Take Me To Cuba
by Stuart Corner
OF CUBA, CARS … AND CYBERSECURITY
Are you old enough, and fortunate enough, to have experienced air travel in the 1960s and 1970s? It was, Kendra Ross told the AusCERT2021 conference, “The golden age of flying … a glorious time, for those who could afford it.”
What’s this got to do with cybersecurity? In a presentation titled Take Me To Cuba, Ross and her co-presenter, Mike Seddon, drew parallels between cybersecurity and the history of airline security, along with parallels between cybersecurity and vehicle, building and worker safety.
Their most important conclusion was that, in many industries, effective regulation is rarely pre-emptive and comes only after a major event or when safety failures reach epidemic levels; and that we are on the verge of one, or possibly both, of these in cybersecurity.
In the halcyon early days of airline travel, security was non-existent. “You could just rock on up and grab a ticket before your flight because there was no prescreening of passengers or anyone before you got on the flight,” Ross said.
“And you could take whatever you wanted in your hand luggage. In 1976 my mother actually packed her vegetable knives because she said those in the motels were too blunt. Security was all about protecting you on the ground from pickpockets, and from thieves.”
Air travel security changed for ever after 9/11 but in the eighties and nineties was progressively ramped up, in the US at least, after hijacking became an almost daily occurrence, perpetrated by people wanting to go to Cuba. Hence the title of their presentation.
“Between 1968 to 1972 there were 326 hijackings around the world. One hundred and thirty of those were in the US alone, and of those 91 went to Cuba,” Ross said. “People would actually get on the plane and say to the hostess ‘Take me to Cuba’.”
HAVE A HIJACK HOLIDAY IN CUBA
Rather than being a terrifying ordeal, Ross said, these experiences were rather good fun, for passengers at least. “The airlines were footing the bill. Flight staff were trained to comply with all the hijackers’ wishes. Pilots, no matter where they flew in the US, carried maps of Havana Airport. Once there, passengers and crew were put up in five star hotels. There were endless cocktails, beautiful food and exotic entertainment.
“Castro built quite a little empire off the back of this, because he would charge the airlines and the US government for releasing the planes. Usually within 24 hours the planes were back in the air and returning to US soil. … During that period, over 1000 Americans went to Cuba unexpectedly.”
Of course, it didn’t last. By the early 1970s, some US flights carried armed air marshals. One shot and killed a hijacker. The pilot decided to make a statement by dumping his body onto the tarmac. The world’s press were watching. Under pressure, then US president Richard Nixon mandated that all airports install X-Ray machines and metal detectors.
Fast forward to 2001. In the intervening years there were few hijackings, and security had become lax, Ross said, such that the 9/11 hijackers “actually set off the metal detectors, and subsequent photos and images showed they were carrying box cutters and small knives. However, those were allowed domestically at the time. Some of the hijackers didn’t have proper ID, but they were allowed onto the plane.”
PUTTING PROFIT BEFORE SAFETY
More telling were the systemic failures in airport security. “Perhaps the biggest failing was that aviation security had been outsourced to private companies. It had become an increasingly competitive landscape, and often the lowest bidders won. It was simple economics. There was little investment and staff training. They paid minimum wages so they didn’t attract the best of the best. Their equipment was old and outdated.”
The US Government took control over aviation security “because they could see that private enterprise was about returning a profit to shareholders.”
Seddon then took the AusCERT2021 audience—online and at the Star Hotel on Queensland’s Gold Coast—through the history of building, worker health and safety and motor vehicle standards: the latter not always welcomed by customers.
“In the 1950s the Ford Motor company made available an upgrade called the Lifeguard Package. It included lap belts in the front seat, a padded dashboard and safety glass. It didn’t sell well, customers didn’t demand it.”
SENDING THE WRONG SAFETY MESSAGE
And manufacturers worried that any promotion of safety might backfire. “The car manufacturers were scared. They were fearful that, if they offered a safety upgrade, their customers might think their cars were unsafe when compared to competitors’ vehicles when those competitors weren’t offering a safety upgrade.”
That started to change in the 1970s when independent crash testing enabled customers to understand the safety features and flaws of different models.
“That safety rating has evolved. We all know it now as the NCAP five star safety rating that consumers can now use to compare apples with apples,” he said. “They are looking at a simple metric, and are able to pick a safer car over a less safe car. Insurance companies have also been able to incentivise customers to buy safer vehicles by reducing the premiums for those that have a five star safety rating.”
In the case of building safety, regulatory intervention is centuries old. “The Great Fire of London resulted in building and urban planning standards that didn’t exist before,” Seddon said. “Similar catastrophic events, in those days often fires, in other countries evolved into building standards.”
In the case of worker health and safety, regulation has been effective in reducing death and injury. “New Zealand’s Health and Safety at Work Act was introduced in 2015 …. As it came into effect the number of fatalities dropped to about 50 to 70 percent of what they had been in previous years. … One of the reasons is that boards of directors and CEOs are personally liable, which has resulted in health and safety featuring on the agenda of every board meeting.”
THE HUMAN FACTOR STAYS THE SAME
Safety in all these industries might seem to have little in common with cyber safety, but Seddon said there were some things in common. “One of those is people; why they do what they do, or don’t do what they should. Every industry may be unique, but people generally act the same. Those within that industry may understand the problem and how to fix it, but without understanding the issues, those outside the industry don’t know what controls are for until it affects them personally.
“So people are resistant to change until they understand the benefits. Being more transparent about safety controls will allow the consumer of a product or service to make a more informed choice. And as people see companies valuing their data and privacy, they are increasingly turning this into a competitive advantage.”
ANTICIPATING A CYBERSECURITY CATASTROPHE
A more important lesson from these industries, Ross suggested, was that “We’ve seen that terrible events have been the catalyst for governments and regulatory bodies becoming involved. We believe, on the infosec side, we’re on that pathway now.
“A common theme across all of those industries was that they did well when there were global standards that could be deployed at a local level. We can take really good local standards and take them out to a global level. We need to do it at speed. And our legislation and regulation needs to keep up because we’ve done five years of digitisation and transformation in the last nine months.
“We’re heading down the track of a pandemic or epidemic level of cyber incidents. And we’re hoping this conversation has created some new thinking and provoked a conversation around some of the lessons and ideas we can bring in.”