Over the last year the world has been virtually buried under news items describing hacks, insecure websites, servers and scada systems, etc. Each and every time people seem to be amazed and exclaim “How is this possible?” Politicians ask questions, there is a short lived uproar and soon after the world continues its business as usual. Till the next incident.

In this blog post I take a step back and try to look at the cyber security issue from this angle: nothing is secure and what can be done about it. (The post refers to a lot of articles. As most are in Dutch I left them out here. Should you be interested and you should as some very interesting examples of ways forward are presented, I refer you to my blog. All links to articles, papers and proposed law texts can be found there.)

Week 8 - 15 February 2012

In the past two months I had the impression that there were less news items on the topic. Were we getting tired of this form of news or were there less hacks? I don’t know, but fact is that in the past week the shit hit the fan. One major hack after the other was revealed and vulnerabilities exposed. KPN was hacked by a hacker “who did nothing”, Bavaria, through the hack of a small telco named Creation Point, and Philips lost hundreds of thousands unique privacy sensitive data of customers. All three examples because of outdated security of involved servers. Water regulation systems in parts of The Netherlands were exposed as nearly unprotected. To be honest, I wouldn’t be surprised if the same would go for our national atom power plant in Borssele…

Internet = optimism, or it was

The Internet was expanded on optimism. A great new medium with all these beautiful features that could be added and saved lots of money and resources. In this enthusiasm decisions were made of which the implications could not be overseen or most likely not understood. To quote the above mentioned article on the water scada systems:

“Most organisations do not oversee which of their systems are directly connected to the Internet.”

Nobody had thought through the opportunities let alone the implications the Internet offers to themselves. And who ever thought upfront of the challenges the success of the darker sides would pose?

Let’s pose another question. How much money is spent presently to secure this Internet? Does it surpass the savings? An interesting question, isn’t it?

Richard Clarke and infection of critical infrastructure

In his book ‘Cyber war’, Richard Clarke writes, that he expects that in almost all major critical infrastructure systems in the United States cyber bombs have been installed, somewhere in the past. Small pieces of software that do not belong there and are controlled by unknown entities, to inflict unknown damage. He hints at China as the source. The news that China was inside the Canadian firm Nortel from the year 2000 and undetected, is quite revealing, I’d say. Critics advice to file Cyber war under fiction. Or is it the view of a visionary, warning a non-listening majority? And how is this in The Netherlands or your country? Has anyone even started looking?

(You can find my review of Cyber war here.)

The Dutch National Cyber Security Centre

So here we are in 2012. In the Netherlands there is a National Cyber Security Policy and a National Cyber Security Centre. It specifically aims at public-privacy cooperation and partnerships. The structure to tackle the challenge of a safer Internet on a national basis is installed. This makes a logical, step by step approach to the problem possible.

What could be a starting point? How about taking for granted that systems/websites/servers/etc. are safe till proven different, is no longer the correct approach. My advice would be to declare everything unsafe and from there work towards steps to improve security.

First signs of a coordinated approach

The whitepaper of the NCSC on websites is a first step. Another good example is that the NCSC already has published a factsheet on ICS/Scada systems with advice to those concerned on protective measures to take. This shows commitment and resourcefulness to those concerned.

Extinguish ignorance

But is this enough? Does self-regulation actually work? The track record of the past years is not hopeful. Ignorance (or carelessness?) still seems rampant, despite messages that ought to raise red flags. Apparently passwords are not changed, servers not checked, websites not updated security wise, despite of the news. Of course not all is bad, but it could become much better, more pro-active and coordinated.

Incidence reporting by law

An initiative to come with a law around security and notification duty of cyber incidents a good second.

Coordinated approach to ensure cyber security

I think the government could go one step further in setting a policy or coordination plan that step by step secures the Internet and all related topics around it. So clear rules on the security of websites and servers, including those services offered to the Netherlands from outside. Public systems become better secured through the program, starting with better passwords, mandatory updates of security software and a minimum set level of security, etc.

Next to that a program could start in which security is tested continuously by a team of people that do exactly the same as the people who do so out of a hobby or for more nefarious reasons: hacking. Testing leads to a continuous rise of the security level, awareness replaces ignorance and involvement carelessness. Lessons learned are shared through the coordination of the NCSC and the ISAC programs with all concerned.

Responsibility and accountability

Another thing that needs to happen, is making someone responsible and accountable for security. The loss of privacy sensitive data or successful hacks in public systems, including former utility services, as the public totally depends on them, must not be seen as unfortunate, but as a serious problem. Starting with a serious breach of personal integrity, ending with potential threats to national security and everything in between. Only by presenting it in this way, can executives be made to understand that they really have a problem on their hands. Up to this day, this does not seem the case. It is not as if the news of one hack makes people run for security. The proposed change in the Telecommunications Act and the Data Privacy Act should take care of accountability.

The loss of private companies, e.g. through industrial espionage, is or may also (be) a major problem, but in the end the loss of that company. If they do not understand the implications of a lack of security online, it is their problem. The implications for the national economy come second.

Important to realise is that this law only looks at the results of the hack and does nothing to prevent it, at least not directly, let alone go for the source.

Security costs and saves money

Security costs money and the people making decisions on budgets must be made to understand that neglecting security could lead to considerable losses and even to bankruptcy, as Diginotar has ably demonstrated. Internet security saves money. Governments can explain this quite vividly to those concerned and thus gain involvement from the private sector. Use the Nortel and Diginotar example!

Conclusion

Whether the threat of cyber war or actions by isolated terrorist cells are at present real or science fiction, fact is that a lot of front and back doors are open because of a lack of understanding. This can be dealt with through a solid nationally coordinated plan of action, aimed at making the country safer. The Netherlands at least has built the infrastructure to be able to aim for a comprehensive approach. How is this in your country and what could you learn from the Dutch approach?

Enforcement

Another topic is enforcement. I’ll come back to that later.