Posts Tagged ‘cyber risk’
Full hearing: US Senate on Cyber War Readiness
Highlights from the US Senate panel on cybersecurity, 23 February 2010.
Mary Ann Davidson, CSO (Oracle). Required reading! Ms. Davidson masters the subject in bright prose. This is an excellent indictment of the rush to deploy smart grid technologies before we’ve had time to harden them against the types of attacks that routinely take computers offline. Thought experiment: what level of unplanned downtime would you be comfortable with for your house’s electrical power? Water? Energy? Would you try to save 10% on your electric bill for a system that you couldn’t be sure would work more than 99.9% of the time? (99.9% availability still allows almost nine hours of outage a year.)
Even better, Ms. Davidson points out a crucial flaw in education. Computer science is applied mathematics, and few departments teach young programmers how to write secure software. If university departments don’t teach secure programming, we will need professional certifications to substitute, as with medical residencies, CFA exams for financial analysts, and professional societies for engineers and architects.
Vice Admiral Mike McConnell (Booz Allen Hamilton). Sound bite: “If there were a cyber war today, the United States would lose.” Some excellent recommendations for training a new class of software engineers, security professionals, and managers. Don’t be distracted by the salacious and unwarranted assertion at the outset. The rest of the testimony is good, and nobody is better informed than the Admiral.
Dr. James A. Lewis (CSIS). A couple of interesting metaphors. He compares cyberspace to a condominium and to a shopping mall, meaning that the space is all privately owned, and that neighbors have a compelling interest in one another’s behavior. Therefore all should be willing to submit to greater regulation. I’m inclined to agree with Borg’s statement (below) that government regulations are unlikely to keep pace with the rate of innovation. Rather than ask the government to certify that buildings are safe, wouldn’t we be better off with private certification of a standard of risk, as we currently do with automobiles, houses, and financial management? Computers and especially software are endlessly complicated, and don’t lend themselves well to the same type of governance as broadcast media and airplane safety.
Lewis also makes a crucial overstatement when he says that there are no rules on the Internet, or that the Internet is a wild west. Actually, many national and state authorities have control over Internet commerce, fraud, and even transborder crimes. At a more fundamental level, Lewis’ lawless vision of the Internet is at odds with the governance that exists at every layer of the Internet, from the development of hardware standards and Internet protocols, to the assignment of names and numbers, to the software that runs servers and home desktops. Re-read Lessig, and see if you can imagine the Internet truly without rules.
Scott Borg (US-CCU). Focuses on 3 central problems: (1) the conflict is already here; (2) cyber conflict threatens future American prosperity; (3) fixing markets is the key to improving cyber security. I agree with Borg, but then I’m biased.
Rear Admiral James Arden Barnett, Jr., Ret. (FCC). An interesting point of view. I don’t have any problem with DHS assisting the country with situational awareness, but the philosophy of defense is extremely centralized. The greatest specific policy errors of homeland security in the last ten years have been efforts to provide one-size-fits-all information and requirements from a central national office: the national threat level scale, vastly increased expenditures on passenger screening at airports, and advice on creating a safe room for chemical gas attacks inside your home. There are too many computers, and too many businesses to expect that federal marshals can secure their IT infrastructure for them. Effective homeland defense will require businesses and individuals to have cheap, effective, and secure choices to accomplish the things they already know how to do: run their businesses and their households.
How much data theft is a lot?
One question I find myself answering frequently is “How much data is stolen?” Put differently, friends and colleagues want to know how much data theft qualifies as a lot, or too much. Often people believe that they would already be aware of the problem if it were truly widespread. Thanks to legislation forcing companies to disclose losses to customers, it is now possible to track data breaches that affect consumers.
Privacy Rights Clearinghouse publishes a list of data breaches.
The related question is more difficult to answer: “What does it cost the victims?” The answer to that question depends greatly on the type of measures you use. Do you only count the actual dollars lost to fraud, such as credit card and ATM fraud? Does it matter whether the bank or the customer bears the losses? Can we measure the impact of corporate espionage on business? What value should we assign to personal reputations and corporate brands? Many companies are out there providing expert analysis on exactly this subject, but there is no single, best, universal metric to determine the value of a cyber attack.
Spy uses subcontractors for access
Supply chain penetration is a vulnerability that has been in the news a lot recently. Corporations and governments know that IT systems hold the keys to the kingdom, but so far they have not been able to batten down the hatches of the supply chain. Corporations don’t want information about these types of problems to become public, so the cases that do surface are the exception rather than the rule, and we should not treat them as anomalies. These are just a few incidents that have made it into the press recently.
Iranian espionage case posted on ZDNet.
Following Pakistan’s recently introduced “Prevention of Electronic Crimes Ordinance 2008,” according to which potential cyberterrorists would face the death penalty, a neighboring country, Iran, has recently executed an IT expert who confessed to being an Israeli spy for at least three years. After being recruited by Mossad during a business trip, Ali Ashtari, a trusted supplier of electronic and military equipment for the Iranian government, was allowing Israeli intelligence agents to backdoor the equipment he would later on install in Iranian military and government centers.
