Since the emergence of behaviourally modern man some 50,000 years ago, two themes have been constant features of all subsequent iterations of culture- technology and conflict.
As actors, technology has always defined the reach of our theatre; and in that sense we have encompassed (and conquered) the physical domains of land, sea, air and space. Each and every such expansion has been mirrored by our need to defend, and ability to attack. In the story of our growth, conflict (in all its forms) scaled from tribal to global, from the sword to the atomic bomb; and humanity grew from being able to kill just a few- to being empowered with the ability to destroy the world.
Recent history has introduced a new domain into our existence- one that is almost conceptual rather than physical.Cyberspace is the emergent unblinking, silent and invisible domain of humanity’s existence created by the impossibly complex interaction of all our devices and networks. Cyberspace has no borders, no perimeters, and exists everywhere simultaneously. It is, as William Gibson described in his 1984 novel Neuromancer “A consensual hallucination experienced daily by billions of legitimate operators, in every nation…”
“In humanity’s relentless drive for convenience and economic growth…” writes Misha Glenny, “we have developed a dangerous level of dependency on networked systems in a very short space of time: in less than two decades, huge parts of the so-called ‘critical national infrastructure’ in most countries have come under the control of ever more complex computer systems. Computers guide large parts of our lives as they regulate our communications, our vehicles, our interaction with commerce and the state, our work, our leisure, our everything”. (Dark Market, 2011) And this theatre is large. Estimates by Cisco state that by the end of 2013, the number of mobile-connected devices (not including traditional computers, servers and other pieces of hardware) will exceed the number of people on Earth. By 2017, the world expects to have over 10 billion such devices, generating 130 exabytes of data per year (the equivalent of 33 billion DVDs, 4.3 quadrillion MP3 files, or 813 quadrillion text messages). Projecting forward, and given our species current plans are often a good proxy for our trajectory of the future, it is significant to note that we now have (available) over 100 unique internet addresses for each and every atom on our planet.
Cyberspace has had a profoundly positive impact on humanity, but has also “…been abused, as a playground for criminals… already [used] by some as a battle-space” (Clarke, Knake – Cyber War 2012). The illicit side of cyberspace is diverse and complex. We are not simply talking about war between nations, but about hackers, terrorist groups, fraudsters, corporations, individual acts of malice and more. The social cost of such activity is difficult to quantify (albeit we know that over 500 million consumers a year are affected by cybercrime), but conservative estimates of the economic cost (globally) from cyber-attacks range from US$300 billion to over US$1 trillion or, to use another analogy, the equivalent of losing an economy the size of Malaysia or Mexico from the global economy every year.
So what are the real risks posed to our world from cyberspace?
In these exclusive interviews we speak to Col. Artur Suzik (Director of the NATO Cooperative Cyber Defence Centre of Excellence, NATO CCD COE), Ambassador Gábor Iklódy (Director of Europe’s Crisis Management and Planning Directorate), Professor Sadie Creese (Professor of Cybersecurity at Oxford University and Director of the Global Centre for Cyber Security Capacity Building at the Oxford Martin School) and Professor Howard Schmidt (Partner at Ridge Schmidt Cyber and Former Cyber Advisor to Presidents Barack Obama and George W. Bush). We discuss the threats posed to nations, their economies and societies from the internet and networks that form cyberspace.
[bios]Colonel Artur Suzik began his military training as a signal officer in 1985. Following the reestablishment of Estonia’s independence in 1991 he joined the Estonian Defence Forces and served as a signal officer at infantry battalion, commander of the Signal Battalion, Chief of Planning Section of the CIS Department and Chief of J6 at the Headquarters of Estonian Defence Forces. His assignments also include C3 Representative at the Estonian Delegation to NATO. Throughout his career COL Suzik attended trainings at the US Army Command and General Staff College, USA and a Senior Course at the NATO Defence College in Rome, Italy.
COL Artur Suzik started his current appointment as Director of the NATO Cooperative Cyber Defence Centre of Excellence (NATO CCD COE), Tallinn, Estonia on 15th July 2012.
Mr. Iklody took up his duties as Director of Crisis Management and Planning Directorate (CMPD) of the European External Action Service in June 2014. Until September 2013, Mr. Iklody served as NATO Assistant Secretary General for Emerging Security Challenges. He set up and directed NATO’s newest policy Division with responsibility for cyber defence, counter-terrorism, WMD non-proliferation and energy security. He also oversaw the Alliance’s work in areas such as nuclear policy and strategic analysis and managed NATO’s largest civilian partnership budget. He joined the NATO International Staff after 27 years of national public service. Before taking up his post at NATO, he worked as Political Director and State Secretary in charge of multilateral and security issues in the Hungarian Foreign Ministry and helped prepare his country for its first EU Presidency in the first half of 2011. Prior to that, Mr. Iklody served two four-year terms in Scandinavia as Ambassador, first in Norway (1999-2003) and later in Sweden (2005-2009). In Budapest, he filled the position of Director General for European Political Cooperation at the time when Hungary joined the European Union in 2004 and headed the Foreign Ministry’s NATO and WEU Department when Hungary prepared for and joined the North Atlantic Alliance in 1999.
