Parliamentary evidence: UK National Security in a Digital World inquiry
This joint response to the consultation recommends:
- A socio-technical approach to improving the state of cyber security and upgrading it to the level we deserve.
- The foundation of acceptable definitions and actionable metrics so that the state of cyber security can be observed and kept in line with national requirements.
- That legislation better defines responsibilities and liabilities for cyber security and removes the false division between information and communication technologies.
- That amongst the legion of technologies, and their often unintended consequences, there are some basic principles that define cyber decency.
- That cyber – which has gained a foothold in the lexicon of computational devices, security, and digital technologies – returns to its roots in cybernetics to recover from the period of inevitable risk we live in.
1. The types and sources of cyber threats faced by the UK
1.1. Of all the cyber threats that we face, the challenge of talking about ‘cyber’ so that it is understood by all stakeholders may be the greatest.
1.2. Even the terms cyber and security often provoke such discussion as to halt the work being done to cope with them. A common lexicon of threat – and its actors – requires curation that is sensitive to the conundrum that, whilst good definitions are required, there will remain portmanteau terms – like cyber security itself – that must be judged by how we deal with their impact, rather than become divisive through pedantry. Strategy – from national to personal – requires this lexicon so that it can be honed as to what is within the power of individuals and agencies to counter alone, and so that collaboration and cooperation become a natural progression rather than being delayed by the debates of boards and committees. The Institute of Information Security Professionals (IISP) has observed the difficulty organisations have in rising above their corporate culture to provide a sufficiently reflexive response. The adversaries are not constrained by the moral and ethical dampers of governance and do not need to follow decision rights or escalation paths before acting.
1.3. Simultaneously – and this is perhaps the irony and the challenge of the perpetual fight of good versus evil – there is a requirement to mimic the model of wave-particle duality, so that defenders can both work to the professional code of practice we expect from legality and strike with the same vigour and tenacity as criminality. Confidence in the ability to act without repercussion is paramount, without resorting to cyber vigilantism.
1.4. To this end, any defined taxonomies of cyber security need to be constantly revisited (Ashenden and Barnard-Wills, 2012), and dogmatic obsession with ‘who’ should be second to timely action – by humans, machines, or a combination. And all this within a state of forensic readiness (Rowlingson, 2004).
1.5. The classification of threats, and the countermeasures called on to mitigate them, are being labelled with the ‘cyber’ epithet in an unhelpful way: it separates the risks of Internet-borne threats from other threats of crime committed through devices with computational capabilities. The label of hacking is used in educational circles both as an art of good work in information and computational technologies, and as a description of computation that is unexpected from the point of view of the system owners.
Figure 1: The period of inevitable risk
1.6. We live in a period of inevitable risk (Figure 1) where the threat will require ever-increasing levels of reaction to attack, through feedback, until trustworthiness and security become business as usual for our software developers and system integrators.
1.7. The simplest taxonomy of threat – which should not distract from the impact that the open-season on poor systems designs and maintenance allows – seems to be:
- International, such as hostile governments.
- Organised crime groups ‑ including ‘Hackers for Hire’.
- ‘Script Kiddies’.
- The betrayers of trust such as employees, social circles, and even family members.
- And those who may be classed as ‘Other’ in a world where the taxonomy of threat is itself threatened by emergent risk such as dual-use technologies as well as the blatant misuse.
1.8. Each threat actor will have a different motivation and end goal when entering the cyber crime arena, and as such will continue to deploy differing methods – whose complexity may defy simple modelling – to achieve successful action on their objectives, with rewarding results and within timescales that they find attractive.
1.9. We must not allow ourselves to be overshadowed by the thought that personal information is the nirvana. Information systems must remain in a safe state whether they contain the metadata models of the would-be beneficiaries (or, all too often, the victims) or directly control the cyber-physical, such as the so-called Internet of Things, transport, power generation and other utilities, or other areas of process control. We continue to make our own threats by failing to devalue our data. If stolen data is not actionable, it loses its intrinsic value and demotivates the criminals who might otherwise covet it.
1.10. So we see the straightforward – as well as the ingenious – attack vectors comprising any one – or a combination – of these (at a high level):
- Facilitation of gaining/moving monies.
- Gathering of Information.
- Disruption of services.
1.11. At the less macroscopic level, these attacks are characterised by distributed denial of service (DDOS) and by data that is corrupted or held for ransom; but whilst we prepare our ontologies and semantics, the adversaries are exploiting the new – or classically ignored – vulnerability and escaping with our assets, or with their integrity.
