patent infringement (ie: typically a tort)?
(ask a lawyer. pay him.)

example 2: cybersize

social media as a medium: Twitter

@AlecMuffett ~1300 followers
@MailOnline ~29,000 followers
@GuardianNews ~223,000 followers

Can a case for newspaper regulation be applied to newspaper twitterers?

@StephenFry ~3,120,000 followers

Why regulate newspapers & journalists on Twitter, yet not regulate Stephen Fry?

On Twitter everyone is the same size
0 = no twitter account
1 = twitter account

On Twitter everyone has equal capability
tweet, or not-tweet, that is the question

On Twitter some have much greater reach
which is not the same thing as size

a maths/compsci analogy:
graph theory → euclidean geometry →
wp:directed_graph

a node/vertex/twitterer is a point and is of zero dimension; hence all twitterers are the same size

a line/edge/follow is that which joins two nodes/twitterers

the degree of a twitterer is the number of followers, the number of people with whom you communicate

the only metrics on twitter
• volume
  • number of tweets
• indegree
  • number of followers
• outdegree
  • number of people you follow

so which of these three metrics should trigger state regulation of your twitterfeed - regulation of what you may say?

if none, perhaps regulation should pertain to the author & his message rather than the medium

if the medium is irrelevant and open, why discuss regulation of the medium rather than of its users?

example 3: sovereignty

“Where are the boundaries of British (or American, etc) Cyberspace?”
(we will return to this)

precis: society is still adjusting to the net

4. what model has the state adopted?

2011 - 1984 = 27

if it is a place, it can be policed
if it is a theatre, war can be prosecuted

EXPERIMENT

http://www.cpni.gov.uk/threats/cyber-threats/
Cyberspace lies at the heart of modern society; it impacts our personal lives, our businesses and our essential services. Cyber security embraces both the public and the private sector and spans a broad range of issues related to national security, whether through terrorism, crime or industrial espionage.
E-crime, or cyber-crime, whether relating to theft, hacking or denial of service to vital systems, has become a fact of life. The risk of industrial cyber espionage, in which one company makes active attacks on another, through cyberspace, to acquire high value information is also very real. Cyber terrorism presents challenges for the future. We have to be prepared for terrorists seeking to take advantage of our increasing internet dependency to attack or disable key systems.
CPNI works with the Cabinet Office and lead Government departments and agencies to drive forward the UK's cyber security programme to counter these threats.

posit: internet → communications

so replace:
cyberspace → telephoneworld
cyber → phone

http://dropsafe.crypticide.com/article/4933
Telephoneworld lies at the heart of modern society; it impacts our personal lives, our businesses and our essential services. Phone security embraces both the public and the private sector and spans a broad range of issues related to national security, whether through terrorism, crime or industrial espionage.
E-crime, or phone-crime, whether relating to theft, hacking or denial of service to vital systems, has become a fact of life. The risk of industrial phone espionage, in which one company makes active attacks on another, through Telephoneworld, to acquire high value information is also very real. Phone terrorism presents challenges for the future. We have to be prepared for terrorists seeking to take advantage of our increasing communications dependency to attack or disable key systems.
CPNI works with the Cabinet Office and lead Government departments and agencies to drive forward the UK's phone security programme to counter these threats.

The UK should dominate Telephoneworld Cyberspace!

If cyberspace is communication...

to control communication:
• you must define it
• ...and/or...
• you must inhibit it

to define communication
• propaganda
  • a bad word in government lingo
  • also marketing & public relations

to inhibit communication
• censorship
  • likewise a bad word

it’s safer for government to pretend that cyberspace is a space filled with bad people

metaphor drives perception
land → army
sea → navy
sky → air force
cyberspace → up for grabs

to achieve dominance the internet must be widely perceived as a space which can be policed, as a battleground in which war may be prosecuted...

...but what are its boundaries?

“Where are the boundaries of British (etc) Cyberspace?”

depends on what you mean by:
“Boundary”
“British”

is British Cyberspace the union of every Briton’s ability to communicate?
...then Stephen Fry is very large indeed.

is cyberspace the boundary of storage of every and all Britons’ data?
...then British Cyberspace extends into GMail and Facebook servers in the USA.

is British Cyberspace the sum over digital/cyberactivities of all Britons?
...then the State seeks to constrain legal (or, non-criminal) activities and amend/remove civil rights.

Government is curiously unwilling to clarify this matter.

5. “expensive, misconceived and illiberal”

key, critical, strategic quotes:

http://goo.gl/MXCsG - computerworld
The cost of cybercrime to the global economy is estimated at $1 trillion [US General Keith] Alexander stated and malware is being introduced at a rate of 55,000 pieces per day, or one per second.

http://goo.gl/nGPvW - computerworld
The annual cost of cybercrime is about $388 billion, including money and time lost, said Brian Tillett, chief security strategist at Symantec. That’s about $100 billion more than the global black market trade in heroin, cocaine and marijuana combined, he said.

http://goo.gl/A14px - symantec
Symantec Sums
• $388bn =
  • $114bn “cost” +
  • $274bn “lost time”

http://goo.gl/qrmDn - detica
In our most-likely scenario, we estimate the cost of cyber crime to the UK to be £27bn per annum.

http://goo.gl/eQcVS - itpro
Cyber criminals will cost the UK economy an estimated £1.9 billion in 2011, according to a Symantec report.

$1000bn vs: $388bn vs: $114bn?
£27bn vs: £1.9bn ?

wtf?

http://goo.gl/AJMMX - cabinet office
“the £27bn report”

http://goo.gl/vKk3S - detica
The theft of Intellectual Property (IP) from business, which has the greatest economic impact of any type of cyber crime is estimated to be £9.2bn per annum. p18

This gave an overall figure for fiscal fraud by cyber criminals of £2.2bn. p19

Our total estimate for industrial espionage is £7.6bn p20

Overall, we estimate the most likely impact [of online theft is] £1.3bn per annum, with the best and worst case estimates £1.0bn and £2.7bn respectively. p21

Cyber crime          Economic impact
Identity theft       £1.7bn
Online fraud         £1.4bn
Scareware & fake AV  £30m
p18

but...

“The proportion of IP actually stolen cannot at present be measured with any degree of confidence”

“It is very hard to determine what proportion of industrial espionage is due to cybercrime”

“Our assessments are necessarily based on assumptions and informed judgements rather than specific examples of cybercrime, or from data of a classified or commercially sensitive origin”

also, do you remember...
“malware is being introduced at a rate of 55,000 pieces per day”

Compare...

http://goo.gl/YwjT0
You just have to look at some of the figures, in fact over 50%, just about 51% of the malicious software threats that have been ever identified, were identified in 2009.
Theresa May, Today Programme, Oct 2010

http://goo.gl/vK331
Symantec “Global Internet Security Threat Report - Trends for 2009”

In 2009, Symantec created 2,895,802 new malicious code signatures (figure 10). This is a 71 percent increase over 2008, when 1,691,323 new malicious code signatures were added. Although the percentage increase in signatures added is less than the 139 percent increase from 2007 to 2008, the overall number of malicious code signatures by the end of 2009 grew to 5,724,106. This means that of all the malicious code signatures created by Symantec, 51 percent of that total was created in 2009. This is slightly less than 2008, when approximately 60 percent of all signatures at the time were created.

“code signatures” up 51% therefore “malware” up 51% ?

it doesn’t work like that.
(“polymorphic” malware)
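
An added illustration of the slide's point, not part of the original deck: when one payload is re-encoded many times, a count of signatures grows while the number of distinct malware families does not. It assumes signatures behave like per-file hashes (a simplification); `repack`, `unpack` and the payload are hypothetical and constructed for the example.

```python
import hashlib

# Constructed, harmless bytes standing in for the payload of ONE malware family.
PAYLOAD = b"constructed demo payload: stands in for a single malware family"


def repack(payload: bytes, key: int) -> bytes:
    """Hypothetical model of polymorphism: same content, different bytes.

    Byte 0 stores the key; the remainder is the payload XORed with that key.
    """
    return bytes([key]) + bytes(b ^ key for b in payload)


def unpack(sample: bytes) -> bytes:
    """Undo repack() to recover the underlying payload."""
    key = sample[0]
    return bytes(b ^ key for b in sample[1:])


def count_signatures(samples) -> int:
    """Signatures modelled as per-file hashes: one per byte-distinct sample."""
    return len({hashlib.sha256(s).hexdigest() for s in samples})


def count_families(samples) -> int:
    """Distinct underlying payloads once the encoding layer is removed."""
    return len({hashlib.sha256(unpack(s)).hexdigest() for s in samples})


def share_of_total(new: int, total: int) -> int:
    """Percentage of an all-time total contributed by one year, rounded."""
    return round(100 * new / total)


# 200 byte-distinct variants of the same constructed payload (keys 1..200).
SAMPLES = [repack(PAYLOAD, key) for key in range(1, 201)]

if __name__ == "__main__":
    print("signatures:", count_signatures(SAMPLES))  # byte-distinct files
    print("families:  ", count_families(SAMPLES))    # underlying payloads
    # Symantec figures quoted on the slide: 2009 signatures vs. all-time total.
    print("2009 share:", share_of_total(2_895_802, 5_724_106), "%")
```

The last figure is the share of all signatures that were created in 2009, which is a statement about signature-writing activity and not about how much distinct malware exists.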

So: 55,000/day ?

http://goo.gl/M09Ik
McAfee Threat Report: Fourth Quarter 2010

Malware Reaches Record Numbers
Malicious code, in its seemingly infinite forms and ever expanding targets, is the largest threat that McAfee Labs combats daily. We have seen its functionality increase every year. We have seen its sophistication increase every year. We have seen the platforms it targets evolve every year with increasingly clever ways of stealing data. In 2010 McAfee Labs identified more than 20 million new pieces of malware.
Stop. We’ll repeat that figure.
More than 20 million new pieces of malware appearing last year means that we identify nearly 55,000 malware threats every day. That figure is up from 2009. That figure is up from 2008. That figure is way up from 2007. Of the almost 55 million pieces of malware McAfee Labs has identified and protected against, 36 percent of it was written in 2010!

politicians & generals are using glossy marketing reports to bolster strategy

government response ?

“£640m over 4 years”

OCSIA
Office of Cyber Security and Information Assurance

£640m
• cyberinvestment breakdown
  • operational capabilities 65%
  • critical infrastructure 20%
  • cybercrime 9%
  • reserve and baseline 5%

“...but the US is spending $9bn* on cybersecurity; are we spending enough?”
- Audience Member, BCS Meeting Cyber Challenges of 2012
* Actually closer to $11bn

Of the £640m
9% (£58m) goes to cybercrime
65% (£416m) goes to operational capabilities

maybe the proportions reflect the actually perceived threats?

6. harmful to evolution of network security

there is clearly some reality to cybersecurity

CNI: Critical National Infrastructure

CNI Events
1941: Battle of the Atlantic
1943: Dambusters
Gulf Wars: Iraq Power Stations
...pursuant to an invasion, or with a kinetic component

The [Enemy] will crash our systems and then bomb us.

Maybe-CNI Events
• 2007: Estonia
  • no banks, services, food
• 2009: Russia/Ukraine Gas
  • people freezing

Non-CNI Events
• 2011: Aurora/GMail
  • espionage
  • who died?

Nonetheless there is clearly some risk of being blindsided

there is land-war
there is sea-war
there is air-war
so there is cyber-war, but it should not dominate all strategy
compare: air supremacy

You might ask: where’s the harm in cyber/space/security philosophy?
If not to the exclusion of all others?

1) expansion of the state

What’s a politician more likely to tell the public?
1) “you’re on your own”
2) “we’re sorting it out for you”

Who is better to be responsible for a family’s cybersecurity?
1) the family members
2) state cyber-police

2) interference in evolution/education

karmic cycle
• technologies change
  • people complain
• problems arise
  • people complain
• problems get fixed
  • people complain

people always complain, but they use and learn.

3) tunnel vision

let me present an alternative spending model
...it’s actually a terrible idea - but bear with me for a moment...
if we’re worried about viruses...
why not make anti-virus/anti-malware available on the NHS?
free at the point of use
distributed to all citizens
pick what is suitable for your needs
run “flu jab”-like information campaigns
no huge centralised IT project

a great idea, to the extent limited by bureaucracy, goals and targets
ie: this specific idea would be doomed...
...and any Government project to lead security would be likewise?

But if you could address security in a distributed manner...
then why instead spend all that taxpayer money centrally?

Perhaps cybersecurity isn’t actually about protecting the public?
But that would mean it’s rubbish.

fin