His assignments abroad also included working in Vienna at the Hungarian CSCE/OSCE Mission following the fall of the Berlin Wall. He was part of the team negotiating and implementing the CFE treaty.
Sadie Creese is the Director of Oxford’s Cyber Security Centre, Director of the Global Centre for Cyber Security Capacity Building at the Oxford Martin School, and a co-Director of the Institute for the Future of Computing at the Oxford Martin School. Her research experience spans time in academia, industry and government. She is engaged in a broad portfolio of cyber security research spanning situational awareness, visual analytics, risk propagation and communication, threat modelling and detection, network defence, dependability and resilience, and formal analysis. She has numerous research collaborations with other disciplines and has been leading inter-disciplinary research projects since 2003. Prior to joining Oxford in October 2011 Creese was a Professor and Director of e-Security at the University of Warwick’s International Digital Laboratory. Creese joined Warwick in 2007 from QinetiQ where she most recently served as Director of Strategic Programmes for QinetiQ’s Trusted Information Management Division.
Howard Schmidt serves as a partner in the strategic advisory firm, Ridge Schmidt Cyber, an executive services firm that helps leaders in business and government navigate the increasing demands of cybersecurity. He serves in this position with Tom Ridge, the first secretary of the Department of Homeland Security. He also serves as executive director of The Software Assurance Forum for Excellence in Code (SAFECode).
He served as Special Assistant to the President and the Cybersecurity Coordinator for the federal government. In this role Mr. Schmidt was responsible for coordinating interagency cybersecurity policy development and implementation and for coordinating engagement with federal, state, local, international, and private sector cybersecurity partners. Previously, Mr. Schmidt was the President and CEO of the Information Security Forum (ISF). Before ISF, he served as Vice President and Chief Information Security Officer and Chief Security Strategist for eBay Inc., and formerly operated as the Chief Security Officer for Microsoft Corp. He also served as Chief Security Strategist for the US-CERT Partners Program for the Department of Homeland Security.
Mr. Schmidt also brings to bear over 26 years of military service. Beginning active duty with the Air Force, he later joined the Arizona Air National Guard. With the AF he served in a number of military and civilian roles culminating as Supervisory Special Agent with the Office of Special Investigations (AFOSI). He finished his last 12 years as an Army Reserve Special Agent with Criminal Investigation Division’s (CID) Computer Crime Unit, all while serving over a decade as police officer with the Chandler Police Department.
Mr. Schmidt holds a bachelor’s degree in business administration (BSBA) and a master’s degree in organizational management (MAOM) from the University of Phoenix. He also holds an Honorary Doctorate degree in Humane Letters. Howard was an Adjunct Professor at GA Tech, GTISC, Professor of Research at Idaho State University and Adjunct Distinguished Fellow with Carnegie Mellon’s CyLab and a Distinguished Fellow of the Ponemon Privacy Institute.[/bios]
Q: What is cyberspace?
[Col. Artur Suzik] It’s very difficult to predict what cyberspace will be like in the future. Approximately 50 billion devices are expected to be connected to cyberspace by 2020. Rather, it’s more important to look at how cyber has affected how we live, and our way of life.
Rapid technological development continues, and cyber will soon be everywhere. This brings technological challenges and their impacts that are less predictable than the weather. We know there will be a lot of changes to our way of life, and we don’t know how these changes will appear.
You may know the movie, Back To The Future… I remember a quote from Doc before his time machine took flight, “Where we’re going, we don’t need roads!”. In cyberspace, the challenge is similar, we don’t know what kind of roads we’ll be on.
[Ambassador Gábor Iklódy] Cyberspace is immense. It’s essentially the network that connects practically innumerable smaller groups of computer networks. These networks transcend national borders and connect continents. They are even three dimensional where one considers satellites. We live our lives increasingly in cyberspace and are heavily dependent on the availability of services these networks provide; from our computers and mobile devices, to cash machines, traffic lights, flights we take and even our medical records.
There are a number of figures being floated around about the scale of cyberspace. The number of internet connected devices is estimated to be around 8 to 10 billion today. Today the number of people who are online is around 2 billion, and that number is increasing very rapidly – estimated to be around 5 billion in 20 years time. The growth is coming primarily from the developing world. In terms of data, it is estimated that we exchange over 800 exabytes each year (1 exabyte being a billion gigabytes). This figure is growing exponentially. Some estimates say around 70% of all information we exchange is done via the internet. The question in my mind is not why that 70% is so high, but what of the remaining 30%?
Our heavy reliance also comes with a heavy vulnerability. When the internet was created, it was not done with security in mind. It did not matter at all, but it matters a lot today. As many say; the internet and cyberspace is a great place to promote freedom and knowledge, but it’s a great place to do crime too (stealing money, espionage or even causing disruption).
[Prof. Sadie Creese] In its current form, cyberspace is the direct result of the level of complex interconnectivity and interactions that occur in the digital parts of our lives. In a sense, it’s the digital environment in which we live. Most, if not all of us- manage our lives in the physical and digital environments in an almost seamless fashion on a daily basis.
