Missing in Action: Cyber Dictionary?

092215-640x400

As published on Norse on September 22nd, 2015.

I recently stumbled over an old issue that has shown no signs of being resolved: the lack of a normalized lexicon on Cyber Security. We can’t seem to start agreeing on terminology, even though the cyber security industry is rapidly professionalizing globally and the need for a universally understood set of concepts is beginning to show. The best example of this problem is that there are at this moment roughly 28 definitions for the concept we know as “cyberspace”, with the most recent draft definition apparently being:

Cyberspace defined

Cyberspace is a global and dynamic domain (subject to constant change) characterized by the combined use of electrons and electromagnetic spectrum, whose purpose is to create, store, modify, exchange, share and extract, use, eliminate information and disrupt physical resources. Cyberspace includes: a) physical infrastructures and telecommunications devices that allow for the connection of technological and communication system networks, understood in the broadest sense (SCADA devices, smartphones/tablets, computers, servers, etc.); b) computer systems (see point a) and the related (sometimes embedded) software that guarantee the domain’s basic operational functioning and connectivity; c) networks between computer systems; d) networks of networks that connect computer systems (the distinction between networks and networks of networks is mainly organizational);e) the access nodes of users and intermediaries routing nodes; f) constituent data (or resident data).Often, in common parlance, and sometimes in commercial language, networks of networks are called Internet (with a lowercase i), while networks between computers are called intranet. Internet (with a capital I, in journalistic language sometimes called the Net) can be considered a part of the system a). A distinctive and constitutive feature of cyberspace is that no central entity exercises control over all the networks that make up this new domain. – Mayer, Martino, Mazurier & Tzvetkova (2014)

This is a considerable problem for the eventual advancement of the practice, because ‘cyberspace’ isthe root term from which the entire “cyber-everything!” craze stems, and we can’t even seem to agree on what that is, exactly. How can we properly define derivative terms from a core concept that we don’t universally agree on? What is Cyber Security if nobody agrees on what Cyber is?

Cyber-anything

The result is that cyber-anything is, essentially, a rough approximation of what we mean to say. Developments in the industry haven’t yet reached the point where this is a problem for real scientific advance because there is still so much to discover. But in the long run, if the profession is to mature and be advanced beyond the point of the initial growth spurt we are currently experiencing, people will have to perform research. Thanks to that same ill-defined cyberspace, desktop research is often largely based on searching for keywords in existing research (thank you Google Scholar!). And herein lies the rub.

As said, it’s not just cyberspace that we can’t conceptually agree on. We also can’t seem to agree on the use of other terms. For instance, the terms ‘cyber security’, ‘information security’ and ‘cyber defense’ are used liberally, and are generally used to define the same set of concepts, but not always. The term ‘defense’ (singular), ‘security measure’ and ‘security control’ are all used to describe roughly the same concept as well.

Cybersecurity strategy

Give yourself the challenge to figure out what cyber security strategy means. Some quick research will show that some authors used this term in describing “security one-liners”, such as the security principle‘Reduce Attack Surface’, whereas others use the term to describe entire frameworks. There were also authors who did not use the term “strategy” where it might have made good sense to do so.

To answer any research questions on the subject of cyber security strategies, it is necessary to first be clear on which interpretation is used. We need to know where we are now to determine where we want to go. As an industry, we have an obligation to the rest of the world to be clear in what we mean by the words that we use. Many people complain about the use of the term ‘cyber warfare’. The most common heard complaint was that talk about war incites war, and that the resultant ‘militarization’ of the internet is an undesirable state. Whether the lack of a universal lexicon is to be blamed for this, is almost certainly overstating it, but it doesn’t help either. The press loves ‘sexy’ language, and military lingo sounds very impressive. It sells. It makes for bad reporting, but when considering that we, as an industry haven’t provided them with anything better to use, maybe they are not the only ones to blame here.

