Friday, 25 November 2011

Building a real cyber security policy

So, after all the build up the Government has finally released its Cyber Security Strategy, and what an exciting bit of work it is. It is intended to, in the words of the press release:
[Set] out how the UK will support economic prosperity, protect national security and safeguard the public’s way of life by building a more trusted and resilient digital environment.
All very laudable goals of course, so how will that be done?

Borrowed from The Guardian's writeup, here are some of the top lines:
GCHQ is to get a huge increase in funding, and the Ministry of Defence will benefit too. The ideas in the strategy include:

Creating within two years a cyber crime unit within the National Crime Agency that will take the lead in the most serious fraud and theft cases.

Sending guidelines to courts and police highlighting the extra powers now available to them. They include using orders which ban criminals from owning more than one mobile phone, limiting them to one email address and restricting internet access. Courts can also order people to stop using instant messaging.

Encouraging all police forces to recruit more so-called cyber specials – part-time officers who are experts in computing.

Creating a cyber defence operations group at the MoD, which will be overseen by Air Marshal Sir Stuart Peach, head of the new Joint Forces Command. His job will be to develop "new tactics, techniques and military cyber capabilities". This will include offensive as well as defensive capabilities.

The government has also pledged to do more to raise public awareness by revamping the Get Safe Online website. It will also push software manufacturers to agree to a kitemark safety system.

A lot of this isn't particularly new or exciting; a fair amount of it is the sort of thing that gets announced with no hope of going anywhere in the near to mid term, or is purely aspirational (the "kitemark" system is the prime example here).

The two core elements for me are the creation of both military and civilian (or at least police) cyber warfare teams. The civilian one will presumably be aimed in part at domestic cybercrime, which is good, but it will also inevitably overreach and end up being used for purposes its creators never intended. If, within the first three years, the cybercrime police force hasn't been found to have been cracking the home email accounts of people like Occupy protesters.

The militarised force is clearly aimed at both China and Russia, and this is something that will be interesting. The US also has a taskforce like this, US Cyber Command, which frankly sounds like something from a bad science fiction novel. It's not clear whether anything positive has come from that team as yet, but who knows what the future holds?

The problem is that there is a huge disparity between what is being done in China and Russia and what is being talked about here. In Russia and China, "patriotic hackers" have been given virtually free rein without risk of prosecution, so long as they're pointed in the right direction. Compared to Russia, China has shown a more organised and militarised style, but ultimately both give their hackers freedom to act, so long as they do so in support of the state, or at least don't run counter to its overarching goals. That means if you spend your lunch break cracking people's bank accounts then so be it, just make sure that when you're on the clock you're attacking websites belonging to people in Georgia you don't like.

This is where the strength of these organisations lies: they aren't shackled to a political process, nor are they expected to conform to a diplomatic ruleset. There's no consequence if they, say, shut down a water pump to prove a point. There's always enough deniability to shrug it off and move on. It's clear that even in this case there's some degree of confusion as to exactly what happened, but frankly I trust the security experts who think it was a hack, rather than DHS, who have a vested interest in saying the systems didn't get cracked.

In order to create a real UK Cyber Security force we need to take a page out of the books of those who are already doing it best, and there are three places to look for that: China, Russia and Anonymous. All three embrace freedom of action, tied to loose strategic goals, without muddying the picture by demanding that their hackers conform to an artificial set of constraints.

The best hackers in the world are black hats and former black hats (in my opinion). These are the people who have to be able to crack security, evade the police and other organisations who might be upset about that, and still turn a profit at the end of the day. White hats (non-criminal hackers) never have to develop the skillset required to operate against foreign governments.

If we want the best and the brightest to come in from the cold and start operating in support of a national agenda, the answer is to create an environment where those who are the best, and thus most likely criminals, get something out of the deal. That means immunity from prosecution, the ability to make a little profit on the side, and a general understanding that they will be directed at a strategic level rather than a tactical one most of the time.

What will fail is a tightly controlled set of computer science graduates who learned their skills from textbooks on hacking. It will fail even more badly if there is no clear agenda and the objectives are purely defensive. So it's good that that's what's being built.