If you were to ask me what cyberspace was? I may characterise it by the kinds of organisations and people that are engaged- governments and multinationals down to domestic users, grandparents, kids…. or even the kinds of technologies that populate the space and enable us to engage with it, and give rise to it. This is everything from the Internet backbones that enable global connectivity to the mobile devices, wearable computers, TV’s, cars, process control systems under our critical national infrastructure and more. I may even assess it through the lens of data and information; looking at the vast quantities of data being created, which give rise to the information and services we engage with.
The real answer is that cyberspace is just like a natural environment, albeit a digital environment. Anything you will have experienced happening in the physical space over the last ‘n’ thousand years of human societal development can (and will) happen in cyberspace too.
[Prof. Howard Schmidt] Many people think of cyberspace as being ‘the internet‘ as we know it. Cyberspace is, in fact, much broader. It’s our televisions, our mobiles and any other device that uses IP technology. Cyberspace encompasses virtually everything we do now. It’s connected to power stations, financial systems and more.
The vast majority of the time it works well under the face of tremendous threats. The problem is that the threats we’ve been seeing are not only financial in nature, but have more significant ramifications as- increasingly- our critical infrastructure is part of cyberspace.
Q: How serious is the threat posed by cyberspace?
[Col. Artur Suzik] There’s a real and serious threat to society.
Cyber attacks with various motivations; political, financial or otherwise happen each day now, and will continue in the future. This is why many countries consider cybersecurity as a national priority issue.
It has become very cheap to launch a cyber attack, from a nation state, company or individual perspective. During our recent CyCon conference, a presenter from Microsoft mentioned that there are 17 nations who now publically declare having a cyber offensive capability. It’s not just about individuals and criminals, but also nation states that have to examine cyber threats.
When we speak about cyber space, look at a coin. On one side is cyber-defence, and on the other is cyber-offense including criminals, terrorists and so on. You cannot separate them from each other.
[Ambassador Gábor Iklódy] It’s not cyberspace that is the threat, but people manipulating or abusing it. The threat is imminent, real and very serious.
The focus today is mainly on cyber-crime and espionage against banks, industry and government networks. In terms of economic loss, the most often used figures are really frightening; around US$1 trillion per year. In terms of security threats, US intelligence assessments put cyber threats at the top of the list. The threat is indeed very, very serious.
We are talking about what we see and know about it. That is the realm of the known-knowns.
There are similarly big or maybe even larger realms of the known-unknowns, or the unknown-unknowns. These are things we don’t see, or find out after many years (such as codes implanted in systems that are only discovered after many years).
Writing malicious code is considered a low-cost and high impact weapon. Fortunately we have not seen terrorist use of cyber-means yet, but that’s really the ultimate nightmare… when the capacity to do harm comes together with the intent to do harm.
[Prof. Sadie Creese] The threat is serious and real.
People are experiencing significant losses through their engagement with cyberspace. This could be large scale hack attacks, large corporations having their intellectual property stolen, organisations (large or small) being held to ransom by people getting onto their systems and putting assets out of reach until the perpetrators are paid, or even the man on the street having their identity credentials stolen and reused. It could even be people buying fake goods, and being susceptible to traditional crimes that are engaged using cyberspace.
One of the reasons why I think this threat is serious and real is not just because people are attacked, but the nature of cyberspace that makes these attacks complex. The benefits that we get from our ability to process big-data and the advanced intelligence, scaling and efficiencies that provides also enable people who wish to do us wrong. As an enabler of crime, cyberspace allows you to scale, de-skill and commit crimes in parts of the world- and using methods- that make it very hard to police and gather evidence.
There are definite upsides from cyberspace, but those same upsides enable criminals and the like. This problem is compounded by the fact that the risks are very unintuitive for most human beings. We’re good at dealing with perceptions of risk and response in the physical space. We have reflexes that enable us to flee when we’re scared, and make judgements about when we’re being lied to or threatened. We have not evolved those human responses for cyberspace; we’re simply not tooled up.
[Prof. Howard Schmidt] We need to look at the evolution of cyberspace to begin with.
First there were just a few of us online; researchers, academics and so on. This expanded into a few commercial things… pretty static web pages… and look where we are now.
The threat is increasing exponentially because more people are involved in criminal activity, espionage and intellectual property theft are learning that for little investment- they can get good financial rewards online. The system was never designed to deal with high-threat environments.
As people learn more about vulnerabilities and how to exploit them, they share that information with each other [in many cases] better than we do in the private sector and government. It’s a constant cat and mouse game to get ahead of where the bad-guys are… fixing the things built in the past and building well for the future.
All the threats in cyberspace tend to get lumped into one big group by policymakers. In reality, you can break it down into computer crime, financial fraud, identity theft, credit card fraud and more. Many of these are not new. The difference now is that it’s done on an international scale using technology.
At the other end of the spectrum, you see spy vs. spy. Nation states have been conducting espionage operations on each other forever. They are not going to stop, and technology makes it a little easier and less risky.
You also see the theft of intellectual property. In this space you see nation states, corporates and others who steal and exploit intellectual property for extortion, sabotage o even financial gain.
