I’m excited to announce that my artwork will now be available for viewing and purchase at Market Gallery in Prahran! Make sure you come down and have a look if you live in the Melbourne area!
Cybersecurity is an interesting beast. It is a relatively young discipline, which tends to get caught between its two older and more mature siblings, Security and Engineering. Cyber professionals tend to fall in one camp or the other when it comes to engineering security into the design of a system. Either they’re too preoccupied with standards, compliance, and over-engineered technical solutions, or they fall into the other camp, where they’re too focused on external factors, such as threat intelligence or the latest known exploits.
The issue with the technical mindset is that, unlike with safety engineering, security engineering can’t assume that people behave the way they’re expected to. So, even if the system is technically engineered to perfection, the whole thing falls down as soon as you add people to the mix. Blindly implementing best-practice controls, achieving accreditation, and having all the latest gadgets will not necessarily achieve the desired risk levels.
The security intelligence mindset brings about a different issue. The modern threat landscape is in a state of perpetual disruption – we have no idea what threats are going to look like in the next year, let alone over the life of a system. Threat models and threat intelligence are great, but at the end of the day they don’t actually give any useful information when it comes to designing a system security architecture.
The key is to find a balance between these two mindsets and achieve security that is both technology-agnostic and threat-agnostic. This can be done by focusing on the system’s inherent vulnerabilities and, taking an impact-focused approach, building in mitigations to lower the risk exposure to the desired level. Naturally, risk exists wherever humans are involved and fail-secure solutions need to be considered. Technology should never be included in a design simply to meet compliance expectations as this will only make the final solution more complex than it needs to be, which in turn raises the risk profile. Additionally, threat assessments should not be used as a key input into the design as threats and attack methods evolve far too quickly to be reliable – these tools are much more useful for operational security.
Drawing up a system scope and taking an inward vulnerability focus is the only way to secure a system by design. This ensures the most critical security consequences of system failure are covered, regardless of what happens outside the system boundary.
Most people’s introduction to cybersecurity begins with a dramatic video displaying a balaclava-clad criminal hacking their way into a business and wreaking havoc from a dark room with no windows. Unfortunately, this image tends to create a fear-driven mindset that promotes counter-productive behaviours.
Whilst it’s completely true that threats from cyberspace pose significant risks to business operations, combatting threats is not the key value proposition that cybersecurity offers, and hence should not be the primary driver behind cybersecurity investment.
Let’s change our perspective
We’ve all had enough of hearing about massive hacks and reputation-crushing information leaks. Everyone knows this is the reality of living in a modern, inter-connected, and digitised world. So why is it that we can still walk into so many organisations just to find out that cybersecurity is under-resourced and under-valued? Why is it that the security function is almost always considered a sub-function of ICT?
The answer is that cybersecurity is seen as a necessary evil. It is merely a ‘nuisance’ that hinders an organisation’s ability to get stuff done. It’s expensive, it’s complex, and it takes more effort. Security is perceived as an operational cost that provides no direct value to the business, other than an insurance of sorts.
This view of the world creates a failure-avoidance mindset towards cybersecurity, which drives behaviours such as tick-and-flick compliance, corner cutting, and cover-ups. Inevitably, such an apathetic, or sometimes even negative, attitude doesn’t actually do much to protect anything.
Accelerating growth through security
Let’s consider two competing businesses – Alpha and Bravo – who are both investing heavily in their innovation teams with a view to rapidly grow and expand their business operations. Business Alpha sees cybersecurity as an ‘IT problem’ and a hindrance to their ability to rapidly develop their new solution. They therefore decide to do the bare minimum required to meet whichever regulations are imposed on them. Business Bravo, on the other hand, sees cybersecurity as a business-enabler that enhances stability, giving them a secure platform to then focus on innovating confidently and without interruption. Accordingly, Bravo sets up an executive-represented security function that is integrated into the innovation and business processes.
