Friday, 25 November 2011

Building a real cyber security policy

So, after all the build up the Government has finally released its Cyber Security Strategy, and what an exciting bit of work it is. It is intended to, in the words of the press release:
[Set] out how the UK will support economic prosperity, protect national security and safeguard the public’s way of life by building a more trusted and resilient digital environment.
All very laudable goals of course, so how will that be done?

Borrowed from The Guardian's writeup, here are some of the top lines:
GCHQ is to get a huge increase in funding, and the Ministry of Defence will benefit too. The ideas in the strategy include:

Creating within two years a cyber crime unit within the National Crime Agency that will take the lead in the most serious fraud and theft cases.

Sending guidelines to courts and police highlighting the extra powers now available to them. They include using orders which ban criminals from owning more than one mobile phone, limiting them to one email address and restricting internet access. Courts can also order people to stop using instant messaging.

Encouraging all police forces to recruit more so-called cyber specials – part-time officers who are experts in computing.

Creating a cyber defence operations group at the MoD, which will be overseen by Air Marshal Sir Stuart Peach, head of the new Joint Forces Command. His job will be to develop "new tactics, techniques and military cyber capabilities". This will include offensive as well as defensive capabilities.

The government has also pledged to do more to raise public awareness by revamping the Get Safe Online website. It will also push software manufacturers to agree to a kitemark safety system.

A lot of this isn't particularly new or exciting, a fair amount of it is the sort of stuff which gets announced with no hope of it going anywhere in the mid to near future, or is aspirational (The "kitemark" system is the prime example here).

The two core elements for me are the creation of both military and civilian (or at least police) cyber warfare teams. The civilian one presumably will be aimed in part at domestic cybercrime, which is good, but will also inevitably overreach and end up being used for purposes which the creators never intended. If, within the first 3 years, the cybercrime police force hasn't been found to have been cracking the home email accounts of people like Occupy protesters.

The militarised force is clearly aimed at both China and Russia, now this is something which will be of interest. The US also has a taskforce like this, US Cyber Command, which frankly sounds like something from a bad science fiction novel. It's not clear if there is anything positive coming from this team as yet, but who knows what the future holds?

The problem is that there is a huge disparity between what is being done in China and Russia, and what is being talked about here. In Russia and China "patriotic hackers" have been given virtually free rein without risk of prosecution, so long as they're pointed in the right direction. Compared to Russia, China has shown a more organised and militarised style, but ultimately they are given freedom to act, so long as they do so in support of the state, or at least don't run counter to the overarching goals of the state. That means if you spend your lunch break cracking people's bank accounts then so be it, just make sure that when you're on the clock you're attacking websites belonging to people in Georgia you don't like.

This is where the strength of these organisations lies, they aren't shackled to a political process, nor are they expected to conform to a diplomatic ruleset. There's no consequence if they, say, shut down a water pump to prove a point. There's always enough deniability to shrug it off and move on. It's clear that even in this case, there's some degree of confusion as to exactly what happened here, but frankly I trust the security experts who think it was a hack, rather than DHS, who have a vested interest in saying the systems didn’t get cracked.

In order to create a real UK Cyber Security force we need to take a page out of the books of those who are doing it best already, and there are three places for that: China, Russia and Anonymous. All three embrace freedom of action, tied to loose strategic goals, without getting the picture messy by demanding that their hackers try to conform to an artificial set of constraints.

The best hackers in the world are black hats, and former black hats (in my opinion). These are the guys who have to be able to crack security, evade police and other organisations who might be upset about that, and turn a profit at the end of the day. White hats (non-criminal hackers) never have to develop the requisite skillset to operate against foreign governments.

If we want the best and the brightest to come in from the cold and start operating in support of a national agenda, we need to create an environment where those who are the best, and thus most likely criminals, get something out of the deal. That means immunity from prosecution, the ability to make a little profit on the side, and a general understanding that they will be directed from a strategic level, rather than a tactical level most of the time.

What will fail is a highly controlled set of computer science graduates who learned their skills from textbooks on hacking. It'll fail even more significantly if there is no clear agenda, and the objectives are purely defence. So it's good that's what's being built.