Different actors are doing different things, creating the diverse threat environment we see today.
Q: What are the unique characteristics and challenges of the cyberspace theatre?
[Col. Artur Suzik] In the military context, there is always a strategic and operational goal to be achieved. Actions in cyberspace are always connected with overall operational and mission plans. Cyber increases the scope of possible means and ways by which states can achieve their goals. That’s why operational aspects using cyber could be far greater than conventional forces.
If an action is taken by someone for economic, ideological or political reasons, from a military perspective it becomes real and can often be connected with strategic means and actions.
[Ambassador Gábor Iklódy] There are specificities coming with cyberspace. There are no borders, no space, no time. It is invisible. These are key attributes of cyberspace. In particular, the speed element is critical. If we want to do our business properly, we need to focus a lot more on prevention, as there will be cyber attacks in the future. This requires co-operation, intelligence sharing, technology and many other things. Resilience is also critical.
We know there will be cyber attacks in the future, and we must harden our infrastructure so that when the blow comes, we can receive the blow and reconstitute our networks as quickly as possible. The third area is response. If we are subject to a serious campaign of attacks, we want to make sure that the attacks can be stopped. One challenge that comes with this is that our good-old crisis management and decision-making procedures do not work in cyberspace.
There’s simply no time. There is no time to convene meetings to discuss things and come to conclusions. As the time element is no longer there, in certain cases we have to think of practically automated responses. That raises a whole range of practical, legal and other questions.
[Prof. Howard Schmidt] It used to be only governments or enterprise which had the ability to protect themselves. The common denominator is now the individual and end-user.
Each one of us is a part of cyberspace in many ways. I look around my house and I find television sets, mobile devices, blu-ray players and more- all connected to the internet.
Individuals are often the gateway now to bigger things happening – and not often good things.
Q: How do governments view cyberspace?
[Prof. Howard Schmidt] This varies and depends where nations are. Estonia has one of the best perspectives, and have learned rather quickly what cyberspace means to them in the government and private sector. I’ve seen other nations where policy makers really don’t understand the technology, business and security implications. I’ve seen some cases where governments get the smallest bit of information about some threat that’s out there- and immediately they feel like they have to create a law or do something!
The role of government, policy-makers and the private sector need to be better defined. The private sector has done a great job in responding to cyber threats. Non-profits like SafeCode have brought companies together like Microsoft, Computer Associates, Siemens, Adobe and Intel to invest in each-other realising that by collaborating they will write better, and more secure code- with fewer vulnerabilities and less opportunities to be exploited.
Q: What are the threats posed to businesses and individuals from cyberspace?
[Prof. Sadie Creese] We’re very concerned about the threat of the ‘insider‘. The reason we’re concerned is because if you have someone attacking you from the inside of your organisation, they will have access to all-sorts of things!
For many years in the security profession, we have focussed on perimeter defence. That’s a very natural thing! If you think of the middle ages, we built very large walls around towns and cities. We put layers, moats and other physical methods of preventing access. In the modern day we have border control mechanisms and the such-like. It’s very human to think of that approach in cyberspace, but unfortunately we know that people are attacking us from inside our systems- and the perimeter cannot do anything about that.
Insiders in business and enterprises don’t just have access to a lot more than outsiders, and more easily- but such actions are very under-reported. It’s acceptable nowadays to admit that people are knocking on your door and trying to hack in… that’s common. If you were to come out and say you were attacked by your own staff? it may look like you’re a little out of control of your own organisation- so we suspect these things are heavily underreported.
Insider attacks can also have serious ramifications. We think this is a growing attack sector, and while the various security profession and vendor reports that you see show this as a small proportion of overall attacks? it’s a highly growing segment… Some even think it doubled in the last year.
When you move to things like cloud computing environments, such attacks may even get worse. If you’re co-habiting in a cloud and gain access to it? you could potentially access all of the organisations that use it, without having to hack each one. If you look at the very sophisticated attacks that have made the news in the past few years, they usually have a number of different steps involved- and have some kind of insider activity associated with them.
We as citizens of cyberspace and the nations to which we belong have many things to be concerned about, albeit there structures to support us. The banks have insurance mechanisms around online banking for example…
For a lot of people the risks that they face on a daily basis, and feel the impact of- are less to do with identity theft- and more to do with giving away too much information, and wishing they hadn’t posted X on a site, or said Y. There’s a whole complexity around what constitutes personal data… what constitutes privacy in cyberspace… and the persistence of those concepts. Pre-cyberspace, you were (as a human being) able to grow and re-invent yourself.
There’s something about the persistence of data in cyberspace that means that people are held accountable to their histories in a way that humanity hasn’t had to deal with before. There are many instances of course where you want such accountability, such as were people are doing awful things… but in general, for the vast majority of people in cyberspace, this is not the case. I suspect that some of the biggest issues we will see emerging in cyber-security will be in this space. For business and enterprise, there is also the issue of the bleed between domestic and work-lives that are achieved through social environments- these are also causes for concern.
Q: What are the threats posed to nations from cyberspace?