Both solutions hit the market and perform exceedingly well, with Alpha breaking even slightly earlier than Bravo due to the cheaper cost of insecure development. With more and more publicity, inevitably both businesses are targeted by cyber criminals. Alpha is hit hard and confidential documents regarding the new solution are published, leading to mass reputation damage. Their team are suddenly thrust into damage control and profitability is heavily impacted. Bravo is also targeted, but they are able to quickly respond and minimise losses due to their well-resourced security function.
Post-attack, Bravo continues innovation and their business grows even more rapidly due to the increased market confidence compared to their competition. Alpha, however, have found themselves preoccupied with fighting fires and are unable to devote their full attention to regaining their market position and developing new opportunities for growth.
A motivation to avoid failure led Alpha to perceive security as a roadblock in their mission to expand. In contrast, a motivation to succeed drove Bravo to perceive security as an integral component of innovation and a vital prerequisite to success. In the end, it was business stability that Bravo invested in through their attitude towards cybersecurity. And it was this business stability that allowed them to win.
We need to shift our mindset away from seeing cybersecurity as an insurance against failure and start seeing it as a foundation for success. To paraphrase an old parable: a house built on a rock will withstand floods, winds, and rain, whereas a house built on sand will crumble.
Communication and Information Systems (CIS) are ubiquitous in modern operations, from daily administration, logistics and operational planning, through to aircraft maintenance support and mission systems. All of these systems are viewed by opposing forces as valid targets for exploitation of information, denial of service, or outright attack. “It’s our role to ensure Air Force can conduct missions safely and securely, with limited impact from the cyberspace domain,” Flying Officer Plotnek said…
“DART-A’s primary task while here is to give senior leaders the ability to understand and, if required, address any risks posed to air operations from the cyberspace domain.”…
A HISTORIC Air Force Squadron is now at the leading edge of defending deployed units against cyberspace attacks. Originally formed in 1942 as a bomber unit, No. 462 Squadron (462SQN) now forms part of the Air Warfare Centre’s Directorate of Information Warfare. It has now returned to operations, this time sending Deployable Assessment & Remediation Teams (DARTs) to the Middle East Region…
Self-driving cars are quickly becoming a reality. Everyone from Volvo to Google is jumping on the bandwagon to design and build autonomous vehicles for the commercial market. California is even already in the process of creating legislation to allow driverless vehicles on the road without a licensed driver.
Taking the human out of the loop is almost always a good engineering decision when it comes to reducing error. The move to autonomous vehicles will undoubtedly make our roads safer and significantly reduce the number of road accidents. However, as we have already seen with Tesla in Germany, accidents are still bound to occur for one reason or another. The question is, when accidents do happen how are they going to be managed?
Naturally there are the legal questions, such as: Who is financially responsible for a collision, the car owner or the car manufacturer? Who is allowed to operate an autonomous vehicle? Will we be allowed to drink and drive now?
But the far more interesting questions (in my opinion) arise from the ethical decisions inherently programmed into the vehicles themselves. The good thing about having humans in the loop is that we are conscious beings capable of making moral judgements based on a given set of information. When it comes to autonomous vehicles however, these kinds of decisions will have to be left to the machine. Of course the machine can only do what it is programmed to do (at least at this point in time), so most of these philosophical questions need to be foreseen and decided on in advance by the car manufacturers.
How will this work? Will each car model have a different moral code embedded into its software? Will the consumer have any choice in whether they purchase the altruistic or egocentric model; one which sacrifices their own life for the greater good versus one which saves them every time? Can we finally enforce philosophical ideals in the real world? How much information can the car’s sensors gather in order to allow them to make the best decision possible?
MIT have developed a very interesting exercise to get the general public thinking about these sorts of questions. I encourage you to have a play on their Moral Machine website and see how tricky some of these problems can get. The bonus of playing around on their site is that data will be gathered about your choices which may be used to influence some of these decisions being made by the manufacturers.
In the below video Cesar Cerrudo, the CTO of IOActive Labs and Board Member of Securing Smart Cities, presents his perspective of what a Smart City is before delving into some of his experiences with the security of smart technologies and describing some rather frightening attack vectors and potential scenarios. Finally, he concludes with some recommendations to Smart City vendors and governments to better secure these technologies and protect their citizens. Although I highly recommend watching the full video, for those of you who would rather read an ‘executive summary’ I have summarised the speech and slide package in my own words below the video.
