Cybersecurity Trends, English Edition, No. 1 / 2018
Practical Human Security
«Cybersecurity-Switzerland» 360° Congress White Paper
Contents
Editorial: Will the use of machine learning help enhance collaboration in cyber defence? By Norman Frankel (p. 2)
International Telecommunication Union. By Marco Obiso (p. 3)
«Cybersecurity-Switzerland» 1st edition. A White Paper. By Laurent Chrzanovski (p. 4)
Practical Human Security. By Anastasios Arampatzis and Justin Sherman (p. 22)
When sport can become a national security issue. By Nicola Sotira (p. 32)
The hidden risks of mobile phone systems. By Giancarlo Butti (p. 34)
Cyber criminals have no boundaries! Dakar, Senegal. By Marco Essomba (p. 36)
C4, Cyber and Digital Transformation. By Olivier Kempf (p. 38)
A pearl of culture: Bluetooth. By Laurent Chrzanovski (p. 41)
Editorial
Will the use of machine learning help enhance collaboration in cyber defence?
Author: Norman Frankel, Chairman, iCyber-Security
Whilst 2018 has got off to a quieter start than 2017 in terms of media headlines, given the impending introduction of the GDPR in Europe we can be sure that it will not be long before more newsworthy attacks surface. Maybe the crash in crypto-currency prices from mid-December has led attackers to take a back seat and spend time working on the next forms of attack. With prices starting to rise again, and with the prize on offer of inflicting public corporate embarrassment once the GDPR applies from the end of May 2018, we should not be too surprised if Q2 sees some fireworks.

Last year I had the pleasure of attending the two Cybersecurity Trends conferences in Sibiu (September) and Porrentruy (December), held under the aegis of the ITU, the UN's specialised agency for telecommunications, as well as a number of other conferences. For me the most notable trend was the shift from a complete absence, in the first half of 2017, of any conversation on machine learning and the place it might hold in cybersecurity, to it occupying over half the topics of discussion in December. It seems the pace of evolution of attack vectors, increasingly in the hard-to-discover application layer and now rapidly moving into the processor layer of mobile devices, has reached an inflection point at which an already scarce skilled technical workforce can no longer cope. The pace and volume of new niche vendor solutions, and the need to still protect against possible vulnerabilities across all seven layers of the stack, is so great that no human can now learn fast enough to acquire the knowledge needed for efficient defence. To this challenge we can add the multiplication of risks about to be caused, at home and in the office, by the connection of IoT (Internet of Things) devices, and the risks smartphones bring in a Bring Your Own Device culture.

Will we therefore see the rise of the robot: a software-driven platform capable of self-defending and self-learning, operating exponentially faster and on parallel tasks that a human technical support operator could never keep up with? Whilst there is much to develop in this area, I do believe 2018 will see the rise of a new mega-trend in this area of cybersecurity. I further believe that these platforms can add value to the business or environment being protected, helping technical staff feel more motivated by removing mundane process tasks and, more importantly, freeing up their time to communicate actively within their organisations and networks. Communication is the foundation of better collaboration, and it is only through collaboration that we can better defend ourselves.

The next UN-supported conference will take place in Sicily in May. I do recommend readers put the date in their diary and pre-book attendance, as the knowledge and wealth of experience on offer, in one place, over two days, is first class. This edition features a detailed review of the speakers and topics discussed at the December conference, so the reader can judge the wide range and quality of speakers the organisers pull together.

This edition of Cybersecurity Trends looks more closely at machine learning. In an excellent article on Practical Human Security, academics Justin Sherman and Anastasios Arampatzis demonstrate that human flaws will always remain, and that the only solution is to use technology tools to reduce or remove the impact of human error in the defence ecosystem. Olivier Kempf's article looks at Digital Transformation, again drawing the conclusion that advanced computing tools are going to be needed to help people better manage the ecosystem.

With mobile devices likely to be increasingly the gate through which attacks enter the ecosystem, we have excellent articles from Nicola Sotira, illustrating the military exposure caused by the Strava fitness app, and Giancarlo Butti, who highlights the hidden risks of smartphone mobile systems. For those among you who like history, Laurent Chrzanovski explains the origin of the term Bluetooth.

As stated in the last editorial, if we are to address complacency then it is the Board and the Executives who need to set the tone of a culture that discusses and addresses these issues. Without an effective culture, collaboration even within the business will fail and breaches will remain commonplace. We invite you to join in the process and submit articles or suggestions for us to cover. The goal of this publication remains to open up knowledge and information sharing across research and commercial activities, providing a bridge between public and private dialogues, with the aim of helping our world operate more safely given the growing frequency of attacks that seem endlessly to attract media attention. If you would like to contribute articles, have suggestions for topics to cover in future editions of the magazine, or wish to purchase hard copies of the magazine to give to your customers, please contact us via email at info@cybersecuritytrends.uk. On our website http://www.cybersecuritytrends.uk you can also view publications in other languages and countries and purchase advertorials for future editions.
Authorities
Author: Marco Obiso, Cybersecurity Coordinator, International Telecommunication Union (UN, Geneva)

Dear Readers,
If 2017 brought a mix of complex, worldwide cyberattacks, as well as fake news in the headlines of mainstream media almost every week, this year seems to start at an even higher level with the disclosure of vulnerabilities affecting the most vital part of our devices: the processor itself. More than ever, awareness raising, consciousness, education and capacity building in the fields of cybersecurity, resilience and defence are the key to a better, safer and more enjoyable digital life. The ITU is continuing its efforts in all these fields, involving its members as well as promoting efficient partnerships.

In the present issue of the journal you will find an example of a positive and proactive achievement in the sharing of information on threats and solutions among actors of all the sectors involved: private and public specialists, but also private and public users. We salute the multiplication and adaptation, by the Swiss Webacademy and its partners, of the dialogue-platform concept developed for Central Europe in Sibiu since 2013. The birth of the annual platform dedicated to Western Europe (in Porrentruy, Jura, known as "Cybersecurity-Switzerland") and, next May, of its counterpart to be held in Noto (Sicily) and focusing on the Mediterranean ecosystem, are much-needed events to be added to the existing ones. Above all, in our times, many congresses, conferences and meetings end with their final panel, after the last speech. The Cybersecurity-Switzerland congress instead delivers, in four languages, a white paper of more than 40 pages allowing everyone to grasp the core substance of the papers of all the speakers present, bringing food for thought and many ideas to develop further, as the event, supported by the ITU, considered the many important security elements that impact on, or come from, the digital world.

The day before both the Sibiu and the Porrentruy conferences, the Swiss Webacademy, duly backed by the specialised departments of the Romanian and, respectively, Swiss police, set new European and Swiss records for the number of children and teenagers made aware of the dangers surrounding them in their virtual lives, as well as of the best and easiest precautions to take. The ITU has therefore decided to join and co-organise the awareness day offered by the Swiss Webacademy to Sicilian children and teenagers in Noto on the 9th of May, with the prestigious and much-needed partnership of the Italian National Communications Police and the Cyber District of the Global Cyber Security Centre (a foundation of Poste Italiane). Education and a cybersecurity culture, in a world where we humans are, day after day, the weakest link in the digital defensive line, are a must. We all have the duty to work together in this field to offer the young the information they need to avoid the mainstream traps and dangers.
Cybersecurity Trends Central Folder
The partners from Belfort led a huge delegation at the congress!
The members of the AR-10 of the IHEDN (Institute of Higher Studies in National Defense) with the special VIP guest, General (5 stars, ret.) Marc Watin-Augouard. First from left, Christian Arbez represents the Chamber of Commerce and Industry of Belfort (as its General Director), and first from right, Jean-Luc Habermacher represents the Energy Valley Cluster (as its Founding President).
Day "0": 6th of December 2017
Awareness day for teens and adults
One of the founding pillars of our Cybersecurity Trends congresses is to offer the local population a free awareness day, pointing out the main dangers everyone faces on the net and proposing solutions for protecting oneself against the most common threats. The morning was organised as two ninety-minute sessions, attended by over 440 teenagers and 32 teachers (i.e. 18 full secondary-school classes, a new national record in Switzerland for the numbers reached!). The Jura State Police, represented by officer Daniel Affolter, responsible for communication and prevention, and by inspector Sylvie Allemann, responsible for IT&C cases within the Judiciary Police, presented the main problems during a question-and-answer session. Our special guest, Pierre-Alain Dard, head of the Minors' Brigade within the Geneva State Police, illustrated the problems his team faces, insisting on each teenager's rights, but also responsibilities, when acting on the net, mostly on social media. Daniela Chrzanovski (Swiss Webacademy) showed the main risks each teenager faces on the net and led an interactive quiz inspired by the "Stop. Think. Connect." concept, ending with gifts and booklets, produced by the Swiss Federal Police, for every teenager. The ten "best aware" teenagers of each session won special prizes offered by UBS.

The special evening for adults and entrepreneurs was a clear sign of the deep interest in the topic, with 115 adults attending (27 entrepreneurs, 28 IT administrators from the public sector and 60 citizens). The programme was as follows. Pierre-Arnauld Fueg, Lord Mayor of Porrentruy, underlined in his welcome speech the vital importance for every adult citizen of being aware of the dangers of the digital world, in order to build a solid and resilient society. Francisco Arenas, Manager Solution Business Sales within UPC Western Switzerland, discussed a recent "new deal" which will clearly differentiate Swiss internet providers, with the customer's cybersecurity as a core pillar of the contract. Laurent Chrzanovski explained the latest trends in the threat landscape and some basic yet vital measures to prevent most of them. In the second part of his talk he focused, for the benefit of SMEs, on some major incidents which took place in 2017 (causes, effects and the lessons to be drawn from them), as well as on a new privilege for Swiss citizens: the possibility of being insured against cyber-risks at a very reasonable price, through insurance contracts which are not available to the citizens of most EU countries.
The congress: welcome speech
M. Pierre-Arnauld Fueg
The congress was opened by the Lord Mayor of Porrentruy, Mr Pierre-Arnauld Fueg, with the following speech: "Ladies and gentlemen, dear guests, as Mayor and in the name of the City of Porrentruy, it is a pleasure and an honor to address you today. We feel like the myth which gave birth to the 13th-century coat of arms of our city. The wild boar has a legend entirely linked to security. Here is how the myth goes: «once upon a time, a singler beast, running at full speed, was able to jump over the 10-feet-high city wall as if it were a small, worthless fence. This providential wild boar was hence, doubtlessly, the messenger of the Protective Powers of the City, and the Municipal Council decided that the animal would become the emblem of the noble city of Porrentruy». This episode made the Counselors understand that at certain points the city wall was insufficiently tall to resist an enemy's assault, and they immediately decided to strengthen the weakest sections of the wall. Nowadays Counselors and authorities are more than aware that the digital wall of our city, of our administration, of our power grid and of our citizens' protection has to be beefed up on a regular basis. We are thirsty to understand better the global trends in the now daily mutating threats, to be able to take the best decisions, to adjust our standards, to enforce the correct measures topic by topic, and to become as good in resilience as we have succeeded in being in energy-use management.

Therefore, in early May, the Municipality of Porrentruy and the Swiss Webacademy created together the basic file and factsheet needed for a macro-regional dialogue platform on cybersecurity to be held yearly in our city. On the 3rd of July the City Council voted in favor of this initiative and the Municipality became co-organizer of the event, supporting it with human and financial resources. During the summer, taking into account the very short time available to give birth to the 1st edition, it was nicknamed by all the head organizers "edition 0.0". Today, looking at the speakers around us, with their amazing skills and positions, it is the organizers' "0.0 brains" which cannot believe this is real. The City of Porrentruy is extremely honored. As a local authority, we are very grateful to all the decision-makers from SMEs and companies from the Canton of Jura and from the neighboring French departments who are among the participants in this première. For helping us we are deeply grateful to the International Telecommunication Union for granting its aegis, and to the prestigious Italian, French and Swiss institutions for granting their partnership and support to the congress. We are already starting to work hard to raise next year's participation to the high standard set by the guests who accepted to join this very first edition. For the achievements of this first edition and for the challenges awaiting us in the second one, we would like to thank the constant involvement of Mrs Daniela Chrzanovski and all the Swiss Webacademy's staff, as well as of Mrs Jasmine Greppin, who restlessly took up the thankless task of local logistics and bookkeeping with Eureca'Venture and worked side by side with the Municipality's team, made up of Mrs Magali Voillat and Mrs Anaïs Cuenat. Last but not least, daily, head organizer Laurent Chrzanovski, with Jean-Jacques Wagner and Luca Tenzi, engaged their amazing know-how and added their impressive networks to ours. The result of their work is impressive: today Porrentruy hosts VIP speakers from 8 different countries and 7 global organizations, and is a real 360° international platform. The whole Municipality hopes that the congress and the charms of our city will really blossom through the knowledge, the network and the personal impressions you will take home after these two days. Meanwhile, we just want to give you the warmest welcome and, with all our staff remaining at your disposal, to wish you a successful congress and a very pleasant stay in our city."
Day 1: 7th of December 2017

In the opening presentation, "A CEO's vision: to be agile and capable of changing one's vision when it comes to cybersecurity", Xavier van Nuvel, CEO and founder of Digital Solutions and OpenOnline (Switzerland), delivered his vision of what innovation should be and, above all, of a company's resilience thanks to the human factor and its capacity to adapt to an environment and to threats in constant evolution. With three keywords, COOPERATION-INNOVATION-ANTICIPATION, the speaker highlighted the vectors which depend on rational agility (pedagogy, proactivity, collegial synchronisation) and those which depend on emotional agility (empathy, comprehension of the situation, constructive "rebellion"). In a world which is every day more structured around data (transmitted or exchanged), and whatever the technological tools used, the CEO and the CISO have a duty to help their teams develop their faculty to be agile and to synchronise their interactions better, bringing new, useful ideas to the organisation.

The first speaker of the "army & cyber" panel, Col. Marc-André Ryter (Collaborator for Doctrine within the Swiss Army General Staff), made a precise and crystal-clear dissection of the challenges and threats of the digital transformation any "4.0 army" is undergoing, seen first as a whole and then from the Swiss perspective, taking into account the country's geopolitical and strategic position and the means at its disposal. The strength of the speech, enhanced by carefully chosen images, clearly showed the difficulty of the very long process, in the hands of any army decision-maker, of choosing any connected device, from a simple soldier's helmet to a semi-armoured vehicle or a drone.
As a matter of fact, the real data available during the preliminary analysis (finances, environment, demography and technology) are what gives birth to the draft masterplan, which includes all the development measures, human as well as technical, allowing the army to decide to buy and adapt all the connected elements to be used within the latest-generation weapons and military equipment. The talk demonstrated perfectly the difficulty of evaluating weapons with a strong connectivity component, and the challenge of imagining future threats that are often hard to conceive in the present because of the timescales of the decision-making cycles. The presentation, rich in information, is supported by his research in an outstanding article published in the Military Power Revue of the Swiss Armed Forces (no. 1/2017, pp. 50-62), available for free download [1].

Next, Julien Provenzano (CEO of the start-up Pré-Ka-Ré) presented a next-generation prototype of a connected infantry glove that his company is developing to help soldiers give "manual orders addressed through electronic gloves". After demonstrating the equipment with a SWOT analysis, the speaker explained all the risks and threats should it fall into enemy hands, should it be put out of use by a disruptive attack or, even worse, should an attack lead it to transmit false data and orders. The public had the chance to see not just the advantages of such a tool, but the complex range of parameters to take into consideration in order to secure an immense number of details, each of which can become a vulnerability.

Completing the "army & cyber" panel, Alexandre Vautravers (Head of the Global Security Programme at the Global Studies Institute of the University of Geneva and editor-in-chief of the Revue Militaire Suisse) focused on the complexity of the very concept of today's wars, which take place on the real battlefield, with their cohort of hybrid conflicts, and on the digital battlefield, which is essentially a non-military zone (i.e., strategically speaking, we witness the switch from "soft power" to "smart power"). Today's wars cover four dimensions: 1) population and economy; 2) CIMIC actions (civil-military cooperation); 3) tactical operations; and, last but not least, 4) all the strategic and operational actions. The speaker then dissected the Swiss system, demonstrating clearly that today not a single army is able to resolve a conflict with its own forces if it does not have the full support of a complex public and private infrastructure covering almost all the fields of "law enforcement", to which active public-private collaborations must be added, as well as regular workshops with governments and the political world. Progressively enacted, this multi-stakeholder architecture, which sets the "cyber" dimension as its central focus, has repercussions on all traditional forms of security. It may look very complex at first glance, but it is starting to give proof of viability and usefulness and, above all, for Switzerland it is the only viable solution fitting a neutral and federal country with a traditional vocation for consensus [2].

The speech of Marc German (expert in cyber-crime and corporate diplomacy) made the junction between the military world, secured "by duty", and the business world, underlining that business intelligence and cybersecurity are in fact two actions to be carried out as one, since they constitute the two sides of the same medal, that of the company's survival. He urged the adoption of a proactive defensive as well as offensive attitude, as the globalised economic world is an ecosystem in which organisations are fighting to strengthen their competitiveness and optimise their costs, and in which several companies do not play "by the rules", or at least not by the same rules. For Marc German, "competitive intelligence is to hold and exploit useful information in order to generate lasting value in a company, through different coordinated actions: research, analysis and exploitation of all the information useful to the decision makers. Competitive intelligence is to transform information into intel and to transform raw matter into grey matter". Without crossing the limits of the law by ordering "black ops" against competitors, an attitude which is alas widespread, the author insists that in order to survive, grow and win, a company must be offensive and seek value from any information which can enable it to be one step ahead of the others. At the same time, it must also protect its own data, its methods and its know-how, i.e. its treasure, the target of the darkest wishes of all its competitors [3].
The second session, devoted to the latest technological challenges, opened with a keynote speech delivered by Martin Lee (Head of Security Research within Cisco Talos, U.K.). After summarising the biggest attacks witnessed in 2017, the author identified a common denominator among all of them, i.e. a central point made by the superposition of four phenomena, already well known but now blossoming: the evolution of ransomware and the peak in its return on investment, reaching 34 billion USD of gains per annum; then the "democratisation of threats"; and, third, malware without a precise target but with a pandemic propagation power (WannaCry, Nyetya...). The fourth phenomenon is without doubt the most worrying one, as it will take time to change: the complacency of companies in using permeable, poorly programmed, vulnerable and easy-to-attack tools and, above all, in using them for a long time without due care, often not knowing they have already been compromised for months or even years. In his conclusion, Martin Lee insisted on the importance of companies' IT architecture, a structure which needs to be examined point by point, in a less "techie" version, much easier to understand than the famous NIST framework.

Concurring, Roland-Iosif Moraru (Professor and Vice-rector at the University of Petrosani, Romania) pleaded for the acquisition of a real security culture before specialising in the securing of systems. Because even if the needs are the same, the order of priorities is far from identical: for the business sector, for instance, the "top 3" is confidentiality, followed by integrity and availability, while for the industrial world availability comes first and confidentiality last. In order to guarantee availability to the client and to counter attacks, all systems must be tested systematically, levels of security must be planned (segmenting the control system), and each component of the system must be strengthened regularly, along with clear procedures for every employee to follow as soon as an intrusion is detected. Security of humans as well as of machines, constant vigilance, and daily knowledge of the incidents and attacks targeting
companies of a similar profile are the three basic axioms without which no technology will ever solve, alone, assaults which become daily more sophisticated, mutating and evolving.

Christophe Réville (Co-founder of the IE2S Summit and specialist in strategic intelligence) discussed the dangers of a hasty introduction, under pressure from vendors, of tools with the new "machine learning" function, without knowing all the security parameters, strengths and weaknesses of each of them. Whilst often presented to decision-makers as the "all-solving" solution in terms of efficiency, cost reduction and error-shrinking performance, these tools can reveal themselves as the ultimate open door for any kind of in-depth attack. To illustrate, Christophe Réville declared that Artificial Intelligence "went from a reasoned and logical functioning, or "left brain", in which it lay dormant for more than thirty years (data mining, linear algorithms, etc.), to a paradigm which integrates a global vision and an intuitive process typical of the "right brain". A chaotic revolution in which behaviours induced by machines draw very improbable fractals...". The author also illustrated his point with a worrying example, that of a group of connected computers which abandoned English (the communication language used between programmers and machines) and started creating and using a unique language, understandable only by those machines, until they were disconnected. Would this be the beginning of a fight of machines against machines, escaping any human control? The stakes of such a possibility motivated 116 founders of robotics and AI companies to address an open letter to the United Nations (on 20.08.2017), asking the world community to take the necessary measures before a fight between artificial intelligences becomes a real and deadly danger for mankind in the case of armed use.

Christophe Madec (expert in cybersecurity) and Jean-Gabriel Gautraud (BESSÉ Counsellors) explained the difficulties met by risk managers in their work meetings in different companies as soon as the discussion turns to cybersecurity. As a matter of fact, a risk manager is not himself an expert in cybersecurity and, even if he has been trained in this field, he often has to deal within a company not with a CISO but with a simple IT manager; hence the problem of finding a common vocabulary and a common ground for a constructive discussion. For lack of digital culture, most companies define the risk as a strike against their strategic challenges and not against their infrastructures. They delegate to the risk manager the tasks of verifying and insuring everything that management considers "critical" [4]. In consequence, the multiple impacts of a modern cyberattack, illustrated by one targeting the production chain as well as the sales and supply channels and generating internal and external damage, remain largely misunderstood by decision-makers. We witness a "cultural clash" in which, without duly trained people in charge and secured infrastructures, it becomes impossible to insure state-of-the-art defences. In France today, while 95% of the top-40 companies listed on the Paris stock exchange (CAC 40) are insured against cyberattacks, only 3% of mid-size companies and less than 2% of SMEs have insurance.
Opening the session dedicated to new-generation tools and strategies, Bénédict Matthey (Cyber Security Executive within Darktrace), together with Hippolyte Fouque, introduced and illustrated some of the added value that can be brought by tools in which Artificial Intelligence is used almost exclusively to improve cybersecurity performance. Facing exponentially growing quantities of data and employees with ever more diverse tasks, it becomes essential to allow human vigilance and expertise to focus on fundamental and verified information, as well as on anomalies, many of them stemming from human behaviour or from systems which run in an abnormal way, all of which are signs either of a simple malfunction or, worse, of a state-of-the-art attack targeting the company.
Among the new generation of connected tools are cars, the topic of the presentation by Yannick Harrel (Head of Strategic Affairs within the German-French Technology & Strategy). As set out in his latest book, Automobiles 3.0 [5], current on-board vehicle technologies imply numerous security problems, caused by native vulnerabilities in both the systems and the communication means, so that today's cars are not just the work of the manufacturer (the brand you buy) but also of all the equipment suppliers, mostly giants of the IT&C domain. Insisting that breaches are not always due to a lack of care or to negligence by producers and suppliers in securing connected components, the speaker underlined that many software vulnerabilities are in fact unknown until attackers exploit them in a zero-day attack; only upon this discovery are they patched. Two factors combine to create very poor vehicle security through an excess of IT tools: the first is customers' demand for a whole panoply of functionalities within their car, which makes it impossible for a brand to limit the technology, for example by making it impossible to deactivate the electronic aids meant to stabilise the vehicle in every possible situation; the second is hackers' inventiveness, greatly aided by the multiplication of the number of access points within a modern car.
Yannick Harrel’s speech concluded with a call for autonomous or semi-autonomous cars in which each single connected component would be conceived on the base of the “security by design” methodology, flanked with its cohort of tailor-made data encryptions to still provide user sensible commands of the vehicle. Back on the topic of Artificial Intelligence (AI) and its rôle in “4.0 cybersecurity”, Battista Cagnoni (Cyber Security Expert, Vectra) explained the reasons for a company to possess a SOC (Security Operations Center) with toplevel human resources perfectly mastering the processes as well as the technologies, before applying any AI techniques to security. It is the primary condition that the last-generation security applications – associating A.I. and Machine Learning – will be of a real benefit and offer true added-value, allowing for example to automate human actions in the field of data and info selection, actions which are mundane, to let the SOC focus on data revealing anomalies. These techniques have proved particularly intuitive in the field of anticipating methods used by criminals, allowing SOC team members to focus on resilience, defense in case of an attack, recovery and restoration of the infected zones and, after, time to make in-depth forensic analysis and incident investigations.
Above all, the new techniques bring more homogeneity and coherence to team actions, avoiding friction during the crisis management process. But Battista Cagnoni is prudent: in his opinion, many AI-assisted cybersecurity processes are not yet fully up to standard, as they are new on the cyber market.
One of the most important points is his illustrated advice to take care when it comes to the two keywords (AI and Machine Learning), as they are becoming – like many other terms used in the digital world – real “open boxes for everything”. Opening the debate on new strategies to adopt, Luca Tenzi (Specialist in Convergence) underlined that the simple convergence between the physical and the digital world is still not understood. He recalled a recent quote by Scott Borg, Director of the U.S. Cyber Consequences Unit: “As long as organizations treat their physical and cyber domains as separate, there is little hope of securing either one. The convergence of cyber and physical security has already occurred at the technical level. It is long overdue at the organizational level.” The largest problem of this inadequacy is that it touches the very nature of the generation holding decision-making power today, those who did not grow up during the digital era. Luca Tenzi’s speech highlighted how SMEs and mid-size companies face the same battlefield of vulnerabilities and dangers which, until a few years ago, were specific only to very big companies. Using a picture showing all the vulnerable points of a standard office wifi scanner-printer, the speaker highlighted mistakes or bad practices due to a lack of coherent digital culture (CCTVs, air conditioning systems, alarms, often linked to servers and supervised only by physical security specialists). He then showed the exponential growth of drone sales (mainly for infrastructure surveillance or small package delivery), a domain where (almost) only the specific sector of governmental acquisitions has special charters where security must be at the core of the drone’s hardware. Luca Tenzi’s concluding quote was merciless: “The lack of technical knowledge of physical security service providers on IP-based systems and IT platforms provides an ideal opportunity for cyberattacks” (PSIM Video Surveillance Report 2017, v.6).
Artur Lazar (Deputy director of the Cyberint Centre within the Romanian Intelligence Service) brought a global geostrategic point of view complementing Luca Tenzi’s speech. Research [6] on the definition and the rôle of cyber-power shows that a real state cyber-power must have as its base a homogeneous structure built on the four conventional powers, but this “fifth cyber power” becomes a power in itself, available to hybrid entities as well as to non-governmental ones. Worse, we witness a total fusion between online and offline worlds, such that soon we will be unable to make any difference between them. This will expose the less resilient ones to attacks coming from everywhere, including domains traditionally considered as belonging exclusively to “physical security”. With sober optimism, Artur Lazar reaffirmed that today, even if criminal or terrorist groups, anonymous entities and weak States can certainly acquire offensive capacities and create damage – sometimes even huge damage – the real cyber-power remains in the hands of the most powerful States. This is because they have at their disposal all the governmental, economic, military, social and legal bases to make new laws and rules, to innovate, to counter-attack, to reinforce their resilience by optimizing their collaboration with citizens and the private sector, and, last but not least, to inject colossal amounts of money when necessary, all these fields being out of reach of a non-governmental actor or a rogue nation. The solution? To have “smart” States, political élites aware of the challenges, listening to experienced technocratic counsellors who understand the risks and possibilities in the short, medium and long term; in this way, a State can invest on a regular basis and create the necessary dialogues to build up a Citizens-Companies-State dialogue as well as international cooperation.
The fourth and last session of the day, on the challenge of information sharing, involved live streaming from the Regional Operations & Intelligence Center (ROIC) of the State of New Jersey. Joe Billy Jr. (former deputy director of the FBI) and Lieutenant Jeremy P. Russ (New Jersey State Police) spoke about the importance of real and efficient collaboration between the private sector and the diverse State institutions specialized in fighting criminality in all its forms. Thanks to Lt. Russ’s actions, the Private Sector Advisory Group (PSAG) and the Fusion Center, New Jersey now has a “one-stop shop” for companies, which collaborate actively on security (from signaling a single potentially dangerous person in a shop to asking for or providing assistance during an ongoing cyber-attack), while the ROIC offers training, advice, assistance and meeting groups through which they learn the key challenges for the economic and social ecosystem of the State. Joe Billy Jr. explained the model built by the US ROICs, among which New Jersey’s is by far the best performing. Placed under the control of the State Police, they bring together agents from most American federal agencies (FBI and Homeland Security), shortening the response time to alerts and the deployment of a ground force according to the type of incident. The financial model of the centers (public-private) involves mutual collaboration, as everyone gives and receives at the same time. The very idea of such a fusion center meets the request made by Luca Tenzi in his prior speech. It is a brand-new concept, as teams work 24/365 on all security cases, from a simple crime to a terrorist attack and from a small data hack to a massive cyberattack, including all kinds of natural or human disasters which may happen in the territory they are in charge of protecting.
The sharing of intelligence on cyber dangers and threats – aiming to protect very sensitive information – was at the heart of the speech by Chems-Eddine Zair (CISO of the International Telecommunications Union – UN/Geneva). He explained the 2014 birth, and recent implementation, of the STIP (Shared Threat Intelligence Platform) common to all UN agencies, meant to build a secured environment allowing him and his peers in other agencies to work in coordination and to strengthen their global resilience. The capacity to defend against ongoing threats and to anticipate incoming ones has been multiplied, as the platform learns the anatomy of attacks on other agencies and constantly updates the resilience procedures for each organisation, so that all of them become immune if any one is targeted with the same techniques already used to hit another agency.
Information sharing in the light of its vulnerabilities was shown by Dr. Stephen Foreman (Head of metadata, data management and representation within the World Meteorological Organization – UN/Geneva). When one is responsible for data in such an important organization, one can be the target as well as the collateral victim of an attack. The WMO receives relentless updates from the specialized agencies of 185 Member States, from many different satellites and from a multitude of connected maritime or airborne transport means, hence it has to be vigilant not only about the validity of all those information feeds, but also about their implications for third parties.
The challenge is huge, as in a few decades the same reports have passed from 50 baud lines (telex) to short text messages, to binary representation folders or XML documents, reaching now several gigabytes, in which malware can be hidden. In order not to be a “vulnerabilizing information provider”, WMO had to work closely with many government and military agencies, maritime companies, owners and lenders of cargoes, etc. For example, it had been discovered that the meteorological data transmission from each huge ship, through conventional channels, was used by pirates to locate and then attack those vessels.
The day ended with Laurent Chrzanovski (Manager of the Congress and Founder of the quarterly magazine Cybersecurity Trends) reviewing the positive and negative consequences of compliance. Permanently in contact with big companies, the speaker remarked, even more so with the approach of the GDPR enforcement date, an exponential growth in the number of senior managers and employees used for merely administrative tasks, flanked by law and security experts, whose only activity was to draft compliance reports for internal use and for submission to the State regulators – when the EU State institutions themselves will be less than 30% really “compliant” with the GDPR rules. Exactly at the point when everybody is claiming that the ecosystem lacks security specialists, Laurent Chrzanovski considers it dangerous that most company boards consider GDPR as merely a compliance matter, as if “confidential data” could be isolated from all the rest of the security framework… For the speaker, this phenomenon is not without parallel to the exponential growth of administrators vs. practitioners in American healthcare structures, where the disparity reached 200 to 1 and a cost boom of more than 2300% over the last 40 years… On the positive side, in countries where the insurance market is blossoming, like Switzerland or Luxembourg, the GDPR generated the recent birth of a real offer for citizens, who can choose their personal priorities on which data they wish to protect. This makes them among the very few Europeans able, thanks to insurance policies sold at very reasonable prices, to afford starting a legal process in the United States, with costs covered up to one million Swiss Francs [7].
Finally, the day ended with Marco Essomba, Norman Frankel and Laurent Chrzanovski of Cybersecurity Trends launching the German language edition, making it the 5th language of the free quarterly awareness magazine. Its official launch will take place in 2018.
The Swiss Webacademy team: Andreea Mihet, Marius Amza and Daniela Chrzanovski.
Day 2: 8th of December 2017
Rosheen Awotar-Mauree (International Telecommunications Union, Programme Officer, Europe Bureau) outlined the UN agency’s support to the Porrentruy Congress, and the leadership role this institution has had in the cybersecurity domain since the UN’s 2007 General Assembly decision. Here, the ITU developed a framework to help member States continuously develop their resilience capacity, with the current situation in each State described on a regular basis in the Global Cybersecurity Index, last published in 2017 [8]. This index, classifying States according to their resilience capacity, uses a wide range of parameters regarding the digital security of the States, including public-private partnership initiatives, different courses and capacity-building programs and trainings dedicated to increasing human as well as technical skills.
Christos Tsolkas (Vice-President at Philip Morris International, PMI) provided a case study of a major crisis he had to face, first as acting director of PMI Greece when the economic crisis came, then as acting director of PMI Ukraine when Russia invaded: violence in the city and employees deeply divided on the topic. Showing a number of dramatic global pictures from 2014, he demonstrated that no one is safe and that each major crisis has just one solution: to build amazing teams offering each employee the possibility of developing both personal skills and a collective attitude. Nevertheless, to succeed in this operation, one must learn to build one’s purpose inside the company’s business model, a purpose which must become a relatable reason for all, setting the consumer at the epicenter (user-centered design). It is in this paradigm that one can find the best possibility to resist the worst and, even better, to produce results.
The second guest was Costin Raiu (Director of the Global Research and Analysis Team within Kaspersky Lab). The famous researcher went through the major persistent threats (APTs) which blossomed in 2017 as well as the constant mutations and vulnerabilities which allowed last year’s most important breaches. The most worrying aspect revealed was displayed by the “Lazarus” case, i.e. a criminal group specialized in advanced cyberespionage techniques which launched its own “branch”, “Bluenoroff”, dedicated to massive bank fraud and crypto-currency mining. The attacks became increasingly sophisticated, with many forms of camouflage, and increasingly chameleon-like. As such, an attack which seems to be a bank fraud can in fact hide a successful industrial espionage exploit or, in another case, a crypto-ransomware attack can mask a real malware tsunami aiming to immobilize entire production or distribution chains. To this, we can now add groups specialized in propaganda and counter-propaganda of a very high level, a factor which motivates the political and media worlds to affirm attributions, often to sovereign States. “Intox” as well as “false flags” became a major goal of the best cybercriminal groups, as well as the “free” delivery of vulnerabilities or the use of open source programs, both parameters chosen to confuse even the specialists dealing with the origins and desired
aims of any precise attack. The multiplication of actors, the resources acquired by the most advanced groups, the voluntary use of leaks and of espionage activities aimed at disrupting financial systems are in full growth, and one logically has to expect a boom of those phenomena in 2018, Costin Raiu concluded.
The last special guest was 5-star Army General (ret.) Marc Watin-Augouard (Founder of the Forum international de la Cybersécurité). The General made a real case for the rebirth of a sovereign Europe. For this, he unveiled a poorly known aspect of the GDPR: it is a real diplomatic and commercial tool finally in the EU’s hands. As a matter of fact, from May 2018, any third country desiring to trade with countries of the EU will have to harmonize its own laws in order to allow its companies to respect this directive and to guarantee the rights of their clients and contractors if those are European. If Europe is strong, it can use the GDPR to go much further, for instance to impose the compulsory location, within its borders, of the servers holding any data listed in the directive. With optimism, the General considers the GDPR as the first real tool allowing the EU to negotiate as an equal with the world’s biggest powers.
Mauro Vignati (Head of Cyber, Swiss Federal Intelligence Service) explained his mission. Without providing many details, due to the strict obligations of his function, he pointed out a key argument: with human resources limited in proportion to the country’s size, international cooperation is the only solution to fulfil his duty. The same is valid for the numerous exchanges his service has on a regular basis with the private sector. His main priority is to defend Switzerland and its strategic interests against the most dangerous permanent threats (APTs and their mutations).
Col. Anton Rog (director of the Cyberint center of the Romanian Intelligence Service) explained the work of the institution he directs as well as its priorities. Under his leadership, Cyberint took on a new dimension, opening itself to numerous partnerships aimed at strengthening not only the national resilience level, but also at growing the knowledge of all members of his teams. The Cyberint center was hence one of the pillars of Cydex, the first national exercise in cybersecurity, bringing together no less than 60 public and private structures and analyzing their prevention, reaction and collaboration capacities.
The launch of an MSc in collaboration with the Polytechnic University of Bucharest, as well as the organization, with several partners, of the “Romania Cybersecurity Challenge” – where teams from all over Europe came to compete – has helped. This component is reinforced by the 5th consecutive year seeing the Cyberint center’s active participation (more than 5,000 working hours per year) within NATO’s Cyber Coalition.
Nicola Sotira (Director of the Global Cybersecurity Center, Rome) framed the digital transformation of private companies, running towards client-friendly mobile platforms. Placed between the hammer and the anvil (i.e. the needs of the Marketing department and the wishes of users to have simple smartphone interfaces), any CISO must be tolerant, adaptive and “extinguish any early fires”, ensuring, at a minimum, that the solutions proposed are the most secure possible even if used by customers on such a vulnerable support. Future vendor-client relationships will increasingly be smartphone-oriented, with exponential growth arising from the enforcement of the PSD2 initiative liberalizing payment methods.
The competences of SOCs, CISOs and CSOs will have to evolve quickly, as the whole defense and resilience ecosystem will need to keep pace with new vulnerabilities and the weak points of every single smartphone type, a real infinite multiplication of risks compared to the traditional ones all those teams and professionals know well on the “easier” battlefield of laptops, PCs, clouds and servers.
Nicola Sotira concluded by raising a question: “Do you trust the figures that appear on your mobile phone’s display as much as you trust the money you have in your wallet?” Will the individual trust only the numbers appearing on his mobile, abandon cash and debit cards, and see all kinds of “intruders” coming to him to propose attractive (as well as dangerous) finance methods?
Mika Lauhde (CEO, 65° Security, Finland), member of all relevant European stakeholder groups (ENISA, Europol, EC, etc.), debated broader naivety. The NIS, the GDPR and many other rules, whilst steps forward, have issues. Europe has already lost all the technological battles, a reality that questions whether the GDPR alone will be able to enhance the protection of its own citizens. Drawing a parallel between existing superpowers, he showed that facing the EU’s GDPR stands (at least) one superpower which owns the operating systems for PCs and servers, the standards for smartphone operating systems, its own cybersecurity standards, its own compulsory certifications, its own microprocessor manufacturers, its own smartphone control applications and control systems on social networks. All these elements are used by every European citizen and are exploitable without any limit by third-party multinationals and governments. Worse, a significant amount of European research (in encryption, transmissions, specific systems) has been adopted and used by superpowers in the civilian domain up to avant-garde military aeronautics. He concluded that once the “laws and rule-making” are passed, the EU will have to master the basic technological tools used by everyone if it wants to survive in tomorrow’s world and not play the role of passive consumer.
Margherita Natali (Legal Support to the Division of Information Technologies, Infrastructure Service Section, International Atomic Energy Agency - IAEA) introduced the interception of the communications of organized criminal groups, exploring the methods, results and legality of such tasks. In the frame of a cyberpower, governance is progressively taking the place of sovereignty, and multinational corporations as well as individuals can compete with the old States. In this sense, States, corporations and criminals have their own professional intelligence tools and their own communication means, and can generate either breaches with powerful economic impact or major successes in the fight against criminality. In this frame, nobody should escape the obligation of contributing, each one at his own level, to the prevention of criminal actions, thanks to reinforced communication between all actors.
To explain her thoughts concretely, Margherita Natali gave as an example “Internet Relay Chat” channels (IRC), which are replacing social networks for certain types of conversations. The challenge is that those IRC channels can sometimes turn out to be real traps and sometimes tools to erase any footprint of oneself, whatever the reason for this act – legal or illegal. Among those using the Deep Web (and Tor in particular) we find more and more citizens and powerful economic actors, whose role could be to stop “doubtful communications” and to make them public, in order to build, step by step, a more transparent deep web.
Marco Essomba (Founder, iCyber-Security), in his speech “Full Stack Cybersecurity Defence”, highlighted the necessity to deeply reform the organigram and the working mode of big companies and industries. We witness today a dramatic segmentation of the treatment of security challenges across seven major domains, with few people knowing more than two of them, a reality that makes even companies with the most advanced cybersecurity capacities fall into traps for which they are ironically perfectly equipped in human and technological means. Only a leadership that is holistic, flanked and counselled at all times by a very open-minded security officer, can change the situation. This is based on common and inter-department trainings, vital to face more sophisticated attacks, which target all the procedures of a company, from financial to production tools, and where the human component is by far the most vulnerable point. It is vital, among those “7 levels” of defense, to have teams motivated by a new generation of directors, specifically among the engineers, each mastering one layer – and then explaining it to the other team members – to build the needed bridge between specialists and the niche professionals whose only objective is to be the best in the layer they are responsible for.
Olivier Kempf (Expert in security, member of the IRIS and of the Saint-Cyr SOGETI Thalès Chair of Cyberdefense) delivered his vision of two key elements to be handled correctly: cyberdefense and the exponential acceleration of digital transformation. Cyberdefense is protecting networks (cybersecurity). It also deals with other functions (surveillance, influence, sabotage). It is based on mastering the networks, the data and the flows, a task which often comes with a reduction and restriction of the use of all those elements, with digital hygiene and more secure tools. As such, cybersecurity has a tendency to restrict uses. On the other side, we witness digital transformation. This phenomenon is based on attention to user-friendliness, ultra-mobility, decentralized uses and agile product development methods.
Beyond this ultra-mobility, the underlying challenge is that of the data, already enormous, which will grow in unexpected proportions, whether through new kinds of uses or through the IoT. Data is the energy of the 21st century, tomorrow’s source of wealth and power. From info-cloud to blockchain, from Big Data to Artificial Intelligence, we witness a kind of speed rush which is building a new informatics revolution; this is based on a multiplication of data exchanges and, hence, a liberalization of uses, within private companies as well as within public organizations. Both movements seem contradictory (restriction or liberation?). For Olivier Kempf, the first is a need, the second is unavoidable. We must face them both, frontally.
Pascal Buchner (Head of ITS & CIO, International Air Transport Association - IATA) introduced the audience to a complex ecosystem: civil aviation, which is structured in “silos” and vulnerable on a multitude of points. Even if this sector could have more means to take care of its security, the weakest points are always the human factor and the complexity of decision processes. As an example, Pascal Buchner quoted numbers given by the Aviation ISAC, a cybersecurity structure created by Boeing, GE, etc., which disseminates information, vulnerabilities and good practices in real time. Alas, only 46 aviation companies have joined, plus 20 OEMs and several service providers, airports and delivery chains.
IATA’s priority is to build bridges between the huge geostrategic regions and the different sectors which are known for not communicating easily with each other, for multiple reasons. It also strives to end parallel initiatives created by different regulators, in order to establish common standards allowing the confidential exchange of sensitive data, such as flight data. To help with this, IATA developed a real “war game”, a total crisis simulation lasting around 1h45, which can be used as a model by any member desiring it. Its scenario? The worst possible: a very gifted enemy infiltrates planes, creating an event requiring immediate coordination, exchange and information sharing to mitigate the situation. The path towards a proactive defense is long, mostly because of reticence towards constant collaboration rather than the complexity of the process itself. The speaker underlined several times that the optimal defensive framework proposed is simple, but requires constant and rigorous implementation. Its founding pillar, which must accompany all employees during their whole professional life, is and will remain continuous capacity building in cybersecurity, an element which must bring together human and technical controls applied in a more regular and systemic way, using the latest available technologies.
Col. Xavier Guimard (deputy director within the STSISI - Service of technologies and information systems of the national security, within the General Staff of the Gendarmerie Nationale) synthesized his research on strategies to adopt to better counter cyber-criminality. After an analysis led over 10 years ago, the STSISI succeeded in implementing its own informatics systems, more than a hundred thousand encrypted mobile phones as well as an autonomous API and an autonomous IAM, both tailor-made. The advantage of a good strategy is to succeed in going beyond the usual frameworks and to adopt disruptive concepts aimed at better defense and counter-attack. The key to the system is its architect, whose open-mindedness creates a system easy to defend by technical staff. In this way, there is no need to have a CISO, as each officer is a CISO helping at any moment the CIO, who becomes the head of security.
The speech by Col. Marc-André Ryter (Collaborator for Doctrine within the Swiss Army General Staff) concluded that civilian structures and armies are, today, exposed to the same threats. Both sectors actively collaborate, many identical systems and applications are used in both domains, and several civilian technological novelties find a military use. All this happens with continual innovation, financial constraints and global competition. Within cyberspace, almost all hostile actions damage the civilian sector as well as the armed forces. In this context, damage to a national system has impacts which can endanger the whole population before causing loss or critical damage within the army ranks.
[1] Original paper in French: http://www.vtg.admin.ch/en/media/publikationen/military-powerrevue.html; it has been translated exclusively by Cybersecurity Trends into Romanian (Nr 3/2017), German (Nr 1/2017) and Italian (Nr 1/2018), while its English version will be published overseas soon.
[2] cf. A. Vautravers, Cybersécurité pour Genève, in Cybersecurity Trends Edition Suisse 2017/2.
[3] cf. The consequences of a poorly understood and poorly managed cybersecurity: a system that deviates from its own duties destined for implosion! VIP Interview with Marc German, Cybersecurity Trends Romania 3/2017, U.K. 3/2017, Italia 4/2017, France 1/2018.
[4] cf. in addition: Challenges and threats in cybersecurity seen from a top risk manager’s point of view. VIP Interview with Jean-Luc Habermacher, in Cybersecurity Trends Romania 3/2017, U.K. 2/2017, Italia 4/2017, Deutschland 1/2017, France 1/2018.
[5] From the same author, see “Automobiles et IoT : liaisons dangereuses”, in Cybersecurity Trends Romania 4/2016, France 2/2018, U.K. 2/2017, Italia 1/2017, Deutschland 1/2017.
[6] cf. A. Lazar, Cyberpower, a view into future powers, in Cybersecurity Trends Romania 2/2017, U.K. 2/2017, Italia 3/2017.
[7] cf. Switzerland, a country where Data Protection rules become a (paying) real asset for individuals, in Cybersecurity Trends Romania 4/2017, U.K. 3/2017, Italia 4/2017, Deutschland 1/2017.
[8] https://www.itu.int/dms_pub/itu-d/opb/str/D-STR-GCI.01-2017-R1-PDF-E.pdf
The co-organizers (Laurent Chrzanovski, Jean-Jacques Wagner, Luca Tenzi), with visible emotion, put an end to the congress, saying farewell to the speakers and the audience and thanking them all for a 1st edition where the number of topics presented, as well as the results which will blossom from the ideas born from the speeches and from the informal discussions, will continue to be food for thought for everyone for a long time.
Disclaimer: © This White Paper has been written by Laurent Chrzanovski and expresses only its author’s point of view.
Practical Human Security
“If you know the enemy and know yourself, you need not fear the result of a hundred battles.” ~ Sun Tzu, The Art of War
Authors: Anastasios Arampatzis (AKMI Educational Institute) and Justin Sherman (Duke University)
Abstract
In today’s increasingly connected world, we only become more vulnerable by the day. Cybercriminals, spies, and enemy nation-states are just some of the threat vectors that make up the modern-day cyber battlespace. Despite all of this, however, most security policies remain focused around technicalities and in doing so entirely neglect fundamental biases, both cognitive and cultural, that shape human behavior. In this paper we break down practical human security into three sections, using knowledge in cyber security, cyber psychology, systemic theory, social engineering, Bloom’s taxonomy, learning theory, behavioral economics, and the decision sciences to understand how organizations can design security around – and for – the human. We first understand the enemy, then understand the human, and then provide actionable steps for organizations to practically strengthen their cyber security postures.
BIO
Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years’ worth of experience in managing IT projects and evaluating cybersecurity. During his service in the Armed Forces, he was assigned to various key positions in national, NATO and EU headquarters. Anastasios has been honoured by numerous high-ranking officers for his expertise and professionalism and he was nominated as a certified NATO evaluator for information security. He holds certifications in information security, cybersecurity, teaching computing and GDPR from organizations like NATO and the Open University. Anastasios is also a certified Informatics Instructor for lifelong training. Anastasios’ interests include exploring the human side of cybersecurity - the psychology of security, public education, organizational training programs, and the effect of biases (cultural, heuristic and cognitive) in applying cybersecurity policies and integrating technology into learning. He is intrigued by new challenges, open-minded and flexible. Currently, he works as an informatics instructor at AKMI Educational Institute.
Part I: The Enemy
Introduction
The news is overwhelmed by stories of security incidents and data breaches that have exposed the secret, sensitive, and personal data of millions. While various cyber security professionals are characterizing 2017 as the worst incident year to date, predictions for 2018 are even worse. In addition to a rapidly-changing threat landscape, emerging technologies such as AI, machine learning and quantum computing are fundamentally changing the way we approach cyber security in the modern age – which makes staying “ahead of the game” even more difficult. In reality, we can view the cyber landscape as a battlespace, where one key focus of conflict is information. Indeed, in today’s information-driven society, power comes from the accurate and timely ownership and exploitation of such data. The epicenter of this battlespace is us, the human being. Many reports identify us humans as the weakest security link in the cyber domain, vulnerable to countless methods of deceit and exploitation. As we are affected by the digital situations around us, our responses in the cyber realm are not instinctive and “logical,” but are instead fundamentally shaped by each of our individual beliefs, biases, and education. Thus, we present our paper – centered around the human element of cyber security. Using Sun Tzu’s famous Art of War saying as a foundation, we will first discuss the external environment, “the enemy,” that forms the human threat landscape; in our second section, we will analyze the heuristic biases and beliefs that shape human responses to these threats; and finally, in our third section, we will discuss ways to design around – and design for – these heuristic biases and beliefs, in order to practically strengthen human cyber security.
The Enemy: Threats from the External Environment If we consider the human being as a “system” within the context of systemic theory, the external environment provides inputs to the decisionmaking processes of every human. These inputs can be benevolent, but they can also be malicious and impair the way people are making decisions. These threats form the “enemy” that we humans need to fight against in order to reach better decisions for a safer cyber domain.
The Cyber Domain As technology is evolving and disrupting our daily modus operandi, so is human behavior. Psychologists like Dr. Mary Aiken believe that people behave differently when they are interacting with the abstract cyber domain than they do in the real, face-to-face world. The term “cyber” here refers to anything digital, from Bluetooth technology to driverless cars to mobile and networked devices to artificial intelligence and machine learning. So: how is the cyber domain threatening human decision-making? Threat number one: cyber safety is an abstract term. People can understand more easily and effectively the danger of driving drunk than the danger of having an unpatched personal or corporate computer connected to the internet. As a result, people often fail to recognize security risks or the information provided to cue them, and they tend to believe they are less vulnerable to risks than others. As Ryan West quotes, most people believe they are better than average drivers and that they will live beyond average life expectancy. People also believe they are less likely to be harmed by consumer products compared to others. Therefore it is reasonable to conjecture that computer users have the preset belief that they’re at less risk of a computer vulnerability than others. Further, the pro-security choice (i.e. encryption) often has no visible outcome, and there is also typically no “visible” threat (i.e. an email interceptor). The reward for being more secure, then, is that nothing bad happens – which by its nature makes it difficult for people to evaluate security as a gain when mentally comparing cost, benefits, and risks. In fact, if we compare the abstract reward (safety) of being more secure against a concrete reward like viewing an email attachment, then the outcome does not favor security at all. This is especially true when a user does not know what his or her level of risk is, or believes they are at less risk than others to start.
Justin Sherman is a sophomore at Duke University double-majoring in Computer Science and Political Science with a certificate in Markets and Management. His focus is broadly on all things cyber, including security, warfare, ethics, terrorism, censorship, and governance. He conducts technical security research through Duke’s Computer Science Department, spanning deep neural networking, mobile privacy, encrypted tunneling, and IoT security; he conducts technology policy research through Duke’s Sanford School of Public Policy, spanning technology and poverty, disinformation, and international technology regulation; and he’s a Cyber Researcher at a Department of Defense-backed, industry-intelligence academia group at North Carolina State University focused on cyber and national security. Justin is certified in cybersecurity policy, corporate cybersecurity management, infrastructure protection, social engineering, privacy, information security, continuity planning, and homeland security planning from such organizations as FEMA, the National Institutes of Health, the United States Department of Homeland Security, and the United States Department of Defense. He’s been published numerous times, blending knowledge in computer science, policy analysis, decision science, political behavior, market sociology, philosophy, war theory, foreign policy, and human rights to understand technology in relatable and impactful ways. He also has experience as a computer science instructor, STEM curriculum developer, and technical trainer. You can read more about Justin or contact him via his LinkedIn page at linkedin.com/in/justinwsherman.
Cyber is addictive. A study has found that the average mobile phone user checks their device more than fifteen hundred (1500) times a week. This is enhanced by the very nature of the web. The internet is always there, open 24/7, always full of promises, content and data. It is also full of intermittent rewards, which are more effective at fostering addiction than continuous rewards. Do you remember the movie You’ve Got Mail with Tom Hanks and Meg Ryan? At some point Tom Hanks says that there’s nothing more powerful than the simple words “You’ve Got Mail.” This is the very essence of cyber addiction – we check our devices because sometimes we’re lucky enough to be rewarded with a notification.
Trends - Cybersecurity Trends
When something is addictive, we make irrational decisions every time it’s involved in a set of choices. I search therefore I am; I get likes therefore I exist. We check our mail now, and again, and again. This leads us to another threat: the time we spend online. When we’re checking our mobile phone or when we’re typing this paper, we are effectively in a different environment; we have gone somewhere else, just not in the physical world’s time and space. That’s because cyberspace is a distinct space, quite different from the actual living space where our families, homes, and jobs are located. A lot of us have felt “lost in time” when surfing online, because we haven’t learned to keep track of time in the cyber domain. This fundamentally affects how we behave and make choices in cyberspace. (And as far as online security goes, more time only equals more risk.) Finally, we must address the libertarian nature of the internet. The internet is designed to be free. But where does freedom end and totalitarianism begin? What and where is the frontier between freedom and corruption? Is “freedom of speech” in fact fake news or disinformation? And who decides that certain opinions are fake news, if anyone should decide that at all? Similarly, how does personal interest override that of the greater online community? The idea of freedom online is quite contentious, and it raises many ethical questions – but currently very little regulation exists. It should be clear that our environment has an impact on our decision-making processes. Our instincts have evolved throughout history to handle face-to-face interactions with other human beings, but once we are in the cyber domain, these instincts quickly fail us.
The Ever-Evolving Technology
As devices and gadgets change, the cyber environment changes with them, which impacts our behavior all over again. More changes lead to more new situations, only creating more confusion. Until several decades ago, the pace of every technological revolution was such that it allowed humans to assimilate its changes and safely integrate them into their day-to-day activities. During the past twenty years, however, the evolution of digital technology has become so hectic that people cannot cope with it. We don’t have to name all the buzz terms that arise every single day to document this argument. Even “digital natives,” to use Marc Prensky’s controversial term, sometimes feel helpless in the face of the ever-evolving technology. We haven’t yet found a pattern by which we can effectively leverage this technology for good; we are not sure how to functionally and safely use this new technology; and we are not sure what the long-term (and even short-term) side-effects of these newborn technologies will be. Certainly, there are good uses and practices for effectively integrating evolving technology into our lives, but there are bad practices as well that many of us follow. In addition, this technology has brought an unprecedented revolution in digital content creation. This raises many questions: What are the implications of exposing so much sensitive data online? Who can benefit from it? Can we protect our precious assets, or are we unlocking our homes to the worst criminals, who can erase our lives with just one click? (Remember the movie The Net with Sandra Bullock?) Technology is not good or bad in its own right; it is neutral, and it simply mediates, amplifies, and changes human behavior. It can be used well or poorly by humankind – and in many ways, it’s no different from how we regard driving cars or using electricity or nuclear energy. Any technology can be misused. Thus, the central question: what are the universally acceptable ethics for using cyber technology?
The Education
Education is obviously a factor that shapes human behavior. Many of us have read countless articles about the necessity of recurring education and the return on investing in it. On a macro level, a broad lack of education can result in ignorance, authoritarianism, or even anarchy. Our lack of comprehensive cyber education therefore presents major risks in the way people perceive cyber, its risks, and its threats. Another issue is the effectiveness of the cyber education that does exist. Education should aim to answer the “why” and not only the “how” of security. It should aim at deep learning and retention, and it should certainly be recurring. Unfortunately, this is not the case. Typical learning situations rely on positive reinforcement when we do something “right.” Simply, when we do something good, we are rewarded. In the case of security, though, when the user does something “good,” the only existing reinforcement is that bad things are less likely to happen. Such a result is quite abstract and provides neither an immediate reward nor instant gratification, both of which are powerful reinforcers in shaping behavior. We should also examine the opposite – how our behavior is shaped by negative reinforcement when we do something “wrong.” Normally, when we do something bad in a learning environment, we suffer the consequences. In the case of security, however, negative reinforcement for bad behavior is not immediately evident. It may be delayed by days, weeks, or months, if it comes at all. (Think of a security breach or a case of identity theft, for instance.) Cause and effect is learned best when the effect is immediate, and the anti-security choice often has no immediate consequences. This makes it hard to foster an understanding of consequences, except in the case of spectacular disasters. It’s also important to consider that factors such as willpower, motivation, risk perception, cost, and convenience are often more important than the lack of cyber knowledge itself.
Social Engineering
Social engineering attacks, largely orchestrated through phishing messages, remain a persistent threat that allows hackers to circumvent security controls. One can manipulate people into revealing confidential information by exploiting their habits, motives, and cognitive biases. Research on phishing largely focuses on users’ ability to detect structural and physical cues in malicious emails, such as spelling mistakes and differences between the displayed URL and the URL embedded in the HTML code. Humans often process email messages quickly by using mental models or heuristics, thus overlooking cues that indicate deception. In addition, people’s habits, needs, and desires make them vulnerable to phishing scams that promise rewards. Awareness of phishing messages among users has increased, but so has the sophistication of the messages themselves. Hackers today design phishing messages to activate basic human emotions (e.g., fear, greed, and altruism) and often target specific groups to exploit their specific needs. Hackers sometimes even contextualize the messages to individuals by incorporating their personal information (spear phishing). For instance, a new phishing scam has arisen on dating applications: a bot posing as a user starts a conversation with another user (the victim) and, after a few exchanges, sends a malicious link, ostensibly to a picture, in an attempt to get the victim to click on it. Research shows that such spear phishing attacks are more effective than generic phishing messages, which target a wider population.
The Malevolent Actors
These days, cybercrime is far more organized than ever before. Cyber criminals are well-equipped, well-funded, and they have the tools and knowledge they need to get the job done. But to really understand cyber criminals, we mainly need to know one thing: their motives. Overwhelmingly, cyber criminals are interested in money. Either they’ll use ransomware to extort money, or they’ll steal data that can be sold on dark web markets. Their main course of action is through phishing campaigns, which can come pre-designed at a low cost and can have a truly staggering return on investment. Typically these campaigns are used to deliver malware (often ransomware), and the emails usually include a strong social engineering component. For instance, recipients are often asked to open or forward attachments such as false business documents, which activate malicious software when opened. Unlike cyber criminals, hacktivists are generally not motivated by money. Instead, they are driven by revenge. Hacktivists work alone, making their attacks extremely difficult to predict or respond to quickly. Sometimes these hacktivists are insider threats, who know how to bypass an organization’s security defenses, but the real risk still lies in the fact that there’s no way of knowing who they are or when they’ll strike, and it is more difficult to attribute a hacktivist’s motives. We at least know that their main course of action is typically through DDoS (distributed denial of service) attacks, primarily to embarrass their victim. In recent years, we’ve all heard a lot about state-sponsored attacks and cyber espionage. Unsurprisingly, state-sponsored attackers usually aren’t interested in our money. Instead, they want our data, and that means gaining sustained (“persistent”) access to our IT infrastructure. If an organization operates in a particularly sensitive market where proprietary data is meticulously safeguarded (e.g. critical infrastructure or electoral votes), then it is at greater risk of gaining the attention of a state-sponsored hacking group. In essence, because so much is online, state-sponsored groups will often work on multiple attack vectors simultaneously. In this way, they can collect sensitive data over a long time period, rather than simply performing a “raid operation.”

Conclusions
Cyber is the battlespace where many interests collide. In the midst of the haze and dust of this collision is the human, who is the recipient of many external inputs, good and bad, that shape the way we react and behave. But even apart from these external inputs, each human’s cognitive and heuristic biases also play an incredibly important role – which we will discuss more in the second section.

Part II: The Human

Introduction
In the first part of our paper focusing on the human side of cyber security, we discussed “the enemy” – the external environment that introduces threats to which humans must respond. In this second section we will focus on the human beliefs and heuristic biases that shape our actions in the cyber landscape. Combining knowledge in behavioral economics, cyberpsychology, social engineering, and the decision sciences, we will answer a fundamental question in cyber security: why is the human the weakest link?
The Human
The factors that make up an organization’s cyber security standing are innumerable, from firewalls and encryption standards to incident reporting protocols and overall security culture. On top of the fact that most organizations are still playing “catch-up” when it comes to robust cyber security tech, their human employees are left largely vulnerable. Humans are flawed both in retention of information (e.g. from security training) and use of information (e.g. decision-making while using technology), which makes us a particular risk to all modern organizations. This is reflected in the numbers: reports from this past year indicate that well over two-thirds of all cyber security incidents are either directly caused by human error or made possible by human exploitation and manipulation – such as with phishing and spear phishing attacks. Hackers are fully cognizant of the particular vulnerability of us humans, and they are more than happy to exploit it (as discussed in our first section).

Decision Heuristics and Cyberpsychology
Our brains are evolutionarily wired to decrease our decision-making time through decision heuristics – essentially, simple and efficient rules that guide our judgments. While these cognitive shortcuts are for many reasons extremely beneficial, they also leave us prone to heuristic biases, which lead us to make misjudgments and incorrect assumptions when evaluating a set of choices. These are fundamental to understanding how humans behave in the cyber domain. Separate from but related to this point is cyberpsychology, the up-and-coming field of understanding how humans interact with, and are shaped by, technology. Whereas decision science broadly studies human decision-making processes and their applications, cyberpsychology is specific to technology – asking which behaviors change when we’re “in” the cyber world, and which ones don’t. Perhaps unsurprisingly, it’s more often the case that human behavior significantly (arguably, sometimes, even radically) shifts as soon as we sit down in front of a screen. Field expert Dr. Mary Aiken broadly refers to this shift as the cyber effect, which encompasses everything from behavioral amplification to online disinhibition. We’ll come back to this shortly.

Passwords and Logins
Security experts and IT professionals are constantly recommending best password practices – yet the majority of people don’t follow them. This is because password creation and retention poses a significant challenge to most human beings. First of all, most of us tend to select memorable passwords – be they the names of our family members, an important date in our lives, or the title of our favorite movie. We make these passwords memorable because we need so many of them; it’s nearly impossible for any of us to memorize the passwords to all of our accounts, from email, social media, and streaming services to online shopping, work databases, and mobile banking. This tendency for creating memorable passwords existed under old NIST guidelines (when best password practices meant nonsensical combinations of letters, numbers, and symbols), and it still does today – even as NIST recommends the use of long passphrases. Simply, it’s easier to remember personally significant information than random symbols and words – so we’re more likely to select passwords like 125elmST (e.g. an old address) and johnlucyjacksarah (e.g. children’s names) than something like e7@4j8!9.

There are undoubtedly tradeoffs to be made between password strength, variance, and memorability; having many memorable passwords is a tradeoff against a single but very complex (and unmemorable) one. The problem is, though, that memorable passwords are easy for a social engineer to crack. A few minutes perusing Kali Linux or another penetration testing toolkit will quickly reveal the plethora of robust software available for this task, from pre-assembled dictionaries of popular passwords to scripts that scramble information on a target (e.g. name, spouse, hometown, etc.) into custom password dictionaries. Our predictable behavior inherently leaves us – and by extension, our friends, families, employers, and services – vulnerable to being hacked. When we’re forced to change our passwords, whether because of an operating system requirement or a workplace policy, we tend to overlap new passwords with old ones. If my current password is strongP@ssw0rd!123, I’m likely to make my new password something like strongP@ssw0rd!456 or even strongerP@ssw0rd!123 so I don’t have to memorize a new phrase. Patterns and habits, particularly in cyberspace, are important – hence status quo bias, or our preference for defaults (in other words, leaving things as they are rather than exerting effort to deal with change). Again, though, this predictable behavior leaves humans vulnerable. If a hacker were using an employee’s login under the radar and suddenly noticed the password had been changed (because they can’t log in anymore), they’re prone to leverage knowledge of this bias and just guess passwords surrounding the old one – e.g. by altering a few numbers or letters (as the above employee just did). The password’s strength is suddenly meaningless.
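A password service can counter the rotation habit described above at change time, the one moment it sees both the old and the new cleartext. The following Python is an added example, not the authors' code: it normalises away the edits people typically make to keep an old password (case, common symbol substitutions, a trailing counter) and rejects the change when what remains is the same or nearly the same. The thresholds, the substitution map and the function names are assumptions chosen for illustration.

```python
"""Reject a password change that merely rotates the old password.

Added example, not from the paper: a check a password service can run at
change time, the one moment it holds both the old and the new cleartext.
The thresholds, the substitution map and the function names are assumptions.
"""
import difflib
import re

MIN_LENGTH = 12          # assumed floor; NIST SP 800-63B favours length over complexity
MAX_SIMILARITY = 0.75    # assumed: SequenceMatcher ratio above this is "the same password"

# Common keyboard substitutions people use to satisfy complexity rules.
LEET = str.maketrans("@0134$!", "aoleasi")


def core_of(password):
    """Strip the edits people make to keep an old password: trailing counter, case, leet."""
    lowered = password.lower()
    without_counter = re.sub(r"[0-9]+$", "", lowered)   # 123 -> 456 rotations
    return without_counter.translate(LEET)              # P@ssw0rd -> password


def change_rejections(old, new):
    """Return the reasons the new password is unacceptable (empty list if it is fine)."""
    reasons = []
    if len(new) < MIN_LENGTH:
        reasons.append("too short")
    old_core, new_core = core_of(old), core_of(new)
    if old_core == new_core:
        reasons.append("same password with a rotated suffix or case change")
    elif difflib.SequenceMatcher(None, old_core, new_core).ratio() > MAX_SIMILARITY:
        reasons.append("too similar to the previous password")
    return reasons


if __name__ == "__main__":
    old = "strongP@ssw0rd!123"
    for candidate in ("strongP@ssw0rd!456", "strongerP@ssw0rd!123",
                      "correct horse battery staple"):
        print(candidate, "->", change_rejections(old, candidate) or "accepted")
```

Both rotations from the paragraph above are caught: the first collapses to the identical core, the second differs by two letters and scores well above the similarity threshold, while an unrelated passphrase passes. The check has to run on cleartext at change time; stored hashes cannot be compared this way, which is why the comparison belongs in the change handler and nowhere else.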
Detecting Threats: Phishing, Social Engineering, and More
Heuristic biases make us humans incredibly vulnerable – and ineffective – when it comes to detecting cyber threats, which is only compounded by our lack of a cyber lexicon and lack of “instincts” in the cyber domain. As previously referenced, this is exactly what attackers target. Humans want to be trusting, and this is evidenced in the effectiveness of phishing attacks. We might be trained on what phishing emails look like; we might be told never to trust an email sent from an unknown source; we might even be told not to trust suspicious emails sent by our friends. In practice, however, this mode of education largely falls apart. While many phishing emails will pass through our inboxes each year (and data on workplace security breaches confirm this), the majority of emails are likely not phishing attacks. Each time we open a semi-suspicious email that turns out to be safe, we are falling prey (like it or not) to confirmation bias. The preconceived notion that we don’t need to scrutinize every email is reinforced each time we open a suspicious email without negative consequence. Thus, the attention paid to each suspicious email decreases over time – only increasing the likelihood that a phishing attack will succeed. Representativeness also comes into play here. When we routinely perform a task, our brains naturally categorize small variants on that same task together to reduce decision-making time. If a manager sends out a “weekly recap” email every Friday, for instance, employees won’t look twice at a “weekly recap” email, sent out on a Friday, that is in fact not from the boss’s email account. Our tendency to incorrectly group new circumstances in with previous experiences can be deadly; this is why social engineers actively look for ways to insert malicious URLs, documents, and more alongside existing patterns of cyber behavior.
Adding online disinhibition into the picture illustrates why we’re even more vulnerable to social engineering attacks: pioneering research in cyberpsychology shows that we behave far more recklessly online than in our physical day-to-day interactions; Dr. Aiken even compares some of our daily cyber behavior with drunken intoxication, as we trust others easily and disclose our personal information more quickly. Combining this with hyperpersonal online interaction (reduced social barriers to intimacy and information-sharing) and stranger-on-the-train syndrome (the tendency to share sensitive information with those we feel we won’t see again), we’re already very prone to sharing too much information online – made all the worse by malicious actors who additionally exploit our heuristic biases. The way we behave online, and the way we make decisions about what we click on and what we divulge, are critical reasons why humans are indeed the “weakest link” in a cyber security posture. Linked to these ideas is something all of us face: optimism bias, or thinking we navigate the world “better” than others do. In the physical world, this arises all the time. We tend to exempt ourselves from rules, policies, and standards that we hold others to just because we think we’re above them; for instance, many people text and drive, despite hard numbers that show the extreme danger to themselves and others, because they think that they (unlike everyone else) can multitask on the road. (Of course, many studies show “multitasking” in its fullest sense is actually impossible.) This carries directly over to the cyber domain, where we all rank our performance above the “average” and thus let ourselves fall below standards of secure cyber behavior. If another employee causes a data breach because of a weak password, we’ll likely reprimand them for it; however, we likely allow ourselves to save passwords in a browser or circumvent multi-factor authentication without that same reprimanding. Similarly, an employee may be entirely aware of the danger posed by social engineering and yet put no care into preventing phishing attacks, simply because they feel they don’t have a need – and while we may scold them in our head, most of us probably do the same. Humans are also prone to recency bias, which makes us more concerned with information that’s been presented most recently. If an employee was just trained for three hours on the dangers of malware, for example, they’re much more likely to worry about Internet downloads than they are to scrutinize an email for signs of phishing. This is arguably an obvious point, but the underlying heuristic bias is critical to human cyber vulnerability – because the “latest” threats will implicitly receive greater priority. The ordering of security training, then, suddenly becomes important.
Frequency bias, or the favoring of reinforced information, similarly affects human takeaways from security training. It makes sense that the more an issue is discussed, the more its perceived importance increases – but in security, where there are simply too many topics to all be covered in-depth, this presents an especially complicated problem. If a company spends 5 hours training on a difficult topic like email encryption or password creation, and spends only 3 hours on phishing and social engineering attacks, employees are more likely to prioritize defending against the former (when in fact, social engineering poses a far greater risk). Balancing the time spent covering a cyber security threat with the rate of its appearance is obviously challenging (and will be covered in our next section), but we must recognize this bias in the first place.
Conclusions
Human behavior in cyberspace is incredibly flawed, from the vulnerability of decision heuristics to the bizarre behaviors we adopt simply because of technology’s unfamiliarity. By better understanding the decision science, behavioral economics, and cyberpsychology behind human cyber behavior, we can better attain practical human security. Thus, with “the enemy” and “the human” both analyzed, our third and final section will focus on “winning the battle” – that is, designing cyber security with the human in mind.
Part III: Winning the Battle

Introduction
The first part of our paper, “The Enemy,” focused on the external environment and the threats it introduces to the cyber landscape, while our second section, “The Human,” discussed the heuristic biases and beliefs that shape human responses to these threats. In the final part of our paper, we are going to discuss how “not [to] fear the result of a hundred battles,” or in other words, how to design security policies around – and for – the human.

Theoretical Background
Several decades ago, child development psychologist Jean Piaget stated that “the principal goal of education is to create men who are capable of doing new things, not simply of repeating what other generations have done – men who are creative, inventive and discoverers.” Building on this, we can view learning as a process of acquiring and building knowledge with strong social and experiential components. Educational research has identified that people learn more effectively and deeply through engagement, motivation, cooperation and collaboration, and participation in real experiences; thus, conventional teaching methods cannot meet the learning requirements of today. Building and sharing knowledge proves to be quite advantageous for effective teaching and curriculum development, a far cry from bureaucratic styles of education that value quantity over quality, and it draws on inherent motivation. Through techniques and methodologies such as open discussion forums and hands-on exercises, people in small groups may develop critical thinking, learn to mobilize toward common goals, and rely on a collective intelligence that’s superior to the sum of each individual. In accordance with Bloom’s taxonomy, though, teaching activities should not just focus on transmitting information; they should also focus on application. Leveraging old information to solve a new and challenging problem is essential to fostering retention and developing new knowledge. Perhaps predictably, this quickly becomes cyclical – with old knowledge reinforced through application, and application yielding new knowledge to be applied, and so on and so forth. The byproduct of this process is often referred to as deeper learning. Gamification and simulation are just two examples of implementing this deep learning process.

Defaults and “Nudges”
Economists Richard Thaler and Cass Sunstein outlined, in their 2009 book Nudge, the idea of libertarian paternalism – a decision-modeling framework where nobody has their choices altered or limited (the libertarian element), but by framing choices in a certain way, decision creators can help people pick the best option (the paternalism element). In essence, the idea is to nudge individuals in the right direction without restricting their freedoms. There are many ways to achieve this “nudging,” including reordering options and increasing the amount of available background information, but we want to focus on one method in particular: changing the default. Defaults are incredibly powerful when it comes to decision-making; the decision science and behavioral economics studies on this are plentiful. Because of status quo bias – essentially, our aversion to putting effort into change – most of us are likely to stick with the default option in any given decision scenario. Nudge specifically shows this to be true with everything from college dining hall buffets to corporate 401K plans. For these reasons, security-by-default is one of the most effective ways to “win the battle” when it comes to practical human security. Making cyber safety the status quo will all but guarantee overall more secure behavior, because most tech users will just stick with that default. This idea of “defaults” has many implications for how organizations design, execute, and reinforce security training, but that will be addressed in the next section; for now, we’re going to focus on how organizations can institute security-by-default in technology itself. Implement the strongest possible encryption on all devices you buy for your organization, be they smartphones, laptops, or IoT sensors. Install, and set as the default, encrypted communication software – from Signal with its perfect forward secrecy to PGP-secured email applications. Restrict Internet access (e.g. to work-only websites) and ensure all accounts, by default, have the minimum level of access required to perform basic tasks (e.g. prevent software installations). Enable email filtering, mandate multifactor authentication, and set baseline password requirements. Configure malware removal software, internal and external firewalls, and automatic account “lockdowns” after a certain period of inactivity. Constantly monitor new industry guidelines and cutting-edge research to adapt these security defaults – for instance, what constitutes a strong password. And overall, stop employees from dealing with complicated and undesirable issues of distrust whenever possible; if they’re going to be annoyed when you ask them to double-check that their personal USB drive hasn’t been compromised, then don’t let them plug it in to begin with. When security is the default, more employees and users will almost automatically become more secure. It’s also important to understand that just because some of these cyber security elements are “defaults” doesn’t mean they should be presented as options in the first place. Largely, they should not. Encryption and multifactor authentication are two perfect examples of a human-side security factor that shouldn’t have an “opt-out.” Just as it shouldn’t be an option for employees to disable or weaken encryption, it shouldn’t be an option to only use single-factor authentication (i.e. just a username and password). When it comes to security, defaults without the libertarian element are often best.
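The distinction drawn above, between defaults that can be changed and defaults with no opt-out, can be made explicit wherever an organization keeps its baseline configuration as data. The Python below is an added example, not from the paper or any product: a baseline in which the encryption and multifactor settings are locked outright, numeric settings may be tightened freely but weakened only with a recorded approver, and the inactivity lockdown is evaluated against the effective policy. The setting names, the values and the approval rule are assumptions chosen for illustration.

```python
"""Security-by-default policy with a locked core.

Added example, not from the paper. Setting names, values and the
approval rule are assumptions chosen to illustrate the idea.
"""
from datetime import datetime, timedelta

# Assumed organisational baseline: every value is the secure choice.
SECURE_DEFAULTS = {
    "disk_encryption": True,
    "mfa_required": True,
    "password_min_length": 12,
    "inactivity_lock_minutes": 15,
    "allow_software_install": False,
    "web_allowlist_only": True,
}

# No opt-out: requests to change these are refused outright.
LOCKED = {"disk_encryption", "mfa_required"}

# For numeric tunables, the direction that counts as weakening.
WEAKER_IF_LOWER = {"password_min_length"}
WEAKER_IF_HIGHER = {"inactivity_lock_minutes"}


def is_weaker(key, new_value, default):
    """True if new_value is less secure than the baseline for this key."""
    if key in WEAKER_IF_LOWER:
        return new_value < default
    if key in WEAKER_IF_HIGHER:
        return new_value > default
    # Boolean settings: the default is the secure value, so any flip weakens.
    return new_value != default


def apply_overrides(overrides, defaults=SECURE_DEFAULTS):
    """Merge requested overrides into the baseline.

    Returns (effective_policy, rejected) where rejected maps each refused
    key to the reason. Tightening is always allowed; weakening a tunable
    is allowed only when the request names an "approved_by" so the
    exception is on record rather than silent.
    """
    policy = dict(defaults)
    rejected = {}
    approver = overrides.get("approved_by")
    for key, value in overrides.items():
        if key == "approved_by":
            continue
        if key not in defaults:
            rejected[key] = "unknown setting"
        elif key in LOCKED:
            rejected[key] = "no opt-out for this setting"
        elif is_weaker(key, value, defaults[key]) and not approver:
            rejected[key] = "weakening requires a recorded approver"
        else:
            policy[key] = value
    return policy, rejected


def should_lock(last_activity, now, policy):
    """Automatic lockdown: True once a session has idled past the policy limit."""
    limit = timedelta(minutes=policy["inactivity_lock_minutes"])
    return now - last_activity >= limit


if __name__ == "__main__":
    # A team asks to drop MFA and shorten passwords, but tighten the idle lock.
    requested = {"mfa_required": False, "password_min_length": 8,
                 "inactivity_lock_minutes": 5}
    effective, refused = apply_overrides(requested)
    print("effective:", effective)
    print("refused:", refused)
    print("lock after 20 idle minutes:",
          should_lock(datetime(2018, 1, 1, 9, 0), datetime(2018, 1, 1, 9, 20), effective))
```

The request to tighten the idle lock goes through on its own, the request to shorten passwords is refused until someone puts their name to it, and the request to drop MFA is refused no matter who asks. That is the paper's point in executable form: the libertarian element survives for the tunables, and disappears for the two settings it says should never be optional.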
Decision Heuristics, Feedback Loops, and Security Training
As we discussed in the first part of our paper, security training and education are currently inadequate for addressing environmental cyberspace threats, as well as the heuristic and cognitive biases that guide our cyber behavior. Even with security-by-design, as addressed in the last section, we still aren’t protecting for situations in which (a) organizations can’t make security the default, because control inherently lies with the human, and (b) humans change that default, becoming less secure in the process. The classic (and currently pervasive) solution to this problem is to impose a clear corporate security policy – for instance, that users cannot use portable USB storage devices. On its face this seems effective, as the structure of the organization inherently incentivizes compliance with these policies...right? Wrong. From a human perspective, this is likely to fail for many reasons:
Users will disrespect the policy because they don’t understand the risk involved.
They may not be aware of the policy, or they may even forget the policy.
Environmental situations may arise where the users have to use a removable storage device, so the employees will make functional exceptions (convenience over security).
Humans are prone to optimism bias – thinking we’re better at certain behaviors than others (e.g. cyber security) – and will thus exempt themselves from secure behavior even when functionality or convenience isn’t directly part of the equation.
If employees violate the policy once and there are no negative consequences, they will likely do so again.
And this is without even addressing many other issues with current security training, which were discussed in our previous piece.
The most reliable way to prevent the risk, then, is to take the user out of the equation. But this is equal to amputating an aching arm. We cannot divorce humans from technology, or technology from humans – so while this works in theory, it’s unacceptable in practice. So the question remains: what about the underlying issues of risk perception and diffusion of responsibility (from which many other risks arise)? In these cases, it’s necessary to raise user awareness of security issues and actively engage them in the security process, without creating an environment of paranoia. In short: it’s about designing security training and security policies for the human. Awareness and training programs are important mechanisms for disseminating security information across an organization. They aim at stimulating security behaviors, motivating stakeholders to recognize security concerns, and educating them to respond accordingly. Since security awareness and training are not only driven by requirements internal to the organization, but also by external mandates, they must align with regulatory and contractual compliance drivers as well. Current literature and guidelines such as ENISA and NIST additionally emphasize alignment with business needs, IT architecture, and workplace culture. Target participants of awareness programs include senior management, technical personnel, employees, and third parties employed by the organization (e.g., contractors, vendors, etc.). Awareness programs are essential because organizations need to ensure that stakeholders understand and comply with security policies and procedures; they also need to follow specific rules for the systems and applications to which they have access. However, as we explained previously, stakeholders’ behavior is influenced by individual traits and biases which impact their compliance with security policies and procedures. Thus, security awareness must be designed to tackle beliefs, attitudes, and biases. 
Designers of security systems should consider adopting the systems approach to training, considered an effective education practice in the field of human factors and ergonomics. Central to this approach is identifying participants’ cultural biases, which can facilitate needs assessments and provide an alternative criterion for grouping program participants. Because individuals’ cultural biases influence their perception and decision-making calculus, they also affect an individual’s risk assessment. This goes unaddressed in most contemporary security training programs, which is immensely problematic for how employees individually frame their knowledge after the session concludes. Without a relevant cultural framing (and this culture can take many dimensions), employees will fail to fully understand why security is so important.
Trends - Cybersecurity Trends
Thankfully, framing cyber security in light of cultural biases can be done without expending significant additional resources. For instance, while convenience is heavily prioritized in technology, there are many cases in which users find a system’s aesthetics to be far more important. It is therefore possible for employees to value security over convenience – it’s just about making them understand why they should in the first place. Understanding where groups of employees are coming from (e.g. does their job value convenience, collaboration, speed, etc.) will help frame security’s relevance in the correct light; we might, for example, find that a litigation team best understands security in the context of risk avoidance, whereas an accounting team best understands security in the context of the confidentiality, integrity, and authenticity of data. Thus, it’s essential to design security policies with cultural biases in mind. In addition to creating and selecting culturally-relevant training materials and simulation exercises, it’s important to back this up with a strong corporate security culture. Along a similar vein, organizations must build strong feedback loops during and after security training; with weak feedback loops – meaning pro-security choices don’t yield any visible rewards (other than the unspoken “congrats, you didn’t get hacked!”) – employees are not behaviorally conditioned or incentivized for safe and secure cyber behavior. During training, the best source of guidance is past “success stories” in which security controls prevented security incidents, smart behavior blocked social engineering attacks, and clear reporting procedures resulted in the quick trapping and containment of an active breach. Post-training, techniques such as randomly spotlighting employees for smart security practices will further solidify feedback loops that promote cyber-secure behavior.
(This specific example of using intermittent rewards is also extremely effective in conditioning.)
Implementing simulations and gamification during training will then strengthen these existing feedback loops. Every time we can link secure cyber behavior with increased reward – even if it’s in a “fake” environment – we can shape smarter behavior in the workplace. If employees experience the value of screening an email during a simulation (e.g. preventing a phishing attack from a foreign competitor), then they’re more likely to scrutinize suspicious messages in real life. This is because self-realization and application, as previously referenced, are incredibly important for knowledge retention and re-application. Closely linked with strong feedback loops is positive association. Research on cognitive biases has identified that individual judgments are affected by exposure to positive or negative stimuli (e.g. a smiling or frowning face), which decision scientists refer to as affect bias – our quick emotional reaction to a given stimulus. Thus, associating security messages with positive images (i.e. happy customers means more profit) is quite effective for ensuring users’ compliance with your security policies. Rewarding strong performance on security tests (whether scheduled or “spontaneous” – e.g. sending employees phishing emails) will also help achieve this end. Anchoring bias, or our tendency to rely on the first piece of information presented on a topic, also heavily influences attitudes towards new security practices. If employees are told that strong passwords have at least six characters, for example, they’re likely to just use six characters and not opt for anything stronger; they won’t deviate from this anchoring information. This has implications from email scrutinization all the way to online browsing behavior. Similarly, we humans are prone to frequency bias, or prioritizing issues about which we have more information, and recency bias, or prioritizing issues about which we’ve been educated most recently.
If an employee is trained for five hours on password creation but only for three on phishing attacks, then they will pay greater attention to the former (despite the latter being a greater and more complicated threat). Since our brains rely heavily on the order and frequency with which information is presented, we need to design security policies for these tendencies. To design for anchoring bias, we should start out a topic by providing the strongest and most effective security practices (e.g. say passwords should be at least 12 characters long instead of 6); to design for frequency bias, it’s imperative to try and balance the time spent on a topic with its importance (e.g. spending the most time on social engineering threats); and to design for recency bias, we should end security training (and security retraining) by covering the most prevalent threats. Continuing with the order and timing of information: humans tend to attribute greater value to short-term costs and benefits than long-term ones. In other words, security experts should emphasize not only the long-term and macro-level benefits of secure cyber behavior (e.g. better growth) but also the immediate, short-term benefits. We only need turn on the news to see a plethora of examples for this emphasis, from avoiding massive monetary loss to preventing a legal and PR nightmare. Instant costs will resonate effectively with us humans. We already discussed positively reinforcing secure behavior, but it’s also (obviously) critical to punish violations of security policies. Having a corporate security policy that is not monitored or enforced is tantamount to having laws but no police. Organizations must monitor employee behavior – in addition to the behavior of those doing the monitoring – and act when rules are broken.
This connects back to strong feedback loops and the idea of humans favoring the immediate effects of our actions: the best deterrent to breaking the rules is not the severity of consequences but the likelihood of being caught.
A final consideration to take into account is how to reduce the human cost of implementing security. This encompasses many of the ideas in our paper, from security-by-default on the technology side to effective designing of security training, framing of cyber security issues, and conditioning of secure cyber behavior on the human side. Evaluation of training programs is necessary to ensure they’re effective. To evaluate a program, measures of successful learning such as retention of information and usability should be examined. If a training program is deemed ineffective, a new needs assessment should be conducted and new training techniques should be considered during an iterative process (design, test, redesign, test, etc.). Unfortunately, the aforementioned practices alone are not enough to totally win the battle; despite the title of our piece, presuming to be “victorious” in the truest sense of the word would be delusional. Security awareness must be a nationwide strategic goal. It requires a holistic approach, from governments, policymakers, and tech leaders to citizens, consumers, and students. Security awareness programs must be carefully designed to run through the backbone of our society and should become an integral part of our educational system. Curricula should not focus only on programming or technical literacy but also on cyber security literacy; we need to build a cyber lexicon and a common framework to understand cyber behavior. There’s still much to be done.
Conclusions
Peggy Ertmer argues that changing one’s attitude is a hard thing to do but can be achieved through practice, cultural support, and challenging beliefs through community. There’s a long path to follow until we reach a safer cyber environment, much like the path of Areti (Virtue) in the labors of Hercules: narrow and full of difficulties in the beginning, but wide like an avenue at the end. In the military they say that if you want peace, you have to prepare for war. Considering our paper and its ideas in their entirety, this is exactly what we have to do. If we want to change the security culture of our society, we need, as Dr. Mary Aiken says, to stop, disconnect, and reflect. We need to remember the human.
REFERENCES
Part I: The Enemy
Aiken, M. (2016). The Cyber Effect: A Pioneering Cyberpsychologist Explains How Human Behavior Changes Online. London, UK: John Murray.
West, R. (2008). The Psychology of Security. Communications of the ACM, 51(4), 34-40.
Goel, S., Williams, K., & Dincelli, E. (2017). Got Phished? Internet Security and Human Vulnerability. Journal of the Association for Information Systems, 18(1), 22-44.
Recorded Future (2016, Aug. 23). Proactive Defense: Understanding the 4 Main Threat Actor Types. Retrieved from https://www.recordedfuture.com/threat-actor-types/.
Part II: The Human
Boulton, C. (2017, Apr. 19). Humans Are (Still) the Weakest Cybersecurity Link. Retrieved from https://www.cio.com/article/3191088/security/humans-are-still-the-weakest-cybersecurity-link.html.
Aiken, M. (2016). The Cyber Effect: A Pioneering Cyberpsychologist Explains How Human Behavior Changes Online. London, UK: John Murray.
Thaler, R. & Sunstein, C. (2009). Nudge: Improving Decisions About Health, Wealth, and Happiness. New York, NY: Penguin Books.
Part III: Winning the Battle
Aiken, M. (2016). The Cyber Effect: A Pioneering Cyberpsychologist Explains How Human Behavior Changes Online. London, UK: John Murray.
García-Valcárcel, A., Basilotta, V., & López, C. (2014). ICT in Collaborative Learning in the Classrooms of Primary and Secondary Education. Media Education Research Journal, 42(21), 65-74.
West, R. (2008). The Psychology of Security. Communications of the ACM, 51(4), 34-40.
Tsohou, A., Karyda, M., & Kokolakis, S. (2014). Analyzing the Role of Cognitive and Cultural Biases in the Internalization of Information Security Policies: Recommendations for Information Security Awareness Programs. Computers & Security, 52, 128-141.
National Research Council. (2000). How People Learn: Brain, Mind, Experience, and School: Expanded Edition. Washington, D.C.: The National Academies Press.
Thaler, R. & Sunstein, C. (2009). Nudge: Improving Decisions About Health, Wealth, and Happiness. New York, NY: Penguin Books.
Focus - Cybersecurity Trends
When sport can become a national security issue
Author: Nicola Sotira
It seems that history repeats itself and we never learn the lesson. It was the year 2010 when the Foursquare service invited its users to “check in” at popular places and then, by mistake, transmitted all this data publicly.
Not convinced yet? Open Google Maps and select «Timeline» from the menu; unless you have disabled Google’s access to your location data, you will see a clear map of your movements, which can also be placed in time by enabling the calendar view. We must surmise that this data represents the entire business model for these companies, so it is hard for them to find a reason to stop the collection. You may wonder why we are still talking about this topic, why yet another article on data sharing? Because recently all the newspapers have been talking about Strava. Strava is an application for monitoring athletic activity that can manage and process in great detail the data of runners and cyclists. Everything starts, as always, from our smartphone: the Strava app is free, is available for iOS and Android, and allows us to record the GPS track of our run or ride. The app tells us our times, routes and miles, and we can turn this solitary training into a viral challenge. Some numbers? In December 2016, Strava announced that more than 300 million sports activities had been uploaded; 26.90% of these activities were carried out in groups, collecting more than 1.3 billion Kudos (Kudos are the equivalent of Facebook likes).
BIO Nicola Sotira is Director General of the Global Cyber Security Center of Poste Italiane and Information Security Manager at Poste Italiane. He has been in the field of information security for over 20 years, with experience in different international companies. Previously, Nicola Sotira was Sales Director UC&C & Security Practices at Westcon Group Italy and VP Sales Italy at Clavister AB. He is Professor at the Master in Network Security of La Sapienza University and a Member of the Association for Computing Machinery. A promoter of technological innovation, he has been a member of several startups in Italy and abroad.
What happened? In November 2016 Strava published maps collecting all its users’ sports activities, amounting to a total of 27 billion kilometres. The issue was that some of the app’s users work for military or intelligence agencies. At that point some security experts were able to connect the dots and relate the activity to bases or locations of US military and intelligence operations. Everything was accelerated by Nathan Ruser, a student of international security at the Australian National University, who started to post on Twitter a series of images pointing out Strava user activities potentially related to US military bases in Afghanistan, Turkish military patrols in Syria, and much more. The Department of Defense is going to revise its IoT and wearable device policies, and said it encourages all defense personnel to limit their public presence on the Internet; of course the guidance is even stricter when troops operate in sensitive locations. As we have written several times, awareness in the use of these tools plays a fundamental part, and we need to work much harder on awareness to create a generation of users who are aware in the digital world. There are many areas of improvement here that require manufacturers, service companies and consumer associations to work together. And last but not least, programs in schools that educate on cybersecurity.
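As an added example of the kind of technical mitigation that complements the awareness the article calls for (this code is written for this edition and is not Strava’s or anyone else’s implementation), the Python below applies a “privacy zone” filter to a GPS track: every point within a configured radius of a sensitive location is dropped before the track is shared, not only the start and end points, because an aggregated heatmap reveals loops inside a zone as clearly as it reveals a front door. The coordinates, the zone radius and the track are constructed for the example and correspond to no real place.

```python
"""Privacy-zone filter for GPS tracks (added example, not an app's own code).

Drop every track point that lies within a configured radius of a sensitive
location before the track is shared, and report how many points were removed
so the user can see what the filter did. All coordinates below are constructed
for this example and are not real locations of anything.
"""
import math

EARTH_RADIUS_M = 6371000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def filter_track(points, zones):
    """Remove track points inside any privacy zone.

    points: list of (lat, lon); zones: list of (lat, lon, radius_m).
    Returns (kept_points, removed_count). Every point inside a zone is
    dropped, not just the first and last ones: a patrol loop that stays
    inside the perimeter would otherwise still appear in an aggregated map.
    """
    kept = []
    removed = 0
    for lat, lon in points:
        inside = any(haversine_m(lat, lon, zlat, zlon) <= r for zlat, zlon, r in zones)
        if inside:
            removed += 1
        else:
            kept.append((lat, lon))
    return kept, removed


# Constructed sample: an out-and-back run that starts inside a 500 m privacy zone
# and heads due north; 0.002 degrees of latitude is roughly 222 m.
SAMPLE_ZONES = [(48.0000, 11.0000, 500.0)]
SAMPLE_TRACK = [
    (48.0000, 11.0000),  # start, at the zone centre
    (48.0020, 11.0000),  # ~222 m north, inside the zone
    (48.0040, 11.0000),  # ~445 m, still inside
    (48.0060, 11.0000),  # ~667 m, outside
    (48.0080, 11.0000),  # ~890 m, outside (turnaround)
    (48.0060, 11.0000),  # outside
    (48.0040, 11.0000),  # back inside
    (48.0000, 11.0000),  # finish at the zone centre
]

if __name__ == "__main__":
    kept, removed = filter_track(SAMPLE_TRACK, SAMPLE_ZONES)
    print(f"kept {len(kept)} points, removed {removed}")  # kept 3 points, removed 5
```

The filter runs on the device before upload, so the service never receives the sensitive points; it does nothing for data that has already been shared, which is why the article’s point about awareness, and policies that keep tracking off in sensitive locations altogether, still stands.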
The hidden risks of mobile phone systems
Author: Giancarlo Butti
Area control
For security, the use of mobile systems can come with important risks which, very often, are not seen as such by companies. Yet knowing these risks is an absolute must in order to implement suitable preventive measures that limit, as far as possible, the eventual damage. When thinking about the intrinsic risk of using a mobile device such as a smartphone, one has the natural tendency to think of the possible interception of the communications between the two parties to a conversation. In reality, the complexity of these devices and the richness of the functionalities they offer their owner render them so insidious that we now have to evaluate whether to authorize their use by employees and visitors within a company, above all in areas where activities requiring an adequate level of protection and/or confidentiality take place. This is a precaution in total contrast with the way we live daily, where such devices, whether company property or privately owned, are almost everywhere and are used in the most important moments of a business’s life, such as talks focused on strategic decisions or executive board meetings.
Recording devices
Each mobile device is now equipped with many instruments enabling it to record everything in its proximity:
Video cameras (often two), thanks to which one can take video recordings with sound, or take pictures – including HD ones – of places, people, documents or screens displaying interesting content.
Microphones, thanks to which one can make audio recordings without being noticed by the surrounding persons.
The surveillance of an area with a mobile device can happen simply when the phone is left on a desk (a situation considered absolutely normal), during an audio recording made in the area, or even when the device is activated by a call to a remote tool that will store the recording. The recording can be activated by the owner of the device but, on this topic, we also have to take into consideration the possibility that the surveillance of the area through the mobile device in question has been activated by a third party, via spyware, without any knowledge of it by the legitimate owner of the device. The use of IT “captors”, which are in reality apps or software installed unbeknown to the user, can activate the microphone to record conversations or to surveil the user’s surroundings. Such software sometimes allows complete control of the device, hence access also to emails, calendars and any other document or file existing on the device itself. Recently, the Italian Penal Code, as well as the law in other EU member states, has been modified to allow law enforcement agencies to use these kinds of tools, even if, in this case, the limits of such use and the perimeter of control are clearly limited. As a consequence, the good faith or the reliability of collaborators – at all levels – as well as of visitors, clients or contractors accessing the company is no longer the point: the device may be under someone else’s control without its owner knowing. When important or confidential topics are discussed, the best precaution would be to forbid any mobile device nearby, to avoid any information leak.
Archive devices
A smartphone can be used as an external hard disk. It is enough to connect it, through a cable or via Wi-Fi, to a PC or another device to extract a huge quantity of data, which in this way passes from the company’s network to the private device. Such a transfer can be observed in real time if the company has set up traceability systems, or can even be forbidden if USB ports are sealed and users do not have the privileged access that would allow them to activate Wi-Fi connections on their professional PC. Nevertheless, the transfer and exfiltration of data can also take place through other channels which are not traceable and cannot be confined, like recording a videoconference with the smartphone’s video camera. Even if such a practice is not easy to enact, it is possible and, when we speak about vital information whose exfiltration is of the highest importance to a third party, the costs of acquiring the skills and techniques of extraction, and eventually also of decryption, are perfectly justified. It is useless to recall here that everything recorded on a device, whether legally or illegally, is also exposed to all the risks arising from a possible loss or theft of the device, or from poorly monitored management of the Wi-Fi and USB connections as well as of the device itself. Of course, in the case of an illegal information exfiltration, the criminal using the device has certainly taken all the necessary precautions to avoid such a risk.
Wi-Fi routers and similar devices
Another possible use of the device is as a Wi-Fi router, through which one can connect all the poorly protected devices of the company simply by using the mobile Internet connection. If the company’s devices are, at the same time, connected to the intranet, one can create a breach inside the security perimeter: in other words, the new connection will not be stopped by the firewall and the other tools protecting against external threats. For this reason, and also to avoid any exfiltration of documents through Wi-Fi connections, companies should disable even the possibility of creating new connections on their own devices.
BYOD (Bring your own device)
Even if an ever-growing number of companies allow the use of personal devices for professional purposes, this does not mean it is safe: it comes with several risks, sometimes very serious ones, threatening the company itself. The security problems of the device can have a knock-on effect on the confidentiality of the company’s information, even if well-articulated and complex rules and norms are implemented on the precise conditions of use of such practices. Even the simple possibility of accessing professional email from the mobile device, avoiding a risky direct access to the network, is anything but a safe practice. Accessing email implies being able to download attachments as well as the emails themselves, each of which ends up stored on the mobile device, whose security level the company can in no way defend appropriately. Moreover, the company may face objective difficulties in carrying out controls on the employee’s device. In this sense, companies should acquire tools able to recognize any device attempting to connect to their servers remotely, identifying it as a company device or a private one and, in the second case, forbidding the connection.
Time occupation within the company
It may seem banal to recall here that the availability of a mobile device whose multiple communication channels are active (voice, SMS, MMS, WhatsApp…) means that during work hours, a part of the employees’ time is devoted to relations within their own personal network. This fact does not necessarily have a negative connotation, as balancing work and private life is increasingly the focus of companies as well as of lawmakers, and was recently established and highlighted by the new Italian legislation on agile work. It is hence opportune not to build the company’s policies around a concept of blocking access, which would be in contrast with reality. What companies must do is establish clear rules on the use of mobile devices wherever effective risks to their security exist.
BIO Giancarlo Butti, MBA in Business management and organization development from the Polytechnic University of Milan, is passionate about ICT, its organization and the rules to be implemented, topics he has dealt with since the beginning of the 80’s. He held several positions within major banking institutions (security manager, project manager and auditor) before becoming a security and confidentiality senior consultant for a huge number of companies of different sizes active in diverse sectors. Besides his professional activities, he likes to share his knowledge through articles, books, white papers, technical manuals, lessons, seminars or speeches at congresses. He is a regular teacher on topics covering confidentiality, audit and ICT compliance within ABI (Italian Banking Institute) Training, but also within CETIF, ITER, INFORMA BANCA, CONVENIA, CLUSIT, IKN, and at the State University of Milan. Author of more than 700 articles and regular collaborator of more than 10 online media and 20 traditional ones, he has published 21 books / white papers, some of them used as university manuals; he also participated in the writing of nine collective volumes published at the request of ABI LAB, Oracle Community for Security, CLUSIT… He is a member and coopted expert of the AIEA, and a member of CLUSIT and of the BCI. He takes part in the working groups within ABI LAB on Business Continuity, Digital risks and GDPR, while also being active within the working groups of ISACA-AIEA dedicated to Privacy EU and 263, of Oracle Community on security and fraud, eIDAS, transaction security, SOCs, of UNINFO on professional profiles for confidentiality, and of ASSOGESTIONI on GDPR… He is a member of the ABI Training Faculty and of the Roster of Experts for Innovation within OMAT360, and is among the coordinators of www.europrivacy.info. He holds the LA BS7799, LA ISO/IEC 27001, CRISC, ISM, DPO, CBCI and AMCBI certificates.
Cyber criminals have no boundaries! Dakar, Senegal
The relentless growth in cyber attacks
We tend to think of cyber crime as a western threat. But it’s just as real in developing countries, where progress is accelerated and technology tends to ‘leapfrog’. From cyber criminals, state actors and hacktivists conducting DDoS attacks to industrial espionage, intelligence gathering and attempts to steal sensitive information, the rise in cyber attacks affects businesses everywhere. According to Forbes, cyber crime costs are projected to reach $2 trillion by 2019.
Author: Marco Essomba
CTO, iCyber-Security Group Ltd
Dakar – major trading hub in West Africa
Sometimes life as an entrepreneur and business founder can take you to some unexpected places! Recently, I spent a week in Dakar, Senegal, West Africa on a project to train security engineers from the Government’s Tax Office to protect their network infrastructure and online applications against cyber attacks. Like most countries, organisations in Senegal are battling with the growing worldwide threat of cybercrime and the urgent need to protect their digital assets to safely conduct business online.
The Republic of Senegal, Africa’s westernmost country, borders the North Atlantic Ocean between Guinea-Bissau and Mauritania, and has a beautiful coastline and beaches. Business here is buzzing; Senegal is considered a very peaceful and stable democracy compared to many other African countries. In 2016, a constitutional referendum reduced the term of presidents to five years with a maximum of two consecutive terms. Senegal’s capital, Dakar, is now the major trading hub in West Africa. To reinforce this strategic position, the Government is embarking on a huge digital transformation driven by online services (e-services). Businesses and citizens will soon be able to pay taxes online, from anywhere, any device, and anytime! Senegal is leading by example in Africa’s digital revolution.
BIO Marco Essomba is a Certified Application Delivery Networking and Cyber Security Expert with an industry leading reputation. He is the founder and CTO of iCyber-Security Group, a leading edge UK based cyber security firm providing complete and cost effective digital protection solutions to SMEs. iCyber-Security’s cyber defence platform (iCyber-Shield) gives total visibility & control over your entire security infrastructure. The product is listed on the London Digital Security Centre MarketPlace. Let’s connect on Twitter: 22K+ followers –> @marcoessomba Let’s connect on LinkedIn: 10K+ followers: https://uk.linkedin.com/in/marcoessomba
Frictionless e-borders
Upon landing at Leopold Sedar Senghor International Airport, the passport checking process is very smooth: fingerprint readers, digital passport scans, and luggage scanning on the way out of the airport. Security seems very tight.
Hustling with the locals
Defending-in-depth. Defending-in-layers.
I take a taxi from the airport – most African taxis are painted yellow so are easy to spot. I want to experience the local “hustle” common in Africa where price is relative and can always be negotiated. My win-win style of negotiation stands me in good stead. I sit in the front of the cab to get the most out of the taxi driver and put my French to good use. Soon I succeed in getting a discount – happy days! Off to a great start and with my French in full swing, the driver spots my English accent and instantly switches to English. He’s keen to show off his own skill and I’m happy to oblige. He’s confident and fluid. “How do you speak such good English,” I ask. “I had no schooling. Just talking to people here at the airport”, he replies.
Back to my mission – training and empowering security engineers at the Government of Senegal Tax Office and helping them plan, design and implement a full stack secure infrastructure to assist the digital transformation. To make various government services available online via an e-portal, there is a growing need to make the network infrastructure and applications very fast, secure, and always-available. It requires country-wide data centres that can scale on demand allowing businesses and taxpayers to update their tax online. Of course, all this also comes with risks associated with online services and e-commerce. And that’s exactly why I find myself here, in my role as security consultant in one of my most exotic work locations ever! It’s clear to me that Dakar means business. Where there is connectivity and online business cyber criminals will come. But by recognising and addressing potential threats in advance, local organisations in Senegal will be well prepared and ready for them. And if they need any extra help – I’d love to come back!
Internet boost
I can feel the huge connectivity boost here. I have 4G on my phone. The Internet connection is very fast. Response times are negligible. Everywhere I look, people are on their mobile phones. Texting, chatting, and on social media. It’s clear that connectivity is not an issue here in Dakar.
Be prepared for 25th May 2018 – get a GDPR Readiness Review
Apply for a GDPR status review based on the context of your own organisation to understand how prepared you already are for GDPR. The review takes into account both processes and technology, and whether they are private and secure by design. The review also identifies shortfalls in existing documentation. The Action Plan delivered in your report includes staff training, insurance, breach reporting, disaster recovery and much more that needs to be borne in mind. Your Readiness Report summarises GDPR, the context for your organisation, your own Action Plan, your milestones, available support and Appendices on GDPR relevance to you. As a business leader, you need to understand how GDPR will impact your organisation, including what preparations are required to align your processes to comply with GDPR.
For further information contact Mark Sipe: mark.sipe@icyber-security.com / +44 7712 272844.
Focus - Cybersecurity Trends
C4, Cyber and Digital Transformation
Author: Olivier Kempf
Since the 1980s, we have seen several successive computer cycles: the first was that of personal computers, in the 1980s. Then came the Internet, during the 1990s. Then came the age of social networks and Web 2.0 in the 2000s. Today we are facing a fourth cycle, that of digital transformation (DT), which is shaking our societies, and the economic world in particular, more violently. One could of course call this whole massive computer world “cyberspace”.
These different cycles each had their counterpart in the strategic field: first network-centric warfare, then the cyberdefence / cybersecurity couple. The current DT will also produce a particular strategic incarnation. Let’s try to find out which.
I. Network-centric warfare
After all, we are not very far from the digitization of the battle space and networked warfare. The rise of computing raised strategic concerns very early on. As far back as the early 1960s, the United States founded DARPA to cope with Soviet efforts in computation, in what was then called cybernetics: this fact deserves to be remembered when we know the role played by DARPA in the invention of the Internet. This concern was later transformed by Zbigniew Brzezinski who, as early as 1975, was talking about the Technetronic Revolution (for him, computer power was the means of victory over Soviet power). More recently, we must plunge back into the debates of the 1990s on the Revolution in Military Affairs (RMA): the point at that time was to take into account the effect of personal computers but also of mass networking. All these debates illustrate a single perception: computer power provides new means to the armies. IT is seen only as a tool, a force multiplier. It applies to both weapons and staffs. The networking of staffs and the embedding of computers in weapons bring an increase in effectiveness. We now talk about weapon systems and command systems. And it is true that efficiency is achieved: observe the accuracy of missiles or the capabilities of a modern fighter... Now, a plane is no longer a bomb carrier; it is a computer that flies and that transports computers that explode on targets previously identified and designated by other networked computers. This embedded computing is therefore the natural target of cyber attackers. Against a falling bomb one could only take shelter; now one can imagine sending it malicious code that, by feeding it false information, deflects the projectile from its trajectory. But it is in terms of command that the evolution is clearest. The Anglo-Saxons use the term Command and Control to designate it, simplified to C2. During the 1990s, the computerization of the command function led to the building of a C4, then C4I, then C4ISR, then C4ISTAR and then... I have lost count. Let’s go back to our C4 (the ISR function is specific to intelligence): it is not only Command and Control but also Communication and Computer. The command function has been automated through networked computing. The aim, remember, was to dispel the fog of war but also to accelerate the OODA loop. The method was able to give results (think of the two Gulf Wars) without convincing anyone that it was enough to win a war (think of Afghanistan and Iraq).
BIO
Olivier Kempf is a strategist who has specialised in cyber for a decade. A member of the scientific panel of the “Forum International de Cybersécurité” of Lille, he holds a PhD in Political Science and directs the “Cyberstratégie” collection of the Economica publishing house. He is the editor of the strategic intelligence newsletter La Vigie (www.lettrevigie.com).
Basically, this network warfare is a very utilitarian and very “top-down” form of war. All practitioners know that command-and-control networks are often used to feed information upward and to increase micromanagement by the higher command.
II. Size and inaccuracy of cyberspace
When we talked about cyberspace, it was a question of understanding and characterizing this distributed and networked computing, but also of identifying its strategic characteristics. Little by little, we have forgotten the notion of cyberspace and switched to cyberdefence and cybersecurity. This shift occurred during the 2010s. The first cases of cyber aggression date back to the 1980s (Cuckoo’s Egg in 1986, the Morris Worm in 1988). With more systematic attacks (the first denial of service attack in 1995, the first known attack against the DoD in 1998, the first “international” affair with Moonlight Maze in 1998), strategy takes hold of the phenomenon. It joins the debate of the time on the Revolution in Military Affairs, which evokes network-centric warfare. Arquilla and Ronfeldt merge the two approaches and announce in 1997 that “Cyberwar is coming”. These questions spread during the 2000s. The creation of a Cyber Command (2009), the Stuxnet case in 2010 and Snowden’s revelations about the NSA (2013) show that the United States is very advanced on the subject. In France, from the 2008 White Paper onward, cyber is identified as a new strategic factor, an approach highlighted even more in the 2013 White Paper. NATO seizes the subject following the aggression against Estonia (2007), commonly attributed to Russia, although, as almost always in cyber, the evidence is lacking. Of interest, cyber is on the scale of threats: from now on, a cyber aggression could, if need be, bring about the invocation of Article 5 of the Washington Treaty. The Allies even agree to define cyber as “a fighting domain of operations”, just like the physical environments. Without going into conceptual debates about the correctness of this assimilation, let us note that this globalizing approach stuffs everything that is computing into a single cyber pot. Is it so simple?
It must indeed be noted that the notion of cyber has evolved. Other prefixes and adjectives have succeeded it: electronic (e-reputation, e-commerce), Internet, or simply digital. This semantic evolution confines cyber to the field of security, defence and strategy. Our colloquium is a cybersecurity conference, the Lille Forum is an International Cybersecurity Forum, the US command is a Cyber Command. Basically, if ten years ago there was fear of a lack of awareness of the dangers of cyberspace, it must be noted that the transplant finally took, and cyber now precisely designates the protection function that surrounds computer activities of all kinds. From now on, when we talk about cyber, we talk about the conflict associated with cyberspace, whether it is about crime or defence: on the one hand, we have the characteristics of protection and defence proper; on the other, the characteristics of aggression, typically espionage, sabotage and subversion. This activity is practised in the three layers of cyberspace (physical, logical, semantic). For simplicity, cyber now deals with the fight in which computers are used to achieve one’s ends. Networks and computers are the means by which various weapons (worms, viruses, Trojan horses, DDoS, fakes, hoaxes...) reach the opposing system in order to neutralize it, corrupt it, destroy it or lure it. Cyber defence is primarily a matter of network protection (cybersecurity). It carries other classic, more aggressive functions (monitoring, influence, sabotage). It relies on control of networks, data and flows, which often requires quotas and restrictions on their use, whether through computer hygiene or through more secure devices, hardened according to the information they handle. In other words, cybersecurity tends to restrict usage.
III. What is new in the digital transformation?
So we are in the presence of two ways of using computers. On the one hand, IT is seen as a tool: we digitize existing processes but respect the intrinsic logic that existed before, that of the hierarchy. On the other hand, we see IT as a tool that can attack other similar tools and thus reduce the efficiency sought in the first place. Is the new computer revolution we are experiencing radically changing things? Why and how? To answer this, let’s try to characterize it. We can of course mention the new tools and focus on the technical angle: from cloud computing to blockchain, from big data to artificial intelligence, we are witnessing a kind of speed race that constitutes a new computer revolution. It is based on a multiplication of data flows and exchanges, and thus a liberation of uses, in private companies as well as in public organizations. However, this technological approach does not seem to us the most relevant. It is better to watch the actors. DT is based on ultra-mobility, attention to users, decentralized uses and agile product development methods. Whereas until now the system was the actor, now the individual is at the centre of the system. He consumes and produces data in ever greater quantities. His behaviour and uses change accordingly. His local decisions gain importance and permanently affect the functioning of the system. He now has much more initiative and skill. He is immersed in an increasingly computerized environment, with sensors multiplied and integrated into complex processes, which considerably reduces manual data entry, increases the reliability of the data and allows better use of their growing volume. Basically, quantity makes quality. This primacy of the individual causes a radical transformation of professional relationships.
The leader is no longer the one who distributes the tasks, but the one who maintains the meaning and direction of the group’s action, the group being able to self-regulate better thanks to the tools. Basically, while the previous logic was top-down, the new one is structurally bottom-up.
It is not a question of dispossessing the top of its prerogatives. On the contrary, since the bottom is gaining in competence and autonomy and at the same time provides much more reliable and considerably more data, the top can devote itself to more complex tasks, especially since it too benefits from the new tools of the computer revolution: Big Data and Artificial Intelligence are made possible globally by the volumes of data but also by the ever-increasing power of computers. Basically, the computer revolution is not going to transform social and hierarchical relationships. It is in this sense that big companies have started their own reform, and the armies are following suit.
Beyond this ultra-mobility, the underlying issue is that of data, whose already huge volume will grow in unsuspected proportions, whether through new uses or the Internet of Things. Data is the energy of the 21st century, the source of wealth and power of tomorrow. Each new energy has caused a strategic transformation: steam brought the railway and wider logistics; gasoline gave rise to the mechanization of forces and the tank-plane combination; nuclear power gave rise to deterrence, whose strategic effect is well established. Data will trigger a strategic transformation of the same magnitude.
Conclusion
But what are the consequences for our two previous computer cycles? That of the C4 will undoubtedly give way to greater decentralization and therefore to a new mode of command and control. But it will benefit from the advanced computing tools of Big Data and AI, and from access to ever more data sources, those of its own systems as well as those of open systems. That of cyber poses the question of attack and defence: in other words, the old dialectic of the cannonball and the cuirass. It is likely that this dialectic will persist. Note, however, that the cannonball and the armour agree on the same goal: to pierce (or protect) a fortress that houses a treasure (the city, the keep, the state secret, the nuclear codes). Is this logic still relevant? Should we always protect “the data” (or the network)? Should we not think instead about defending a use, a mobility? Should we think not of perimeter defence or defence in depth (which are the major cybersecurity schemes) but of a mobile defence based on fugacity? These are the strategic issues that will open up and that will spark a fruitful dialogue between strategists and technicians. This debate is open...
A pearl of culture: Bluetooth
Author: Laurent Chrzanovski
BIO
Laurent Chrzanovski (HDR Postdoc PhD MA BA) is a Professor at the Doctoral and Postdoctoral School of Social Sciences at the University of Sibiu (Romania). Thanks to his work experience in 12 European and South Mediterranean countries, he has since 2010 expanded his fields of research into the social, behavioural, cultural and geopolitical aspects of cyber security. As such, he is a member of the ITU (UN-Geneva) cyber-security expert group and a contract consultant for the same institution, as well as for several Swiss and French think-tanks (PPP). He founded in 2013, and continues to run, “Cybersecurity in Romania”, a macro-regional public-private platform (www.cybersecurityromania.ro), supported by the ITU, all related public institutions in the host country, as well as many other specialist organizations from France, Switzerland, Italy and the United Kingdom. In the same spirit, he co-founded in 2015, and is editor-in-chief of, one of the very few free quarterly cyber-prevention journals (a PPP) designed for the general public. Originally intended for Romanian audiences, Cybersecurity Trends is today published, with the collaboration of prestigious specialist partners, in multiple languages adapted to French, Italian, English (as of June 2017) and German (as of September 2017) audiences (https://issuu.com/cybersecuritytrends). It should be noted that the Congress and the magazine have been promoted and supported by the ITU since 2015 as the “Best Practice Example for the European Continent”. Laurent Chrzanovski is the author / editor of 23 books, of more than 100 scientific articles and of as many other texts intended for the general public.
Nowadays, we might have been communicating via “Club-foot”. That would have been the case if a consortium of Indian and Soviet industries had adopted for commercial use the Frequency Hopping Spread Spectrum, patented in 1941 under the name Secret Communication System and conceived for guiding navy torpedoes.
Logically, wanting a simple name linked to a great historical figure common to both, such a consortium would have opted for Timur (Tamerlane), the conqueror who left us, among other beauties, Samarkand, Bukhara and Khiva but also, thanks to his descendants who conquered the northern part of India, the Taj Mahal. His name, Timur-i-lang, means Timur the lame or Timur club-foot, the lifelong consequence of a heavy fall from a horse in his youth. Yet destiny decided otherwise. A Scandinavian consortium bringing together Ericsson and Nokia, in its research on connecting different devices wirelessly, created in 1998 a Special Interest Group for this purpose, in cooperation with the American giants IBM and Intel as well as the Japanese Toshiba. When the group had finalized the operational details, and before going to market with the new technology, a long closed-doors conversation took place with the aim of finding a name, even a provisional one, for this new connectivity tool. Then an Intel engineer, Jim Kardach, passionate about history, suggested using Bluetooth (Blåtand), the posthumous [1] nickname of Harald Gormsson, the first Viking king to become a Christian. With this new religion he succeeded in federating all the Danish tribes [2], exactly as the new connectivity would federate all IT&C tools already equipped with wi-fi functionality. Such was the technical committee’s decision, pending a more attractive brand from the marketing teams. Instead, the latter, working on Harald, succeeded in building the logo in record time: they simply merged, in an oval frame as blue as the tooth, the two runic initials corresponding to H (for Harald) and B (for Blåtand).
Today, more than 2.5 billion devices are equipped with this functionality and Bluetooth is promised a bright future [3]. But is it safe to use this technology? As with any very popular tool, the answer is yes, but with caution. As an open system, Bluetooth was not born to be particularly resilient, but to be extraordinarily performant in its tasks. There are a huge number of ways to hack any device with Bluetooth enabled, and we know many countermeasures against them [4]. In September 2017, US-CERT [5] as well as almost all niche media raised the alarm about a new vulnerability, dubbed BlueBorne [6], by which an intruder takes the place of the legitimate connection in order to infiltrate PCs, smartphones and tablets via their Bluetooth receiver, affecting all existing systems (PC, iOS, Android, Linux kernel). Apple and Microsoft quickly delivered the necessary patches, meaning that iOS 10 as well as Microsoft users, duly updated, are now safe, but not smartphones running on Android. Nevertheless, the first essential precaution for a simple user is to systematically switch off Bluetooth when it is not needed, exactly as the article on BlueBorne underlined in its subtitle: “A good reason to turn off Bluetooth when you’re not using it”. As a matter of fact, as with many other exploits before it, BlueBorne could not rob its victims outside the transmission/reception range of the hacker’s device, and only if the Bluetooth function was enabled. If you are active in the field of business security, there are many precautions to take and perimeters to establish. For this, the National Institute of Standards and Technology (NIST) published in 2016 a complete manual, the “Guide to Bluetooth Security”, now at its second draft revision.
This booklet, dedicated to CISOs, CSOs and CIOs but also to Risk Managers, is a “must” to download and read in order to take the best decisions for each area of the ecosystem to be defended [7]. Alternatively, the seminar paper “Bluetooth Security” by Prof. Antan Giousouf of the Communications Security department of Ruhr University [8], crystal-clear and well illustrated, could be a more agreeable-to-read alternative to the NIST guide, allowing one to quickly form a holistic idea of the problem and how to mitigate it.
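The precaution the article insists on, keeping Bluetooth off when it is not in use, is easy to state and easy to forget on a fleet of laptops. As an added example (not code from the article, the NIST guide or the seminar paper), the following POSIX shell function audits that state on Linux: it parses the text of `rfkill list` and reports, for every Bluetooth radio, whether it is enabled (neither soft- nor hard-blocked), returning a non-zero status if any radio is still on. The sample `rfkill` output embedded below is constructed for the demonstration; the radio names `hci0`/`hci1` are assumed.

```shell
#!/bin/sh
# Bluetooth radio audit: added example, not part of the original article.
# Assumes a Linux host with the `rfkill` utility (util-linux); the output
# format parsed here is the classic "N: name: Type / Soft blocked / Hard blocked" layout.

# bt_audit TEXT
#   TEXT is the output of `rfkill list`, passed explicitly so the parser can be
#   exercised on captured output without a radio present.
#   Prints "<radio> on|off" per Bluetooth radio; exit status 1 if any radio is on.
bt_audit() {
    printf '%s\n' "$1" | awk '
        # Header line: "1: hci0: Bluetooth"  -> remember name and type
        /^[0-9]+: / { name = $2; sub(":", "", name); type = $3 }
        /Soft blocked:/ { soft = $3 }
        /Hard blocked:/ {
            hard = $3
            if (type == "Bluetooth") {
                # A radio is usable only when neither block is in place
                state = (soft == "no" && hard == "no") ? "on" : "off"
                print name, state
                if (state == "on") found = 1
            }
        }
        END { exit (found ? 1 : 0) }'
}

# Convenience wrapper for a live check on the current host (not run here).
bt_audit_live() {
    bt_audit "$(rfkill list)"
}

# Constructed sample output: one Wi-Fi radio, one enabled Bluetooth radio and
# one soft-blocked Bluetooth radio (the names hci0/hci1 are assumptions).
BT_SAMPLE_MIXED=$(printf '0: phy0: Wireless LAN\n\tSoft blocked: no\n\tHard blocked: no\n1: hci0: Bluetooth\n\tSoft blocked: no\n\tHard blocked: no\n2: hci1: Bluetooth\n\tSoft blocked: yes\n\tHard blocked: no\n')
# Constructed sample where the only Bluetooth radio is blocked (the compliant case).
BT_SAMPLE_OFF=$(printf '1: hci0: Bluetooth\n\tSoft blocked: yes\n\tHard blocked: no\n')

# Demonstration on the constructed samples.
if bt_audit "$BT_SAMPLE_MIXED"; then
    echo "mixed sample: all Bluetooth radios off"
else
    echo "mixed sample: at least one Bluetooth radio still enabled"
fi
if bt_audit "$BT_SAMPLE_OFF"; then
    echo "off sample: all Bluetooth radios off"
fi
```

Run `bt_audit_live` from a cron job or a configuration-management check to flag machines whose radios are enabled outside the hours they are needed; `rfkill` reports block state, so a radio that is unblocked but idle still counts as "on", which is exactly the exposure the article describes.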
[1] The nickname seems to appear some 30 years after the death of the king. There is no attestation of it in the documents we have that are contemporary with Harald’s life, such as the famous sacred runic stone the monarch erected in the sanctuary of Jelling; cf. A. Pedersen, Monumenterne i Jelling. Fornyet tradition på tærsklen til en ny tid (The Jelling Monuments – Expressions of tradition on the threshold of a new era), in M. Manøe Bjerregaard, M. Runge (eds.), At være i centrum. Magt og minde – højstatusbegravelser i udvalgte centre 950-1450. Rapport fra tværfagligt seminar afholdt i Odense, 10. februar 2016, vol. 1, Odense 2017, pp. 5-22. On Harald, see the excellent booklet by Prof. Sven Rosborn from Malmö as well as the book J. Langer, M. Lutfe Ayoub (eds.), Unraveling the Vikings: Studies of Medieval Norse Culture (Desvendando os vikings: estudos de cultura nórdica medieval), Pessoa 2016.
[2] Cf. H. Janson, Vikingar och kristendom. Några huvudlinjer i och kring den kyrkopolitiska utvecklingen i Norden ca. 800-1100, in Historieforum: Tidskrift för historisk debatt, nr 2 (2009), pp. 58-88.
[3] Information from “A short history of Bluetooth”, an article published by Nordic Semiconductor, available at: https://www.nordicsemi.com/eng/News/ULP-Wireless-Update/A-shorthistory-of-Bluetooth
[4] Cf. K. Haataja, K. Hyppönen, S. Pasanen, P. Toivanen, Bluetooth Security Attacks. Comparative Analysis, Attacks and Countermeasures, Cham 2013 (Springer), 88 pp.
[5] Technical description of BlueBorne and its functionalities: https://www.kb.cert.org/vuls/id/240311
[6] https://www.theverge.com/2017/9/12/16294904/bluetooth-hack-exploit-android-linux-blueborne
[7] https://csrc.nist.gov/publications/drafts/800-121/sp800_121_r2_draft.pdf
[8] https://www.emsec.rub.de/media/crypto/attachments/files/2011/04/seminar_giousof_bluetooth.pdf
Copyright © 2018 Pear Media SRL, Swiss WebAcademy and iCyber-Security. All rights reserved.
Redaction: Laurent Chrzanovski and Romulus Maier (all editions). For the iCyber-Security edition: Norman Frankel.
ISSN 2559 - 6136 / ISSN-L 2559 - 6136
Addresses: Bd. Dimitrie Cantemir nr. 12-14, sc. D, et. 2, ap. 10, district 4, 040234 Bucharest, Romania. Tel: 021-3309282 / Fax 021-3309285. Griffins Court, 24-32 London Road, Newbury, Berkshire, RG14 1JX, UK, +44 800 086 9544.
www.icyber-security.com https://cybersecuritytrends.uk/ www.icyber-academy.com www.cybersecuritytrends.ro www.agora.ro www.swissacademy.eu