[Prof. Sadie Creese] We have to be focussed on critical and national infrastructure. These are the infrastructures that keep the food on our tables, keep planes in the air, keep us going to work, keep our hospitals running, keep our houses warm, keep electricity running and money in the banks. These are parts of the critical infrastructures without which life would grind to a halt potentially pretty quickly. They are also all critically dependent on cyberspace to greater or lesser degrees. Unfortunately, the complexities of these relationships and the organisations themselves mean that there is little understanding of how they use cyberspace and digital assets.
As citizens, we need to have an eye on our own roles in protecting those infrastructures. If I am a staff-member at one of those corporations, I have to understand how I fit into the picture of keeping those organisations running.
Q: How is technological advance contributing to risks from cyber space?
[Col. Artur Suzik] The more technologically advanced we are, the more vulnerable we become; because of our dependency on the digital way of life.
Many devices which will be connected to the internet of things are very inexpensive; and they are often not as secure as they should be. Being advanced also opens out a number of threats.
Not having full control of your data, identity theft and so forth; all these things are threats to digitally advanced nations. In Estonia for example, in 2007 we had severe cyber attacks. We use a lot of digital services here, people like and enjoy using e-services, but at the same time the nation depends on these services which makes us vulnerable.
Q: Are there any specific characteristics of cyber-threats that are unique to NATO?
[Ambassador Gábor Iklódy] NATO primarily concentrates on the protection of the networks it owns and operates. That is our primary headache, and the emphasis is very much on early detection. We have an operational capability called the NATO Computer Incident Response Capability (NCIRC). This is a team of experts, assisted by technology, who try to manage all NATO networks under centralised protections. They try to be aware of all malicious activities, and ideally are able to detect malicious activity before they target NATO networks. That’s one key element. The other is that we are a defence alliance. Our strategic concept adopted in November 2010 states that if the impact of an attack reaches a certain threshold, it becomes a common concern and may require concerted response.
Q: Who are the key stakeholders in cyber security?
[Ambassador Gábor Iklódy] It is in this sense that we realise that defence is no longer the realm of government and military. Dealing with cyber-attacks, and cyberspace related challenges requires a collaborative approach where state and non-state actors, military and civilian, the defence establishment and homeland security, the private sector and academia should all be part of the effort. They all have things to bring to the table.
If we look at industry; we know that industry owns and operates 85-90% of all the networks. Technology comes from them, and they are the first line of defence. They are shaping the technological environment of the future. If governments want to know what kind of decisions to take now in order to be more prepared for the future, they need to work closely with industry.
Citizens are also important! Who owns the Internet? …. often individuals are building it! Governments should not think for a moment that cyberspace belongs to them, it doesn’t. Governments cannot lean back, no one can go it alone, none of them are powerful enough to do that.
Q: Can nations prepare for cyber attacks?
[Col. Artur Suzik] There are various ways in which nations can prepare themselves against cyber attacks. Education and training for example. Here at CCD COE we do a lot of training for NATO countries, and conduct real-time cyber defence exercises. Nations need to have education, have crisis management plans, run exercises and have to build a network of contacts, fostering cooperation with international and national partners.
Cyber security is not just government business, we have to discuss it with the private sector; who often own and manage the large proportion of cyber critical information infrastructure; whether it’s traffic control system air traffic control, power grids and more. Individuals must also be brought into the discussion, they can play their own individual role in making cyberspace safer and more secure, and taking basic precautions.
Another important stakeholder is the universities. They can take a long-term perspective and research and be relatively independent from commercial bias.
Law enforcement agencies and the military must also be in the conversation, they need to fight cyber crime, and the military need to own some degree of monopoly on a nation’s offensive cyber capability.
Q: Are existing national and international legal frameworks sufficient for cyberspace?
[Col. Artur Suzik] The question of whether existing international laws apply in cyberspace has been asked for many years. Only recently, the majority of the international law community has strongly leaned towards the view that existing international laws are sufficient. Back in 2013, our Centre published the Tallinn Manual– this was the product of independent expert input, and did not represent nation state interests, and became one of the most important reference texts on the international law applicable to cyber warfare.
Recently in June 2015, the U.S. Department of Defence published their Laws of War Manual, similarly stating that existing law of war generally applies to cyber operations; this is a view shared by many other countries.
[Ambassador Gábor Iklódy] I’m convinced that as a first step, we should agree that all norms that apply off-line should be applicable and apply on-line too. People may argue that some laws and rules are not applicable. We have to assess these one-by-one, understand which instruments are incompatible with the cyber-environment, and decide how to deal with those instruments individually.
Confidence building is critical. Whatever happens in cyberspace, whether within countries or internationally, is about trust. We will use the Internet and cyberspace more extensively, and to the benefit of everybody, if there is real trust. If trust is challenged, our appetite and ability to use cyberspace will be weakened. If there is mistrust – as we see today between countries, we should start with the low hanging fruits of confidence building. This could start with de-escalation measures. We can learn a lot from arms control, be it nuclear or conventional. We have to build that initial confidence, before we make further steps.
We do not have to start from scratch and re-invent the wheel. As a minimum, we should agree that what applies off-line, applies on-line also.