1.12. International groups remain highly skilled and enjoy a business model which encourages them to hire out their services (often run from the resources of the innocent) to disrupt and/or gather information. At worst they protect their own computing power to conduct these attacks without outsourcing, and have the luxury of remaining unbound by timescale, which nurtures their tenacity. At best they enjoy a self-defending network that is able to move from a compromised to a fresh position with a nimbleness that would be the envy of most business continuity planning. They can play the long game and deploy the ‘long con’, as well as focusing on short, sharp, instantaneous attacks.
1.13. Criminal skill levels vary greatly. Hacktivists will target those that they see as pursuing a course of action contrary to their agenda. The supply chain is complex: a simple furniture manufacturer may face the wrath of an activist group that is targeting it as a proxy for its better-defended clients. The so-called politics of post-truth, and the difficulty of unsaying or dissecting soundbites from social media, provides a breeding ground for those with access to promulgate their messages without being tempered by traditional social norms. Organised crime gangs generally focus on applying cyber techniques, in whole or in part, alongside conventional criminality, either to gain monies through fraud or to launder the proceeds of other crimes. These gangs will often outsource to hackers for hire on the ‘dark web’. The controlling factor in their ability to commit more overt cyber attacks is how much money they are willing to pay the hired hackers, so attacks of this nature are often less sustainable. The irony is that our protection comes from disharmony in the criminal infrastructure, not from our own efforts to suppress and redress.
1.14. Script kiddies often lack affiliation to any particular group and commit cyber security breaches more for kudos than anything else. Their dubious successes usually come through the gateway of neglect by systems administrators or product developers. They will usually rely on third-party ‘apps’ (application programs) with the aim of disrupting and/or gaining information. This may be with the false notion that attacking a rival in a gaming environment – using tools outside the game creator’s intentions – is just a bit of fun. They often only become aware that a denial of service attack on another player, launched to win an edge, is an unequivocal offence under the Computer Misuse Act when officers arrive with a cease and desist order. Others will be less fortunate, depending on the target nation of the ‘bit of fun’. This creates a compound threat: distraction, and the continued glamourisation of the ‘hacker’ label as an epithet of glory rather than a badge of dishonour.
1.15. Employees are a common cyber threat: taking customer lists when leaving a company in order to steal those customers, using the computer systems to conduct fraud of varying levels of complexity, or taking revenge for dismissal or for being passed over for promotion. This is perhaps one of the most sensitive areas of threat, as ‘opportunity makes a thief’ and changes of personal circumstance – which may lead one into temptation – are hard to measure morally.
2. The effectiveness and coherence of the strategic lead provided by the National Security Council, Departments, agencies, and the National Cyber Security Centre
2.1. There is a cultural tendency to expect ‘the government to do something about it’, and this is not a bad thing. However, the government cannot provide the variety required to stem the innovation in the threat, nor can it provide the pinpoint protection required by individuals, families, and small businesses who rely on digital devices – and increasingly so – to live their day-to-day lives.
2.2. We are not approaching a state of cyber security because we have abandoned governance to an ever-increasing complexity of controls. We have stolen the word cyber from Cybernetics and abandoned all that it stands for (Williams, 2013). We won’t achieve a state of security, and we won’t enjoy the confidence of a managed singularity, until we embrace Cybernetics and move from cyber security absolutes to the near-organic models of cyber operations.
2.3. Cybernetics is a matter of control and communication through feedback (Wiener, 1948). Cybernetics teaches us the natural law of requisite variety (Ashby, 1957): if we are to defend ourselves against N threats we must have N, or more than N, controlling countermeasures.
2.4. We have created – and continue to create – more and more information and cyber security control sets (Table 1). We allow our developers to switch them off whilst they innovate, and then bolt the countermeasures on afterwards. Security controls in modern computing platforms are often not enabled, or are bypassed entirely to increase performance or improve usability (NCSC, 2016). It cannot be the case that security controls are an afterthought in development programmes, and the government must continue to champion the ‘secure by design’ principle.