The future

If the Internet has proven anything, it is that there can be cooperation on a global scale. Perhaps one of the custodian organizations of the Internet, such as the IETF, can be used as a vehicle for the development of a universal set of concepts, who knows? But it certainly is high time we get started, before the future catches up with us.

 

The Right to Strike Back

pic3-640x400As published on Norse on June 26, 2015.

Last week, at the HiP Conference in Paris, there was a debate on whether or not it should be allowed to strike back when you are being hacked. Currently, criminal law in most countries does not allow it. But is this tenable in today’s’ highly digitized society rife with cybercrime?

My position in this matter is that we should create a legal recognition of the fact that we are in a social gray area where it concerns the Internet, even if it is only a temporary recognition, and allow for somecapability to strike back at cyber criminals. As I’ve said before, humanity is only now scratching the surface of what it means, socially and culturally, to have (largely) unrestricted access to the collective knowledge of Man at our fingertips, (almost) everywhere and (almost) anytime we desire.

In virtually every aspect of the human experience, it has made its’ impact felt. The number of human lives that remain completely unchanged through some kind of information technology is rapidly dwindling to zero as technology advances, and our adoption of them continues to rise.

Under the umbrella-term “Cyber”, that is similarly revered and reviled, we are inching our way through the various aspects of our daily lives to adapt our old notions of how we ‘did things’ to incorporate the new realities we face in the Information Age. Crime, international politics and armed conflicts are among the most hotly debated topics in this regard. What I am getting at, is that in a social and cultural sense, Cyberspace can (and in my opinion should) be considered terrain in the early stages of colonization. Think of it as the New Frontier or the Wild West, if you will.

We recognize that there is this huge new area that can be explored, colonized and exploited, but exactlybecause it is new and untamed, there should be only a limited expectation of Law and Order. Certainly, in most countries the national laws have been revised to incorporate the new realities of Cyberspace. But often these amendments or new laws are only rough first drafts because very few (if any) people understand exactly what Cyberspace means (culturally and socially).

What doesn’t help is the fact that as our technology continues to advance, our uses –and in turn the consequences- are changing with it. In other words: even if we manage to define proper laws for the circumstances right now, there is a good chance that they will be outdated due to technological advances in short order. But that is not really the core issue. Having properly defined, applicable and reasonable laws is only the first step. You have to be able to enforce a law if you expect people to follow it, otherwise it just becomes little more than an advisory note. A cute bauble that the criminally inclined can have a chuckle over while they continue making money off of these exact crimes you’re trying to prevent. And that, unfortunately, is largely where we are now.

Despite being a horrible analogy in every other sense, Cyberspace is the Wild West. Law and Order is reasonably established in some areas, but for the most part you can only depend on the occasional sheriff or Ranger. As was the case in the early years of the Wild West, there –on the whole- isn’t a whole lot of coordination between law enforcement, the government and the citizenry. This can be easily verified by looking at the figures. The number of successfully prosecuted cybercrime cases is very small indeed, when compared to the number of reported incidents. Also consider that we don’t see every incident, and even when incidentsare discovered, they are not always reported. Please don’t misunderstand what I am trying to say: This is not intended as a snipe against law enforcement or the government. They are trying to get a handle on these cases. But the fact of the matter is that we have a serious lack of expertise and experience across the board. There just aren’t enough people skilled and experienced enough to make a serious dent in the numbers. Or, for that matter, to faster develop an underlying framework that makes law enforcement of cybercrime any easier.

Frameworks containing (and hinging on) effective international agreements, laws and political policy to address cybercrime are also still being developed. The often-heard argument to forbid people from striking back at cyber criminals is that to do so is anoffensive act, and not a defensive one. In other words, striking back should be considered a weapon and not a shield. In the strictest sense of the definition this is indeed correct. However, just looking at the success rate of cyber-attacks alone will dissuade anyone from the notion that a “good defense” is enough to stave off a cyber-attacker.

