Open Security Data  22.10.11

The European Commissioner for the Digital Agenda from the Dutch conservative-liberal VVD party, Neelie Kroes, announces an “ambitious EU Open Data Strategy“. It seeks to “encourage more openness and re-use of public sector data” by a Public Sector Information Directive. The Commission is planning to set up an “Open Data portal” for the European Commission, later to be supplemented by a “pan-European Open Data portal”.

This is indeed going to be huge, potentially at least. We have seen plenty of these geeky apps and web sites that make use of publicly available data and create some clever mashups. The usual meme of Open Data advocacy is that it fosters transparency, openness, enhances citizens’ say in public matters and thereby strengthens democracy and what else. For all this open data hipness and siren songs, it remains to be seen whether the advantages will be evenly distributed among citizens, who might receive enhanced or innovative public and non-public services, entrepreneurs entering the markets with some fresh and bright ideas bureaucrats haven’t thought of and ICT behemoths, which most likely will seize the opportunity and kick outtasking into new spheres to sell software, iron and services.

A litmus test to the openness and transparency rhetoric is, as always, the area of security. Will there be a section in COM’s portal labelled “internet security” or “cyber security”? In Brussels, the draft Directive on “judicial cooperation … on combatting attacks against information systems” is still under consideration. Article 15, paragraph 3 states:

Member States shall transmit the data collected according to this Article to the Commission. They shall also ensure that a consolidated review of these statistical reports is published.

Here we have a perfect opportunity for the EC to display its willingness for openness of public sector data. In addition to merely releasing consolidated statistics about the internet-based crimes, a more open approach appears to be perfectly feasible. We still lack reliable, deep knowledge about the scale of the internet security problem. Publicly accessible data will be very helpful to overcome this deficiency and thus to provide the knowledge base for sound political decisions.

Open Data often tends to focus on low-hanging fruits such as geographic data, administrative documents and similar kinds of public service raw data. The one and only area however that truly impacts transparency of governmental action is security. Security is often is grotesquely secretive, security organisation shielded from public scrutiny. With legitimate force entirely concentrated in their hands, these institutions both protect citizens and society, but also, by definition, pose a threat once organisational culture, political oversight and political independence become non-optimal. Hence, democratic governance requires security organisations that are open to public oversight to the maximum degree possible without endangering societal security interests.

While Open Data “merely” requires to add public interfaces to existing data warehouses, Open Security Data admittedly needs a thorough analysis on which data is safe for publication and which isn’t. It shouldn’t be that hard though to make statistical cyber-crime databases public. For a start.

 

14 years after, blissfully unaware  21.10.11

Fourteen years ago, the Clinton administration launched the Presidential Commission on Critical Infrastructure Commission. Its 1997 report “Critical Foundations – Protecting America’s Infrastructure” states (Appendix A, Section Summary Report, p. A-26):

Vulnerabilities facing the energy industries include:

* Those created in the operating environment by the rapid proliferation of industry-wide information systems based on open-system architectures, centralized operations, increased communications over public telecommunications networks and remote maintenance

Earlier this week, Terry Zink quoted the following in a blog post:

Despite investments into state of the art technology, a majority of the oil and gas industry remain blissfully unaware of the vulnerabilities, threats and capability of a malicious cyber attack on control systems.

2002 security recommendations not implemented – US Federal cyberattacks 650% up  10.10.11

The EpochTimes on a recent report of the Government Accountability Office:

It found 41,776 cybersecurity incidents in 2010, up from just 5,503 in 2006. The GAO also analyzed the security practices of two dozen federal agencies, and gave recommendations on improving federal cybersecurity in line with the Federal Information Security Management Act of 2002. It noted, however, these implementations were not yet in place.

“An underlying reason for these weaknesses is that agencies have not fully implemented their information security programs,” states the report. “As a result, they have limited assurance that controls are in place and operating as intended to protect their information resources, thereby leaving them vulnerable to attack or compromise.”

Cyber Crime rate escalating, says Deparment of Homeland Security  2.10.11

The art of statistics – more calls, more cyber:

Homeland Security Department (DHS) of the U.S. has said that the number of cybercrimes has sharply risen as compared to previous records. The DHS said that the cyber experts working on the Control System Security Program have tackled 342 requests for assistance so far this year, while the number of such requests in 2010 was only 116, deploying the Emergency Response Team seven times this year as compared to only once or twice in previous years.

Amazon’s Silk – security by sniffing?  2.10.11

Om Malik asks David Ulevitch, CEO of OpenDNS and facilitator of phishtank.com, about his view Amazon’s Silk browser. Next to the optional classic end-to-end browsing mode, the browser can route all the traffic via Amazon’s cloud machines to “optimize and accelerate the delivery of web content” (Amazon Silk FAQ), to “troubleshoot and diagnose Amazon Silk technical issues” (Amazon Silk Terms and Conditions). David replies:

I think it’s brilliant. Not sure if people are wary of Amazon doing it since they will see all your traffic but SOMEONE should be doing this. Performance is one reason, but security benefits could be added too. Ultimately I think the idea of decoupled browsing makes a lot of sense. I’d rather a remote exploit run in a VM in the cloud instead of compromising my mobile device and rooting my phone.