[Prof. Sadie Creese] Given that cyberspace is international, it begs the question of whether we need international co-operation and actions to police it properly. The answer is- of course- yes.
We need to understand what we might determine as being allowed and not allowed, and how the power balances are achieved. The latter part of this is more complex, and different based on where you are in the world. Cultures are different and we all have different expectations about how we live our lives, what privacy may mean to us and so on.
The question for the international community, as in any other context in life, is to what extent they need to govern in a joined up manner- and to what extent they need to respect each other’s differences. How can they ensure a safe and secure cyberspace while also respecting the sovereignty of nations and cultures?
It’s how to imagine how you would keep watch on the attribution of weapons in a cyber sense in the same manner you would nuclear- for example. Many sophisticated attacks conceptually require very low cost of entry- a computer attached to a network. In truth, many have teams, infrastructure and resource- but it’s still exceptionally low cost. That’s a real challenge.
Q: Is it possible to balance security with the need for freedom and privacy?
[Col. Artur Suzik] Each nation has it’s own needs as they relate to cyber security. The key is to make sure that the public is consulted. Different nations will have different levels of security the public are comfortable with, and hence the process needs to be a democratic decision.
There are many ways to improve security without restricting freedom and privacy , education and training for example. We must also build security into the design of IT products and services, making it seamless.
The balance between security, freedom and privacy is not a fixed point.
[Ambassador Gábor Iklódy] We are still in search of finding the right balance between freedom and security. This has always been the big question in cyberspace.
Even though the concepts of freedom and security sometimes seem contradictory, I think they can be reconciled. We have to find the right balance, but what that balance is- we just don’t know. It’s easy to say that on the one hand privacy should be protected, but law enforcement should be given the freedom they need to catch online criminals (who very often leave electronic footprints of their crimes), but it’s easier said than done.
After 9/11, finding the balance between freedom and security became a real challenge. Are we all happy to undergo additional security checks at airports? Are we happy about cameras everywhere on buses and in public places? The general reaction is “No! But we want to be more secure!“.
We are so heavily dependent on the use of cyberspace. This will only increase in the future, affecting every detail of our lives. The real goal is to ensure that we can all use cyberspace as a trusted and secure domain. That is the objective.
[Prof. Sadie Creese] I believe we have matured processes of hundreds and thousands of years relating to governance in society. All societies are different but in each country we have mechanisms by which we hold our governments to account, and the longer arms of governments (police forces, intelligence services and the like).
In the context of incidents like the PRISM programme which recently blew up… we have to ask ourselves key questions. Have we really seen something that was breaking the law? or are these examples of how these ‘longer arms of the government’ are able to do their jobs more effectively?
Being pragmatic, I do not think that the maturity of cyberspace means that we give-up on the checks, balances and government controls we have in society. I do think we have to reflect on the effectiveness of those, and how they are enabled in cyberspace. People may feel there is too much power-shift towards the governance mechanism and away from the citizen- that may in fact be the question that is being raised.
What is the right power balance? What are the right checks and balances? Cyberspace is a positive enabler, but allows things to happen at scale and very quickly- and so naturally it may be perceived that putting back-in checks and balances and re-enforcing them, could slow things down in a detrimental sense.
There’s something about cyberspace and how it enables the scale and speed of data collection and processing that means we may need to reflect on these questions. These factors may also be a huge positive in enabling our society to fight crime more effectively.
[Prof. Howard Schmidt] Without security you have no privacy.
We often view security as a means to accomplish the goal of better privacy- data protection for example. Without good security controls, our ecosystem will not have the tools necessary to protect the ownership of our data. Security and privacy are not at odds with each other.
The argument against this occurs when you start to look at law enforcement and intelligence operations. In the United States, we fought against the use of encryption. It was considered ‘munitions’, and we dealt with it under export law. The bottom line was that many of us said that we need better encryption to create better security- others said that if you have better encryption, bad-guys will use it and it will restrict our ability to see what they’re doing- whether terrorism, cyber crime or otherwise. The lesson here was that encryption itself was not bad… it helped security… we have to focus on these sorts of views.
Q: Can cyber security empower economies?
[Prof. Howard Schmidt] I travel around the world and people still say, “yeah, it’s great that you can buy all this stuff online- but I don’t trust the company, so I’m not going to do it…” This creates an economic impact! If people have better trust in the internet personally and commercially, it would no-doubt foster economic growth.
When you look at some of the security intrusions that have taken place, you can see why companies that are looking to expand may be less inclined to do so. They may feel they can’t trust their return on investment. They may feel they could save money or compete online, but feel put-off by security needs which can cause a lot of money.
Q: Will the generation after ours have a different attitude to cyber security?
[Prof. Howard Schmidt] I think there will be a harmonisation in the future, we see a wave of this already.
For those of us that have been using social media since the very beginning and have a security background, we really appreciate the ability these technologies bring- but see the potential privacy and other problems that could emerge.
Others who saw this as a great, fun and a cool communications tool are backing away somewhat and are thinking, “Hey, should I be putting all this information online?“. They may have become a victim, know someone who has, or have reached a point where they want to do things differently- being more secure.