Even the US military, with the highest defense budget in the world, can’t prevent some attacks from being successful. In very practical terms this tells us that we cannot count on being secure when we are only allowed to defend ourselves; something is clearly missing. Perhaps that missing element is the right to strike back. To stick to the earlier analogy of the Wild West, we are unarmed and criminals are not. Essentially we are telling people not to act when they are being attacked. To trust the Police to protect us against predators. To sit still and pray that the criminals don’t find the valuables we’ve buried in the proverbial shed. But clearly the Police are not capable of doing so right now, as can be easily deduced from the figures mentioned earlier.

In my opinion this is untenable, and quite frankly I find it unconscionable to leave the average citizen as such an easy prey. During the debate I therefore argued for at least a temporary recognition that allows for striking back at our assailants, with the express goal of halting an attack. It will be interesting to see how the other panelists view it, and I look forward to hearing if perhaps there is another solution to the problems we face today.

GCCS2015 Part II: Government Influence is the Key Issue

gccs2(As published on Norse: Feb 5th, 2015)

As we noted in Part I: GCCS2015: Battlefield for the Internets’ Multi-stakeholder Coup, the next iteration of the Global Conference on CyberSpace (GCCS2015) will be held on April 16th and 17th in The Hague, the Netherlands this year. It is the worlds’ premier political conference on Cyberspace.

The Internet was founded on, and has ever since been based on, the multi-stakeholder principle. That is to say: the Internet does not belong to any government, it belongs to everyone equally.

In fact, aside from lending material support, governments have had precious little to do with the development, implementation and administration of the Internet. The brunt of the work has been done by civilian institutions such as the IETF, ICANN, IANA and a whole slew of similar civilian non-profit organizations.

But as time progressed and the significance of the Internet grew, so too did the urge to control grow at the worlds’ governments.  This is signified most clearly by the continued attempts of the UN to move this piece of internet governance away from US-based ICANN to the International Telecoms Union (ITU).

At first glance, the ITU seems innocuous enough. It has a membership of over 193 countries and over 700 commercial entities such as Apple and Cisco. However, the ITU is an agency of the UN and therein lies the rub.

The ITU is ultimately subject to the will of the UN charter members. They will face considerable pressures by many UN nations such as Russia, China and Iran, who are staunch supporters of ‘cyber sovereignty’.

The ‘cyber sovereignty’ camp considers the current state of affairs to be directly threatening their national security primarily because they have no easy way to censure content. They will no doubt push for measures stifling internal dissent and perhaps even for measures to censure content disagreeable to them.

In fact, they’ve pretty much said so.

Several blows have already been dealt to advance the power shift towards the ITU during the 2012 World Conference on International Telecommunications (WCIT), as excellently commented on by Alexander Klimburg in his article “The Internet Yalta”.

In his article he describes how China and Russia managed to sway most of the developing nations to supporting ‘cyber sovereignty’, and the whole issue devolved into essentially a bipartisan issue in which the developing nations aim for governmental control of the Internet, and the Western nations prefer to keep the status quo.

There does not appear to be a middle ground. WCIT was, in this respect, a political cloak-and-dagger event of almost Machiavellian proportions.

It had it all: the polarization of the voters, sudden ‘midnight votes’ that most parties were left uninformed about, and attempts at tricking voters into voting on articles that were thought to contain something other than it did.

Both the ‘code of conduct’ and the battle for the internet’s multi-stakeholder principle shine through in the Seoul Framework for and Commitment to Open and Secure Cyberspace that was drafted for the 2013 conference in South Korea.

It is this framework that will be the key talking point in The Hague this year. The Netherlands has already stated that it would support further work on this framework, but given its democratic nature and strong culture of international trade, this is hardly surprising.

In an earlier published flyer the official statement was made that the ‘self-organization of the Internet should be supported and is preferred to regulation imposed by states’.

It can only be hoped that all sides remain cordial and that political sleight-of-hand doesn’t catch anyone off guard. The result of such an event could very well mean the end of the Internet as we know it.