Post-Stuxnet market failures and socialisation of risks?  2.2.12

More than a year ago we learned that Stuxnet would be a game changer. Indeed, no advisor in all things security failed to mention that the hack, allegedly of U.S.-Israeli origin (Langner), which sabotaged Iranian uranium enrichment facilities, was a showcase for future attacks on our beloved infrastructures and industrial production sites. While one might argue that the transfer of the world's production sites to China tempers the scare somewhat, there are still some Industrial Control Systems implemented and running within, say, the EU or the U.S. With Stuxnet discussed ad nauseam both at security conferences and in global mainstream media, with policy awareness raised up to the level of the leaders of the universe, with calls for decisive policy responses on all policy levels, with calls for cyber-defence programmes against prospective attacks in cyber-warfare (waged by someone other than the U.S. and Israel) and for national and international critical infrastructure protection programmes, with all that stuff one would assume that at least some of the most obvious steps have been accomplished.

And then you read an update by the commercial community of technical experts on Industrial Control Systems. According to their assessment, the ICS industry acts deaf and akin to the automotive industry in "Fight Club" (the scene in which the insomniac automotive-industry protagonist meets Tyler Durden on the airplane): it is cheaper to let systems go bust occasionally and pay for some clean-up than to fix the systems preventively. That industrial control systems are still highly buggy is what a group of ICS security researchers around the consultancy Digital Bond set out to showcase at their SCADA Security Scientific Symposium (S4). For experts in the field, this has been common knowledge for more than a decade.

The technical ICS geniuses at the S4 conference put all the blame on the vendors, such as Siemens, General Electric, Schneider Modicon, Rockwell Automation, SEL, or Koyo Automation. But is it that easy? My experience from general IT, not ICS admittedly, tells me that life is more complicated. Consultancies, independent in name but tied to specific vendors, certainly have no incentive to blame existing or prospective customers. More substantially, while there might be customers with inadequate security procedures out there, I highly doubt that knowledge of the notorious insecurity of a particular set of artefacts does not exist somewhere inside customer companies and never climbs the communication ladder to the CIOs or CSOs. If owners are not interested in getting their 20-year-old ICS fixed, a vendor interested in subsequent orders would not want to embarrass itself and its clients by being utterly explicit about the risks or the security hiccups of the installed base of legacy systems.

The financial sector and the nuclear industry serve as nice role models for dealing with what we institutional-economics-infected researchers call the negative externalities of societal or technical systems. For both system vendors and owners of such infrastructures, inactivity is a viable response to the publication of vulnerabilities. Why would you want to spend millions on hardening your chemical facilities against a rather hostile hack into their control systems? If shit hits the fan, writing off your production site and transferring the external costs to the public is probably the most economic approach. Just make sure that the downfall of one site doesn't bring down the complete parent group, as with those TEPCO guys who failed to install proper economic firewalls inside their group. There are no columns or rows for the rhetoric of cyber-warfare in the Excel sheets on which executive boards of infrastructure owners rely in their decision making. The ongoing installation of insecure systems and components is certainly worrying.

The great potential realigner of incentives, aka public authorities, has remained rather calm on this issue, too. For Europe, Kroes is gunning for "providing the right incentives", but we don't know yet what the Commission will come up with eventually. Hohlmaier, rapporteur of the European Parliament on cybersecurity issues and with a constituency in Siemens land, has been likewise silent on this, Google tells us. Inaction by incompetent or unwilling operators of information and industrial infrastructures might pose risks for the public at large. The public might want to live with some risks. Or prefer to have incentives realigned, i.e. get regulations installed that force vendors, customers or third parties to invest in security measures. For the last couple of years, policy makers, researchers and public authorities have been obsessed with "incentivising" third parties such as ISPs to make up for the failures of vendors and customers of ICT systems. For industrial control systems, I don't see this option. It is either the vendors and/or the customers (owners of infrastructures) that need to foot the bill. Or learn to live with the risks. Just like we did with financial and nuclear systems.

“so big it does my head in”  14.10.11

The unnamed Economist author shares her notes from a preparatory meeting for the cyber security conference in London next month.

A “senior” participant remarked:

“It is so big it does my head in.”

But why? The author notes:

“Because this stuff is all mashed up. The interconnectedness of cyberspace breaks down borders and distinctions around which societies and states are organised.

It mashes up people and geography. …

Cyber mashes up functions. …

Cyber mashes up the trivial and the critical. …

It mashes up weapons. …

Finally, the internet mashes up state and private … “

Release often, release early:

By definition we need international co-operation. … So we should start with something small and build out. I see it as a quilt, a patchwork…  The role of NGOs, think-tank and private experts in sensitising governments, without it seeming a form of electronic imperialism, is important.

The role of states:

Whatever the threat, it seems to me that the private sector will be involved in almost all responses. One working group made the point that “knowledge implies more responsibility”.

Indeed, indeed. Operationally, cyber security rests on those who control the components that make up the internet.

In any case, it is hard to translate rules and practices of war. Two examples: – Is private industry ready to be the warfighter? – How do you put red crosses on hospitals and orphanages? Do we have to put them on separate networks, ie, create a "dot.humanitarian" domain? Here we start to move into polders. Should we create "dot.secure" areas? People are willing to give up a lot of privacy in social networking. It seems to me that they would be willing to do it for security.


The Prince of Wales moment in cyberspace  13.10.11

Stewart Baker, former official at DHS and NSA, in an article called “Denial of Service” on Foreign Policy:

“We should not wait for our own Prince of Wales moment in cyberspace.”

Now, that's disturbing. Virtual Pearl Harbour no more. Welcome to: Oh, that I were a bot upon that machine that I might touch that juicy data? Well, I shouldn't start reading articles at their very last paragraph. The second-to-last comes to the rescue.

In 1941, the British sent their most modern battleship, the Prince of Wales, to Southeast Asia to deter a Japanese attack on Singapore. … It took Japanese bombers 10 minutes to put an end to their fantasy, to the Prince of Wales, and to hundreds of brave sailors’ lives.

Besides that, the message is:

But the lesson of all this for the lawyers and the diplomats is stark: Their effort to impose limits on cyberwar is almost certainly doomed.

Therefore, cyber strategies are necessary:

The offense must be powerful enough to deter every adversary with something to lose in cyberspace, so it must include a way to identify attackers with certainty. The defense, too, must be realistic, making successful cyberattacks more difficult and less effective because resilience and redundancy has been built into U.S. infrastructure.

How do you identify attackers with certainty without either fundamentally altering the architecture of the internet or being able to enforce the collaboration of intermediaries such as ISPs worldwide? Source addresses alone settle nothing: they can be spoofed, and an attack can be staged through compromised hosts in a third country. The latter option could be accomplished in several ways: a) through foreign governments acting as proxies, persuaded ad hoc by diplomatic influence or bound by institutions such as international treaties; or b) through supportive worldwide technical communities.

Microsoft shares some lessons from the Least Malware Infected Countries in the World  4.10.11

Microsoft’s Trustworthy Computing product manager, Tim Rains, observed that a number of countries had been doing particularly well in Microsoft’s annual Security Intelligence Report. So they asked their local teams for potential reasons behind the stats.

Answer from Austria by Leon Aaron Kaplan, CERT.at:

“We believe the low piracy rate, combined with a generally strict IT security enforcement of ISPs and the fact that updates are quickly installed due to fast Internet lines (broadband, cable connection) forms a basis for the generally low infection score in Austria.”

Answer from Finland by Erka Koivunen, CERT.fi: skills and tools, admin culture, regulatory environment. On regulation:

There are clear and pragmatic provisions in Finnish legislation granting network admins the right (and at times an obligation) to defend their networks and interconnected IT systems against breaches of technical information security…. The rules start with administrative engagement: appointing responsible network security admins and the so-called abuse helpdesks to handle complaints is mandatory. The more technical stuff includes provisions such as exercising what we call "address hygiene" in core networks (e.g., filtering spoofed and source-routed packets) and restricting broadband subscribers' ability to send spam or participate in denial-of-service attacks. There is also a requirement for ISPs to inform their subscribers about the possible dangers of the Internet and ways to mitigate them. As a side effect, this has greatly boosted the purchase of security software by private consumers.
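The "address hygiene" Koivunen mentions is, in practice, BCP 38 ingress filtering: a customer-facing port only accepts packets whose source address belongs to the prefixes assigned to that port, bogon sources are dropped everywhere, the uplink must not deliver packets claiming to come from your own customers, and source-routed packets are refused outright. The following is an added illustration of that rule, not code from the original post or from CERT.fi; the interface names, prefixes and sample packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology (assumption, not from the page): one uplink and two
# customer-facing interfaces. A customer port may only source packets from
# the prefixes assigned to it; that is the BCP 38 ingress-filtering rule.
UPLINK = "eth0"
ALLOWED_SOURCES = {
    "eth1": [ipaddress.ip_network("192.0.2.0/25")],
    "eth2": [ipaddress.ip_network("198.51.100.0/24"),
             ipaddress.ip_network("2001:db8:1::/48")],
}

# Addresses that must never appear as a source on any edge interface.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


@dataclass
class Packet:
    iface: str                    # interface the packet arrived on
    src: str                      # source address as written in the header
    dst: str
    source_routed: bool = False   # IPv4 LSRR/SSRR option or IPv6 routing header present


def _in_any(addr, networks):
    # ipaddress answers False for a v4 address tested against a v6 network,
    # so mixed-family prefix lists are safe here.
    return any(addr in net for net in networks)


def ingress_verdict(pkt):
    """Return 'accept' or 'drop: <reason>' for a packet entering the router."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.source_routed:
        return "drop: source-routed"
    if _in_any(src, BOGONS):
        return "drop: bogon source"
    if pkt.iface == UPLINK:
        # Traffic from upstream must not claim to come from our own customers.
        own = [n for nets in ALLOWED_SOURCES.values() for n in nets]
        if _in_any(src, own):
            return "drop: own prefix from uplink"
        return "accept"
    allowed = ALLOWED_SOURCES.get(pkt.iface)
    if allowed is None:
        return "drop: unknown interface"
    if _in_any(src, allowed):
        return "accept"
    return "drop: spoofed source"


def filter_packets(packets):
    """Apply the ingress rule to a batch; returns (accepted, drop_counts)."""
    accepted, drops = [], {}
    for pkt in packets:
        verdict = ingress_verdict(pkt)
        if verdict == "accept":
            accepted.append(pkt)
        else:
            drops[verdict] = drops.get(verdict, 0) + 1
    return accepted, drops


if __name__ == "__main__":
    sample = [  # constructed packets, not captured traffic
        Packet("eth1", "192.0.2.10", "203.0.113.1"),
        Packet("eth1", "198.51.100.5", "203.0.113.1"),   # eth1 host claiming eth2's space
        Packet("eth2", "192.168.1.1", "203.0.113.1"),    # RFC 1918 source
        Packet("eth0", "192.0.2.10", "192.0.2.20"),      # our own prefix arriving from upstream
        Packet("eth0", "203.0.113.7", "192.0.2.10"),
        Packet("eth2", "2001:db8:1::5", "2001:db8:2::1"),
        Packet("eth1", "192.0.2.11", "203.0.113.1", source_routed=True),
    ]
    accepted, drops = filter_packets(sample)
    print(len(accepted), "accepted;", drops)
```

On real equipment the same policy is spelled differently: on Cisco IOS, strict unicast RPF (`ip verify unicast source reachable-via rx`) on customer ports plus `no ip source-route` globally; on a Linux router, `net.ipv4.conf.all.rp_filter=1` and `net.ipv4.conf.all.accept_source_route=0` via sysctl. Strict RPF derives the allowed prefixes from the routing table instead of a static list, which is why it breaks under asymmetric routing and why peering links usually get loose mode only.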

Microsoft's local Chief Security Advisor in Finland adds: a community of peers in the public and private sectors, and educated users.

Lessons from Germany and Japan.

Summing up:

1. There exist strong public-private partnerships that enable proactive and response capabilities
2. CERTs, ISPs and others actively monitoring for threats in the region enable rapid response to emerging threats
3. An IT culture where system administrators respond rapidly to reports of system infections or abuse is helpful
4. Enforcement policies and active remediation of threats via quarantining infected systems on networks in the region is effective
5. Regional education campaigns and media attention that help improve the public’s awareness of security issues can pay dividends
6. Low software piracy rates and widespread usage of Windows Update/Microsoft Update has helped keep infection rates relatively low


“round the clock Internet surveillance”?  30.9.11

African news outlet coastweek.com reports from the ongoing Internet Governance Forum:

According to International Telecommunications Union (ITU) Secretary General Hamadoun Toure, governments should put in place round the clock Internet surveillance to prevent cyber-crime.

Toure called for the need for governments and the private sector to enter into partnership to ensure measures to guard Internet users in order to realize the full benefits of information technology growth.

Has Touré really called for “round the clock Internet surveillance”?

Anyhow, the design of coastweek.com makes me feel 15 years younger.

DHS, DoC ask for anti-botnet policy input  28.9.11

Joint request by May, Strickling, Beers:

The U.S. Department of Commerce and U.S. Department of Homeland Security are requesting information on the requirements of, and possible approaches to creating, a voluntary industry code of conduct to address the detection, notification and mitigation of botnets. (…) The Departments seek public comment from all Internet stakeholders, including the commercial, academic, and civil society sectors, on potential models for detection, notification, prevention, and mitigation of botnets’ illicit use of computer equipment.

DHS asks for contributions in four segments: a) Practices To Help Prevent and Mitigate Botnet Infections, b) Effective Practices for Identifying Botnets, c) Reviewing Effectiveness of Consumer Notification, d) Incentives To Promote Voluntary Action To Notify Consumers.

I've seen similar public requests for comments in other policy domains of the U.S. political system before. Thus, I'm not sure whether this is as unique as it appears to be from my European perspective.

Currently, Microsoft – and not some state agency – seems to be the botnet take-downer du jour.

Update. Joel Harding with regard to Microsoft’s role in botnet response:

DHS does not have the resources to protect US citizens, US corporations or any other government infrastructure beyond the critical infrastructure. Yet it is their mission to provide Homeland Security. When will DHS step up to the plate and perform their mission? Do we need a Department of Microsoft instead?

Agency or networks – some thoughts about Europe’s ongoing internet security debates  21.5.11

Well, I shouldn't make these all-encompassing headlines, after all, forcing me to write way too long texts. Anyhow. I was in Belgium a couple of weeks ago and used the opportunity of proximity for a Brussels visit. The first glaring characteristic of Brussels is the scent of waffles all over Midi station. It is as if every station comes with a little surprise for its passengers. At Luxembourg station, the one next to the European Parliament, the party in control of the facility equipment opted for an acoustic treatment: Abba's "The winner takes it all." For sure she does. (Which reminds me of "Mamma Mia": Meryl Streep has quite a voice, by the way.)

The voices of the European citizens are represented by representatives sitting in offices matching in size those of senior knowledge workers in corporate headquarters. A nice quality surplus however […]

The uber-CERT: Germany’s new cyber-defense centre  2.4.11

I guess when the average media consumer hears "cyber-defence centre", she likely has Star-Wars-ish control rooms in mind. Starting today, Germany has its National Cyber Defence Centre. It is located in the offices of the Federal Office for Information Security (BSI), which reports to the Federal Minister of the Interior. Not much of a surprise there. Quite some headlines in national media for a ten-person task force, though. (Sources: FAZ, Ministry of the Interior, both in German)

[…]

NATO and its role in internet security – geopolitics of internet security governance?  20.3.11

“The threat is there to see and if the worst were to happen…” (Donald Rumsfeld, Feb 2003)

Looks like Stuxnet is the best of all electronic Pearl Harbours so far. The writing on the wall of what could be. The "game changer" (DHS cyber director), the menace that seems to convince politicians, media and the public alike that there is something potentially very threatening out there. It has taken some fifteen years of fear mongering to achieve that.

Menaces, threats, risks, dangers require responses, yet which? […]

“Intensification of civil-military cooperation”. Some comments on the recent Dutch National Cyber Security Strategy on incident response  18.3.11

In February, the Dutch Ministry of Security and Justice released its "National Cyber Security Strategy (NCSS) – Success through cooperation." (govcert.nl) Section 5.4, "Response capacity for withstanding ICT disruptions and cyber attacks", is particularly interesting and highlights the ongoing transformation of the organisational landscape. While the strategy's briefness makes a refreshing change for lazy readers like us, it also raises a couple of questions.
[…]