A Smart City is “a city that uses technology to automate and improve city services, making citizens’ lives better”. Such technology can be employed in areas such as: traffic control, parking, street lighting, public transportation, energy management, water management, waste management, city management, security, M2M, sensors (weather, pollution, seismic, flood, smell, sound, etc), open data, and mobile applications.
A large number of vulnerabilities are present in Smart Cities around the world due mainly to new technologies being deployed without any security testing occurring beforehand. These problems are compounded by the facts that almost everything is wireless (i.e. able to be attacked without requiring physical access) and there is a widespread lack of city CERTs (Computer Emergency Response Teams), resulting in a lack of coordination and communication about security incidents. Other problems plaguing technology-dependent cities are: huge and unknown attack surfaces, patch deployment and system update difficulties, vulnerable legacy systems being interconnected with new systems, government bureaucracy and shortage of skilled people, no city cyberattack response plans, and difficulty for security researchers to obtain systems and devices for testing. There are already many cases where even simple bugs have caused significant city-wide disruptions and, in some cases, even loss of life.
In consideration of the aforementioned vulnerabilities, there are many potential and proven malicious attacks that could occur on city systems. Hundreds of thousands of traffic control systems across the world have already been proven to be vulnerable to attack. Wireless encryption problems leave street lighting vulnerable to the extent that entire cities and islands could be left in the dark. The integrity of city management system information is vulnerable and could lead to events such as the 2010 confusion of Texan construction workers with respect to the location and status of a buried gas pipeline, resulting in an explosion with several casualties and one death. With real-time access to open data available to the public, attacks can even be freely orchestrated to determine the best timing for maximum impact.
So, it has been established that Smart Cities are vulnerable and that there are a variety of ways that these vulnerabilities can be maliciously exploited to cause havoc. The remaining variable in this equation is intent, or threat likelihood. Cities are a valuable and interesting target when it comes to consideration of war scenarios such as cyberwar or cyber terrorism. It is publicly known that nation states have the knowledge and skills to easily attack cities and cause significant damage. Cybercriminals also exist and have proven to be well organised and have a large amount of resources at their disposal. Finally, let’s not forget about Hacktivist groups who have become known for launching coordinated cyber attack campaigns against various targets of their choice.
Despite the above seemingly alarmist information, there are a number of recommendations that Cerrudo believes will help mitigate against a lot of the highlighted problem areas. In order to highlight these solutions, I have provided them in dot-point format below:
- Do not implement systems and devices without security testing and auditing
- Ask vendors to provide all security documentation and timely incident response
- Fix security issues as soon as they are discovered
- Create a City CERT that can handle the various security aspects of the Smart City
- Regularly run penetration testing on all city systems and networks
- Implement fail-safe and manual overrides on all city systems
- Implement and make known secondary services/procedures in case of cyber attack
- Restrict access to public data
- Threat model everything and prepare for the worst
Unfortunately, what first often comes to one’s mind at the mention of Rwanda is the terrible genocide of 1994 that brutally wiped out 20% of Rwanda’s population. President Paul Kagame, previously the commander of the rebel force that ended the genocide, has since been working hard to change the country’s position and reputation. The now completed eRwanda project was successful in utilising ICT to strengthen and improve the government and its internal processes. The next step? A Smart Rwanda.
Almost a year ago the Republic of Rwanda entered an official agreement with Ericsson to provide ICT infrastructure for the transformation of Rwanda’s villages to thriving Smart Cities. The focus of the Smart Rwanda project is on governance, education, health, agriculture, and infrastructure and is scheduled to be completed by 2018.
From an outsider’s perspective the project appears to be going well, with a Smart Africa secretariat due to open in Rwanda’s capital, Kigali, sometime this week. There are however some concerns being raised about Rwanda’s democratic future after President Kagame recently changed the constitution to retain power for a third term, a move which violates Rwanda’s original constitution.
Let’s hope this move towards a smarter Rwanda will help further enable the transparency of the Rwandan government and enforce the democratic values the country has worked so hard to instil over the past two decades.