Wednesday, 23 November 2011

Book Review: The Big Short

I had initially planned to do a line by line dissection of the piece of shuddering inanity which was this article in Conservative Home. Written by Christian Guy, simply by reading it I am personally driven to wanting to take drugs, if only to escape, for a few moments, the raw horror that was reading it. Boneheaded to the point of being mendacious, even now I crave sweet release from its flawed assumptions, and lines like this:
People take drugs for a variety of reasons, but in the CSJ’s experience there are some common drivers: chaotic and dysfunctional families, leading to family breakdown; educational failure; the hopelessness of welfare dependency and entrenched worklessness; severe personal debt; and a criminal justice system which can make drug and alcohol abuse more likely, not less.
It's always wonderful to read something like this, from a man who almost inevitably has close friends who regularly use illegal drugs (we all do, statistically speaking), and yet is too blinkered to realise that the reason most people take drugs is because drugs are god damn awesome, that's why so many people take the ones which are legal (alcohol and tobacco being the most common of a very wide field).

Anyway, the moronic gibberings of the Director of Policy for the Centre for Social Justice (I guess getting a real job was a bit tough) aside, I thought I'd focus instead on the superb gibberings of Michael Lewis and his book The Big Short: Inside the Doomsday Machine.

I have an ongoing fascination with the financial crisis, in large part because I'm fascinated by almost anything which I struggle to understand. There are lots of books written about the causes and many of them are excellent, Too Big to Fail probably having been one of my favourites until now.

The book is largely about a group of guys who were smart enough to do the math and realise that sub-prime mortgages were a really really bad idea. So much so, they realised, that they would inevitably cause massive damage to the financial system. Realising this, they all positioned themselves to become extremely wealthy in the event that this collapse happened, a bet which I'm sure they're all very glad they made.

Two things struck me about this book, first, it is a superbly personal tale of a time which is usually discussed through the lens of obscure financial products, or individuals too high up the ladder to really engage with on a meaningful level. The characters in this book are much closer to the ground, and thus are significantly more interesting.

The second is that this book is really honest about the fact that the financial sector as a whole is a morally corrupt place, staffed by people who have no interest in the security of tomorrow, if they can make a buck today. I realise this is not a surprise, but the way it is laid so bare by the characters in the book is almost painful in how stark it really is. People within the financial sector had to work really hard in order to lie to themselves about the insecurity that sub prime was creating within their industry, willful, wanton lying.

In the process of this self-deceit the "bad" characters in the book (read: those in favour of sub prime) are cast as fools, or worse, willing participants in a system they know is flawed.

If I had to lay a criticism at the door of this book, it is that there is a need for the author to have taken just a little longer in explaining some of the concepts which are regularly used. This would have made the book more useful for me as a reader, but ultimately, in the world of Wikipedia, I can get by somehow.

Overall a fascinating read and an insight into the largely hidden world of "shorting". Certainly made me want to go and set up a hedge fund.


Monday, 21 November 2011

Two ways to the cool kids table

I've been reading a lot it seems over the last few weeks on Myanmar, which has recently been given the opportunity to Chair Asean through to 2014. This comes not long after a series of pro-democracy changes, with political prisoners released and Suu Kyi not only no longer under house arrest but free to stand for political office.

These steps towards a more liberal form of Government have resulted in the rewards of the international community, with cautious praise being heaped on Myanmar. I imagine that it will, over time, also result in greater investment into the country, both from the private sector and in the form of inter-Governmental assistance. It's the first small step toward a more globalised state.

On the flip side, Iran continues to dominate the Middle East agenda with its pursuit of nuclear weapons. Everyone is very worried about this, although from the coverage, there's a lot of confusion about exactly why we're worried. The most obvious reason is that they might bomb Israel, or use a proxy to do so. The fact that Tehran would vanish in a flash of light and thunder about 20 minutes after the same happened to an Israeli city apparently wouldn't deter the country.

But reading between the lines, here's my thought. The fear is that if Iran has the bomb then no one will be able to threaten them not to build a bomb (or do other stuff) any more. Having a bomb would mean having to talk to Iran as a grown up, rather than as a tinpot dictatorship.

Speaking of tinpot dictatorships with nuclear weapons, Pakistan did rather well out of its nuclear programme. It calmed relations with India (to some extent) and got America more heavily involved in mediating future disputes. The risks of nuclear conflict between the two countries still exist, but it's a lot less likely that they'll go to war now they know any war would be utterly devastating for both countries.

