Security can’t be purely the responsibility of the government, the police, the security industry, the ISPs, the public sector, private industry, or any permutation thereof.
Here are some further thoughts arising from the ACPO National Cyber Crime Conference held recently in the UK*.
DAC Janet Williams, ACPO’s e-Crime lead, summarized the current initiatives along these lines (apologies if I’ve introduced too many of my own preconceptions):
- The UK intends to tackle cybercrime and make this one of the safest places to do business, safe for business and for the general public, as well as countering cyberthreats against the Critical National Infrastructure. The cyber-realm is not seen as a battle space, but as an enabler: whereas some states see it as an issue of national sovereignty and focus primarily on control, the UK view focuses on protecting individual privacy and expression online. This is too important to be left to governments.
- UK law enforcement is increasing its capacity and capability with the intention of gathering and understanding better threat intelligence, and providing an appropriate response. To this end, it is working towards a different way of working with industry.
I interpret this to include recognition that a one-way flow of intelligence towards law enforcement agencies isn’t sufficient: the police need to work with industry and academia, and build trust. I’ve spent a certain amount of time liaising more-or-less informally with police forces in various contexts in recent years. Most of the time, the information flow has been almost entirely one-way. Given the nature of some ongoing investigations, that’s probably inevitable and necessary, but it inevitably restricts the outsider’s capacity to contribute information. I understand, for instance, that the complexities of legislation governing forensic examination of media containing child-abusive images make it unfeasible to allow first-hand examination of a disk image, but there’s often little information a security vendor can supply on the basis of a partial AV scan log and no indication of the nature of the investigation. The constantly recurring conference theme of working with other sectors rather than using them purely as an information feed into a black box seems a more positive approach, if not risk-free.
I do have a concern that many speakers seemed to see industry’s primary role as a provider of the statistics that are needed to underpin law enforcement’s claim to the available resources. That’s not only a limiting view of what intelligence the security community in particular can provide: it also introduces the risk of placing too much emphasis on quantification of what is essentially unquantifiable. The world (or at any rate, the media) is obsessed with crime and threat statistics, and the security industry is eager to fill that vacuum in return for column inches, but those statistics are almost invariably based on extrapolation from a limited population. That population may represent many millions of Internet users, and yet not be truly representative of the 2,267,233,742 users estimated by the Miniwatts Marketing Group to have Internet connectivity as of December 31st 2011. The police service in the UK may be primarily concerned with the welfare of the UK, but it recognizes that online crime is not restricted by geographical borders. In terms of apprehending cyber-criminals, that was rightly addressed by DAC Williams in terms of attributing an attack to a real person, not just an IP address, a “handle” or alias, or even a country. But how often is that degree of granularity feasible in the wider statistical context, when it can be a significant forensic task to trace the origin of a single email?
Subsequent speaker Inspector Alan Seldon added another dimension to the issue of engagement with industry and academia by talking about “Cyber Specials”: industry specialists working with the police, either with the support of their employers or as volunteers in their own time. The advantages to the police service – and the budget-allocators behind it – of this approach to reducing an acknowledged skills gap within the service are obvious. The security community (and by that I mean security specialists in all industries and sectors, not just the security industry) has a head start on experience and information security expertise, as well as “the best toys” (although CSI: New York already seems to have those…). But what does industry get in return? DCC Peter Davies (CEOP) suggests that our drivers are a sense of altruism and social responsibility, benefits by association, and opportunities for staff development. All true – the security community would be infinitely smaller if we were all incapable of altruism, and security isn’t always the optimum career choice for those with an overpowering need to be loved and respected – but there is also a stern practical reason. Markets where criminal activity is effectively controlled are also better places to make and keep (legitimate) profits, unless your marketing is based purely on fear. If partnership with industry gives the police service enhanced capacity and capability, intelligence and operational capability, that makes for a safer community.
Another persistent motif of the conference was the need to raise awareness and understanding. Firstly, in the context of mainstreaming: that is, “raising the bottom bar” by giving non-specialist police training in and better understanding of the field, so that they are better equipped to handle investigations – it seems to be a given that cybercrime (or crime with an IT dimension, to avoid getting too entangled in definitions) is where the money is, certainly at all levels of fraud, and already dwarfs what we might call conventional or street crime. And, of course, to improve the quality of the advice they’re able to give the general public.
It’s a short step from there to educating the public. In the security industry, there are many very bright people who believe that if education were going to work, it would have worked by now. They’re right: education is not going to fix this. And they’re wrong: technology isn’t going to fix it, either. Get Safe Online, about which Tony Neate talked at some length, is an initiative co-sponsored by government, law-enforcement and the commercial sector (notably the security industry), and seems to be prioritizing helping the man-in-the-street to take some of the responsibility for his own safety by raising his awareness of risk and his understanding of how he can reduce that risk. If you see that approach as an acknowledgement of a failure of resourcing, policy or technology, get over it. A very high percentage of Internet crime could be reduced purely by the application of common sense and a little knowledge of the (wicked) ways of the online world, and Get Safe Online is providing some well-thought-out resources for distributing that knowledge.
A survey quoted by Neate indicated that 34% of the survey population felt they knew the basics of infosecurity, and 35% felt that it's primarily their own responsibility to look to their own safety. That in itself seems to me to demonstrate the size of the challenge, but also shows just how necessary it is to try to meet that challenge. Security can't be purely the responsibility of the government, the police, the security industry, the ISPs, the public sector, private industry, or any permutation thereof.
And if you think it’s odd that someone with longstanding ties to a company marketing technological approaches to consumer safety should be advocating generic educational approaches, perhaps I can direct you to an example of a somewhat similar initiative in the US with which ESET North America has been heavily engaged for some years now.
It’s not my place to speak for ESET as a company (I'm just a consultant), or even for the security community in general (not everyone in the community agrees with everything I say!), but it seems to me that security companies are increasingly aware that in the context of what the World Economic Forum calls “risk and responsibility in a hyperconnected world”, responsibility goes beyond corporate balance sheet, and a degree of altruism and concern for the community is in itself a survival characteristic.
(Apologies to the many speakers I've not mentioned by name: I may not return to the topic of the conference itself, but I'll be digesting the information absorbed there for weeks to come.)
David Harley CITP FBCS CISSP
ESET Senior Research Fellow
*Photograph by permission of Small Blue-Green World