Q: Are existing and emerging technological paradigms designed to be secure?
[Prof. Sadie Creese] Whether you’re referring to clouds, ‘app store‘ business models and so forth- you will find they are not designed to be secure. They have arisen for other reasons.
Back when I was a student, security cultural awareness campaigns advised you not to open a ‘.exe’ file– that’s how viruses got around. They also told you not to open attachments in case they downloaded something horrible. The equivalent now would be to not download apps! Apps are designed by someone you don’t know… you have no reason to believe it isn’t malicious…. it conflicts with the entire business model of smart-phones and apps. That’s just one example of how our old security approaches do not scale up to mature cyberspace.
The new technology paradigms we face are- by definition- not secure. They will stretch our understanding of security, and our job as security professionals is to keep pace with technology and to match those paradigms.
We’re seeing a massive shift that rubbishes perimeter based security mechanisms. In an environment of trillions of devices, sensors and so on- we have to change our understanding of security. In cyberspace, we have to protect positive experiences, well being and prosperity. It’s not about just understanding confidentiality and integrity, but understanding what people want from cyberspace and protecting that. These are exciting times and I suspect they always will be as we continue to consume new technology innovations in a very enthusiastic manner.
Q: What are the key threats you perceive in cyber space that could affect us over the next 5 years?
[Prof. Howard Schmidt] There are three major areas we need to focus on over the next 5 years.
Firstly- we need to look at identity management. This runs the gamut from people wanting to remain anonymous and avoid tracking, to secure identities that could enable financial transactions online. There are technologies out there, but we still live in the world of user-id’s and passwords. If you look at the vast majority of successful intrusions into systems over the past 20 years, they involve people sending attachments through unsigned or uncertified emails that they click on- installing malware– which eventually takes over systems. A lot of this occurs because we don’t have a good ecosystem for managing identities- we rely on usernames and passwords!
Secondly- our vulnerabilities. 80-85% of all successful intrusions could have been prevented by engaging in good ‘cyber hygiene’ practices. Keeping your software up-to-date, keeping your anti-virus and anti-malware software up-to-date… People will get anti-virus apps, and after the 90day trial expires, they don’t renew- and that means the software is no good! We need to do a better job of not just managing vulnerabilities, but identifying them as well.
Thirdly- we need to reduce the number of vulnerabilities we have…. better software development and better testing (using techniques such as ‘fuzzing‘). Mobile software is enjoying a honeymoon period. Only a few instances have been seen where mobile devices are subject to malware. As we continue to become more mobile, we have to do a better job of writing software that has less vulnerabilities, and doing better testing on that software before it gets out into the end-user world.
Q: What would be the impact to the world of total cyber-security?
[Col. Artur Suzik] A secure cyber environment would have very positive economic consequences. We would see more investment, lower risks in digital transactions, less money being lost, less IP being stolen and so on.
A more secure cyber space will accelerate the development of technology and society. At the same time a more secure cyberspace would enable more utilisation of cyber means for diplomatic, economic and political purposes.
There will always be ways to breach a system, and at any given moment the real battle is making sure that the community is one step ahead of hackers and actors.
There is no such thing as a 100% secure system, but investing in cyber security can protect our way of life now, and in the future.
[Ambassador Gábor Iklódy] We are using cyberspace extensively. If the trust element can be handled more convincingly, the speed at which this expansion continues will be even faster. In my mind, whatever happens – even if the trust element cannot be secured easily – we will continue to use cyberspace and the internet more extensively anyway.
Only if there is a major incident or a major crisis, will we see a rupture in this trend. For instance, ecommerce characterises a huge amount of our overall transactions. But if all of a sudden we found out that our money could be stolen through our use of ecommerce, there may be a lot of people going back to banknotes and cards – for a while.
But the bottom line is: technological development and our use of cyberspace cannot be stopped or reversed.
[Prof. Sadie Creese] I suspect we wouldn’t really know if we achieved the hypothetical aims of complete trust, safety and security… people’s views on what these are differ greatly.
Cyberspace is clearly a force for good. It underpins all the developing world economies, and provides them with the opportunity to become more prosperous and raise the quality of life of citizens. Ensuring people feel cyberspace is a place where they can do business and live their lives has to be a good thing. It could even mean that people are more willing to share richer data and information which could increase the quality of the algorithms and data produced, enhancing services available, science and so on.
Equally, you have to guard against complacency. If you create a world where everyone believes they had a safe and secure cyberspace, but in truth people were conducted malicious activities- you could very well switch off your defences.
The truth is that there will always be people engaged in cyberspace, and it’s difficult to imagine we will see a world without that small proportion of people who want to break the rules and harm others.
There is no such thing as complete security. You couldn’t even decide it! Even if you have a bunch of metrics, you will never find a metric that determines in a binary sense that “yes, you are now secure, or no you’re not…” It’s about balance, risk-management and understanding whether you are secure enough to do what you need to do.
[Prof. Howard Schmidt] The internet will continue to open up human communication at all levels at all levels, with people we know (such as friends and family) and people who we don’t- and who we must be sure of before entering into communications, transactions and so forth.