So here's my hypothesis, there's two ways to get a leg up into the realms of the new globalising states. One is to pursue a route which involves greater liberalisation and moves towards a democracy, the other is to build a bomb. The first route is the one everyone likes, but the second one also works. It gets you something to trade and it means that it's a lot harder for the rest of the world to aggressively influence your internal structures.

Now, there is one thing which is a risk. So far, no country has developed a nuclear weapon with a view to using it to close off their borders and tell the rest of the world to go to hell. China did to some extent, but in the end, globalisation's siren call was too much to resist.

So will Iran become that first state? My feeling is probably not. What they want is to feel like they have control over their internal structures, but those structures are already fraying. The youth of Iran don't want a future dominated by the mullahs, and the Government is increasingly at odds with the religious orders.

What the bomb will do in Iran is create a world in which the outside has to communicate with Iran, not through threats and bluster, but instead as statesmen. There are huge risks, but if history is any guide, the presence of a bomb in Iran will serve only to shift the way in which the state behaves, but not so far as to knock it off a trajectory it is already on.

Tuesday, 15 November 2011

Making things and reading stuff

I've recently become slightly obsessed by the superb Make Projects website. I come from a family of engineers and I've always enjoyed the principle of building things, but I've never really gotten around to it. Fortuitously this discovery comes at the same time I find out that there's such a thing as the London Hackspace.

I can't imagine there's ever been a generation which is more disconnected from the ways in which things are actually made. I certainly have no real idea of how things are put together and why the devices I use every day do the things which they do.

In the next few weeks and months I'm hoping to get down to the Hackspace and become a member.

In other news, I'd thoroughly recommend keeping an eye on both the Al Jazeera and The Guardian's live feeds on Occupy Wall Street, which was evicted (quite possibly illegally) last night.

I also would suggest taking a look at the live feed, run by a guy called Tim (I think), in fact, you should be able to see it right here:


Wednesday, 9 November 2011

Anonymous and its evolution

I'm going to firmly wedge my tongue in my cheek for the next couple of sentences, before getting to the meat of this evening's symposium.

The trouble with Anons is that they're a bunch of greasy 15 year old script kiddies sitting in their parents' basements spewing filth on the internet. But the problem with that statement is that's what people have been saying for many years now, pretty much since Anonymous (or indeed youth culture on the internet, going back to the BBSes of yesteryear). What that means in practice is that I, a 27 year old market research guy with a background in politics and communications, can happily say that I'm an Anon and have been for years.

This is the trouble with youth subcultures, the members tend to grow up and a lot of what they learned along the way sticks with them. Just as the hippy generation grew up, so lots of those who were early Anons are now educated and out there in the world. Pretty much everyone I know is an Anon in some fashion, and those that aren't are aware of the culture, even if they don't know what it is they're referring to (I include pretty much anyone who has seen a lolcat in that context, see associated image, you have now seen Anon Culture).

Probably the best article there has ever been on Anonymous came out this week. That is not hyperbole, it is literally the best thing any credible person has ever written about Anonymous, at least that I've read. Quinn Norton successfully deconstructs the movement with seeming ease and identifies aspects of it which are rarely explored. Here's some of it, but if you do one thing today, stop reading this, and go read the whole article:
NYU Professor and Anonymous researcher Biella Coleman compares Anonymous to the trickster god archetype.

“The trickster does exist across America, across Europe, really across the world and it is not in myth but in embodied in group and living practice: in that of the prankster, hacker, the phreaker, the troller (all of whom, have their own unique elements of course, but so does each trickster),” she wrote in Social Text.

The trickster isn’t the good guy or the bad guy, it’s the character that exposes contradictions, initiates change and moves the plot forward. One minute, the loving and heroic trickster is saving civilization. A few minutes later the same trickster is cruel, kicking your ass and eating babies as a snack.

This is probably the crux of the issue, Anonymous ruins lives and saves cats, reveals paedophiles and crushes companies.

If I was going to pick up one thing to define Anonymous, it would be this, a short script which has long been at the core of the movement:
We are Anonymous
We do not Forgive
We do not Forget
We are Legion
It's worth noting that Legion is not just a randomly picked word for a group of people, it's the name of another supernatural entity, a collective of demons who were driven out by Jesus.

It wasn’t until I downloaded and listened to Lulz: A corruption of LOL’s second album, Corruption, that I grasped what Anonymous really is.