While there is some ambiguity in Ulevtich’s wording, my interpretation is that he supports the idea of centralised access points for web surfing end users, which function as kind of content washing machines deleting malware, phishing sites and similarly insecure web content.

Will the sanitizers coalesce with the privatizers? Chris Espinoza:

The “split browser” notion is that Amazon will use its EC2 back end to pre-cache user web browsing, using its fat back-end pipes to grab all the web content at once so the lightweight Fire-based browser has to only download one simple stream from Amazon’s servers. But what this means is that Amazon will capture and control every Web transaction performed by Fire users. Every page they see, every link they follow, every click they make, every ad they see is going to be intermediated by one of the largest server farms on the planet.

Fire isn’t a noun, it’s a verb, and it’s what Amazon has done in the targeted direction of Google. This is the first shot in the new war for replacing the Internet with a privatized merchant data-aggregation network.

And what does this from Amazon’s Silk FAQ mean:

What about handling secure (https) connections?
We will establish a secure connection from the cloud to the site owner on your behalf for page requests of sites using SSL (e.g. https://example.com).

John Healey on discussions about an international internet security treaty  1.10.11

Irrespective of David Eaves’ speculations about the underlying motives of the U.S., UK and the remaining Open Government Partnership cosigners, internet security certainly is a subfield of strategic foreign policy thinking. On the Atlantic Council website, John Healey has summed up the current status quo of the discussions for cybersecurity treaty. The Sino-Russian UN proposal for an “International Code of Conduct for International Security”. Healy has an excerpt addressing Twitter revolutions (Russia’s and China’s noospheric soft belly) …

The Russian and Chinese proposal asks for nations to pledge to
… prevent other states from using their resources, critical infrastructures, core technologies or other advantages, to undermine the rights of other countries … to independent control of ICTs, or to threaten other countries’ political, economic and social security. 

… and the points at the omission of paragraphs on patriotic hackers (kind of unlawful cyber combatants posing asymmetric risks for the West):

Any UN voluntary code should include a pledge by nations to control patriotic hackers, militias, or other groups that are ignored, encouraged, or even supported by governments. This has been a scourge of modern cyber conflict and is a lead cause of instability in cyberspace, helping to escalate crises. And Russia and China are the particular sponsors of such groups as seen in Estonia and Georgia (Russia) and against the United States after Hainan Island incident and bombing of the Beijing embassy in Belgrade (China).

(Annotation: In Germany, courts have ruled human-bot-driven DDoS attacks legal and likened them to likewise legal sit-ins, which block traffic from and to property in the physical world.)

Update: The Council of Foreign Relations has a blog entry – alas too short – on the Chinese perspective of the geopolitics in cyberspace.

But taken together with China’s proposed International Code of Conduct for Information Security, they suggest that some observers in China feel that the United States has gained momentum in cyberspace with the introduction of the International Strategy for Cyberspace and the DoD Strategy for Operating in Cyberspace.

Malström’s security cure for Europe: “The EU Internal Security Strategy in Action”  30.11.10

Commissioner Cecilia “Censilia” Malmström has launched the European Commission’s EU Internal Security Strategy, “The EU Internal Security Strategy in Action”. One of the five “strategic objectives for internal security” mentioned in the document: “Raise levels of security for citizens and businesses in cyberspace.”

According to her plans, Europe will have a built capabilities to smoothly respond to cyber attacks (contingency plans, sharing and alert systems) by 2013. […]

dataloss.db  27.10.10

The so-called Open Security Foundation has set up a publicly view- and editable database to collect and share information about, well, data losses:

DataLossDB is a research project aimed at documenting known and reported data loss incidents world-wide. The effort is now a community one, and with the move to Open Security Foundation’s DataLossDB.org, asks for contributions of new incidents and new data for existing incidents.

May it help those virtual runaway bits to come back to their motherships. Such as:

New York breach notification: Bear Sterns – client information accidentally was viewable by 2 unauthorized firms. 442 NY residents potentially exposed.  (Source)

If only Bear Sterns had exposed just those 442 New Yorkers. Anyhow. Data losses are a societal problem, especially when incidents climb up to the dimensions of the Heartland Payment Systems case with their 130,000,000 records or the T-Mobile Germany incident, which affected some 17,000,000 customers.

Nagging questions in cybersecurity research  12.4.10

It doesn’t happen too often that you read about a conference or a workshop and think: Now, that was about time! Internet governance is about to undergo some fundamental changes, states are getting ever more involved, mostly for addressing internet security problems. A plethora of questions need to be resolved to deal with these problems with well designed institutions. And yet, as far as I can tell, there is no major research programme on internet security governance going on anywhere on this planet. Hence, the workshop “Europe And The Global Information Society Revisited: Developing A Network Of Scholars And Agenda For Social Science Research On ‘Cyber Security’” could not have been launched more timely.
The Center for Media and Communication Studies at the Central European University (Budapest, Hungary), in partnership with the Centre for Global Communications Studies at the Annenberg School of Communications (Philadelphia, USA) will convene 30 selected experts next week at CEU in Budapest for a Strategic Workshop sponsored by the European Science Foundation (ESF). As flattering as rather undeservedly, I will be on a panel discussing the relations between cybersecurity on the one hand and International Relations, governance and institutions on the other. Following, my take on some blind spots in internet security research from a social scientific perspective.

[…]