This is not just about business, but about how we live life. In the past ten years, smart-phones have gone from something that very few people had to now where the loss of a smart-phone is distressing and disruptive! We’re only 20 years since the inception of the internet as we know it. It’s still in its infancy, and will continue to change society as we move forward.
————————————————–
We (as humans) often have conceptual difficulty in recognising our one-ness with the technology. Technology is not a phenomenon like the weather (which occurs independently from us). Technology is instead, a manifestation of humanity itself. It is conceived in our minds, and shapes not just how our society works, but our very understanding of what society is.
“[The word] ‘Society’ isn’t limited to traditional societies….” Writes Bruce Schneier “but is any group of people with a loose common interest. It applies to societies of circumstance, like a neighbourhood, a country, everyone on a particular bus, or an ethnicity or social class. It applies to societies of choice, like a group of friends, any membership organisation, or a professional society. It applies to societies that are some of each: a religion, a criminal gang, or all employees of a corporation. It applies to societies of all sizes, from a family to the entire planet. All of humanity is a society, and everyone is a member of multiple societies. Some are based on birth, and some are freely chosen. Some we can join, and to some we must be invited. Some may be good, some may be bad – terrorist organisations, criminal gangs, a political party you don’t agree with- and most are somewhere in between…” Schneier adds that, “…most societies are made up of people, but sometimes they’re made up of groups of people. All the countries on the planet are a society. All corporations in a particular industry are a society…” (Liars and outliers, 2012)
Group-interests and norms will determine the behaviours, goals and future of any of these modes of society and ultimately, while every person within a society may have one or more competing interests that conflict with the group; societal pressures (in the shape of self-imposed rules, norms and interests) ensure that in the main, society remains cohesive. These factors cannot (in themselves) tell the difference between ‘good’ and ‘bad’. Depending on the lens through which you observe, “those rules could be good, like a respect for human rights or a system for enforcing contracts. Those rules could be bad, like slavery, totalitarianism, persecution, or ritual murder… Or those rules could be perceived as good by some societies and bad by others: arranged marriages; heavy taxation; and prohibitions against drinking, dancing, pot smoking, or sharing music files….”
Technological growth has scaled society faster than our rules, norms and interests have been able to adapt to and we have shifted from an environment of “trust and trustworthiness based on personal relationships…” to what Schneier describes as “impersonal trust- predictability and compliance”.
Every society however, has defectors. These are individuals (or groups) who act in opposition to whatever the norms of society are. They may be the ones who speak out in a society that encourages silence, or they may be the ones that commit crimes in a society that has declared such activity to be wrong.
“Society needs defectors…” Schneier continues, “Groups benefit from the fact that some members do not follow the group norms. These are the outliers: the people who resist popular opinion for moral or other reasons. These are the people who invent new business models by copying and distributing music, movies, and books on the Internet. These are people like Copernicus and Galileo, who challenged official Church dogma on astronomy. These are people who- to take a recent example- disrupt energy auctions to protest government responsibility for climate change. Defection represents an engine for innovation, an immunological challenge to ensure the health of the majority, a defence against the risk of monoculture, a reservoir of diversity, and a catalyst for social change. It’s through defection from bad or merely out-dated social norms that our society improves.”
For (potentially) the first time, humanity is confronted with existence in a seemingly existential domain that it cannot truly conceive. We can see the land, the sky and the ocean- but cyberspace exists in the ether. From this pseudo-reality however- and whether we look at individual experience, entire cultures, corporations, nations and more- cyberspace has amplified society. It has empowered the good and provided cultural, economic, social and political opportunity for billions- changing history in the process. It has also amplified the bad, meaning that those who wish to do harm, can do so faster, wider and with less resource than ever before. Hundreds of thousands of cyber-attacks (at individuals, governments and corporations) occur each and every day, and there is little sign of this trend abating.
In truth, the threat to society from cyberspace is more ideological. It is a battle is between freedom and security- more specifically- how much freedom society will need to trade in order to remain secure at any given time. As we move forward we will see occasions where the ‘bad’ win (unleashing viruses, compromising systems and more) and also many more where the ‘good’ triumph (developing technologies, movements and ideas that keep society secure while giving freedom and liberty). Thinking that this battle will one day be over is naïve, as history teaches us that certain aspects of human character cannot change… but what history also teaches us is that the more people are given a voice, the more likely we are to get the balance right.
Cyberspace has given humanity a profound opportunity for reinvention. It is the platform from which we are all able to speak, and the base from which we will embark- together- on our greatest journeys. This may seem an excessive hyperbole, but it will be our attitude to cyberspace that determines the outcome. As Anais Nin wrote “A war regarded as inevitable or even probable, and therefore much prepared for, has a very good chance of eventually being fought“.
Instead we must adopt a new mode of thinking, and a new-found embrace for the unknown on the horizon. It was on this very topic that William Osler observed (in the late 19th century) that “…the search for static security – in the law and elsewhere – is misguided. The fact is security can only be achieved through constant change, adapting old ideas that have outlived their usefulness to current facts.”
“Uncertainty is the only certainty there is…” mused John Allen Paulos, “and knowing how to live with insecurity is the only security.”