It’s a culture.

It takes cultures to have albums, idioms, and iconography, and I was swimming in these and more. Anonymous is a nascent and small culture, but one with its own aesthetics and values, art and literature, social norms and ways of production, and even its own dialectic language.

It is no wonder we in the media and the wider culture are often confused. Any study of Anonymous must be anthropological, taking into account the way people exist in different societies. The media has just been looking for an organization with a leader who could explain why Anonymous seems to do weird things. Not only that, but Anonymous seems to be built around doing weird things, and even has a term for it: the lulz.

And there it is, the simple realisation which lifts this article out of the mire and up to a level which isn't usually explored. Anonymous is a culture. The thing which separates Anonymous from other subcultures is that it is geographically unlimited, and in the end it exists entirely separate to day to day society. You can be an Anon and anything else you like, the two can co-exist, no one at work needs to know you're an Anon unless you tell them. The internet means everyone can contribute in any way they like and from those contributions can come meaningful results.

I don't want to quote any more of the article, because it deserves to be read in full, but here is what I alluded to at the start and I think is worth bearing in mind. Anonymous is growing up, and growing bigger. Those who founded the movement on /b/ are now in their 20's and 30's or older. Script kiddies are now full blown crackers, and intelligent well meaning members now have jobs and lives.

Personally I think this has resulted in offshoots of Anonymous like LulzSec, which is still as active as it ever was, cracking corporate security and stealing data like there's no tomorrow. It's also resulted in a greater Anonymous presence IRL (in real life). It's almost impossible to attend a protest now without seeing Anons. They tend to stand a little apart, be-suited, masked, watching and occasionally acting. The Occupy protests would be substantially less well organised but for the efforts of AnonOps and other similar services.

The question which no one is asking is what happens when those who grew up with Anonymous as a major part of their self identity are the ones running companies and getting elected.

Monday, 7 November 2011

Book review: The Pentagon's New Map

Slightly late to the party, but I finally read Thomas Barnett's The Pentagon's New Map. I've been a fan of Barnett since watching his TED talk on the basis of a recommendation from a friend, but beyond his blog haven't until now read any of his books.

New Map is (in my mind at least) a book about the need to rediscover a more clearly stated purpose for American power. Barnett's thesis is that this should be to protect, foster and guide globalisation, by bringing more countries into the realm of well connected and co-operating nations (The Core), and out of the largely dictatorial, undeveloped and conflict ridden areas which exist elsewhere (The Gap).

The part of New Map I personally like the most is that it seeks to create a framework for a grand strategy, not only for the USA but also for other countries like the UK which exist in the Core. Barnett proposes repurposing the US military (and many other elements of the US Government) in particular in order to develop a set of tools more suited for the messy and unpleasant business of dealing with all the conflict and chaos that exists in the world.

The core elements of this are a "Leviathan" force and a sys-admin force. The Leviathan force is essentially already there, the US military can knock over pretty much any country in the world without breaking a sweat. The only countries it couldn't easily roll over are countries which exist in co-operation (broadly) with globalisation and the US.

What doesn't exist, and in truth hasn't shown a great deal of evidence of emerging since the book was written, is the sys-admin force. This force would be one set up for dealing with the mess which comes when shutting down a conflict. It would be a type of peacekeeping force (and I diminish a great deal with Barnett's analysis when I call it that) with teeth.

If anything, the sys-admin force has been replaced by the increased use of unmanned drones to monitor and, with greater frequency, attack militants and suspected militants. These tools are cheap, disposable and pretty much divorce the user from any form of risk and responsibility. The problem is that these tools do nothing in terms of actually shutting down a conflict, but instead provide an impetus for elongating conflicts.

I'm actually surprised by the fact that when discussing a sys-admin force Barnett doesn't discuss in more detail how other countries could become involved in this. One of America's strengths, traditionally, has been the forging of multilateral alliances, either independently, or through existing international institutions. This strength has diminished in recent years however, both as a result of a seeming indifference to achieving these sorts of ends, and due to the emergence of other powerful international actors.

Ultimately, what Barnett's book is, is a challenge particularly to America, but also to other Core nations, to rethink their approach to the world, abandoning national self interest in favour of the more important trend of Globalisation. It's a deeply idealistic text, which is rare when discussing grand strategy.

Well worth reading for its scope, concept and the depth with which the core issues are explored.