2.5. We are reminded that all models are wrong but some are useful. And what are code, our connecting technologies, our end points, and our processors, but models of where we want to be and the transformations that we want to achieve? We operate in a quagmire of obsession with personally identifiable information, folded up as somebody else’s problem to the extent that we shall continue to need an entire dedicated centre to suppress the risk (as long as we remember that it is still everybody’s problem, not theirs alone). It has taken the threat of fines under the General Data Protection Regulation to encourage wider embracing of the fundamental risk management principles that ISO standards have always implied, and that have only recently joined the UK’s IASME standard in becoming explicit.
| Number of controls | According to |
|---|---|
| 4 or 35 | Australia, 2012 |
| 5 | UK, HMG, 2014 |
| 20 (headings) | SANS, 2013 |
| 113 controls | ISO/IEC 27001 (2013) |
| 460 pages | NIST, 2013 |
| 12 ‘portmanteau’ requirements | PCI DSS, 2016 |

Table 1: So many controls to choose from
3. Learning points drawn from the first Cyber Security Strategy and the fitness for purpose of the second Cyber Security Strategy
3.1. The results of the first cyber strategy can be – and are – measured by ‘weight’: the number of Academic Centres of Excellence for Cyber Security Research, the number of companies certified to Cyber Essentials, and so on. We have yet to produce the metrics that would draw an actionable ‘cyber security state of the nation’ and therefore serve as a barometer of whether we are ‘the safest place’. In our period of inevitable risk (Figure 1) the results are likely to be unpalatable on the respective political watch, but this is a time when the direction of travel and the measures of change become the key performance indicators of success.
3.2. Although denigrated by many in the field who do not appreciate its subtlety and potential, Cyber Essentials is a remarkable step forward in that it charts the first steps to be taken amongst the variety of ways to implement cyber security. It has answered a most pressing question against the threat landscape: where does one start to make a difference to be safer online? It has been shown (DTI, 2005) that standards contribute significantly to the economy of the UK, and if the lessons learnt that are codified in standards are not championed then undesirable outcomes follow (Swann, 2000). Cyber Essentials – as an audited scheme – has penetrated the business sector in both a disappointing and a pleasing way simultaneously. It is disappointing that more organisations and businesses have not taken it up. However, it should be noted that the uptake has been faster than that of any other security standard to date. This is likely to be a combination of its relative simplicity, its adoption of a pragmatic assurance framework grounded in the researched and tested IASME standard (which is achievable by even small and medium-sized enterprises), and the demand for compliance in certain invitations to tender.
3.3. It is disappointing that some practitioners in the professional information security community deride Cyber Essentials as a self-certification scheme and in so doing miss the point: it is about people doing good things to be more secure online, not about a certificate. It falls well within the category of the ‘marginal gains’ popularised by the British Cycling Team. Its ‘5-a-day’ simplicity must be protected, and more must be done to encourage technology product providers, system implementers and integrators to build the Cyber Essentials controls in, rather than expect them to be set up afterwards (often by customers who cannot be expected to have the requisite skillset).
3.4. There are suggestions of metrics in the revised strategy and this is good. However, these metrics are not well defined, through no fault of the authors of the strategy: measuring security is still an area of research, and this work must be encouraged as a matter of urgency. Without it we cannot have the dashboard of success needed to define our objectives for national cyber safety, and we will only be able to guess at the levers we must pull to effect better results.
3.5. Those wishing to promulgate the research and development supported by the first cyber security strategy are still challenged to find a culture in which (a) the good practice of standards is not all about ticking the boxes (box-ticking is what you would do if you wanted to defraud your clients by claiming to maintain security as they would wish), and (b) standards are not treated as binary – you either comply or you don’t. If we say that (b) is true, it is a gross simplification not only of the actuality but also of the potential to learn from the good things codified in standards. There may be thousands of ISO/IEC 27001 certificates (it should be many more) and there may be thousands more companies certified to Cyber Essentials (q.v.). Experience shows us that the ISO/IEC 27001 certification process can be so flawed that a certified organisation fails a test for HMG’s Cyber Essentials. Line all the certificates up against each other and we find the greatest resilience opportunity. The UK has produced stalwart work to underpin future resilience. It must not be lost.
4. Whether the UK has committed sufficient human, financial and technical resources to address the scale of cyber security challenge
4.1. We lack the skills, but we are in more danger from trying to address the skills shortage by encouraging the specialisation of cyber security rather than realising that security is just one of the necessary quality attributes of technology. There is no doubt about the good that will come from training specialists and finally realising the strength in neurodiversity, but we are setting ourselves up to fail if we do not establish our education, training and ethos so as to make good behaviours ‘business as usual’, and build systems to complement the too-often lamented human frailties of trust and our susceptibility to deception.
4.2. The Internet has evolved with the good intention of offering communication and exchange of data. It does this very well in the main. However, a lack of attention to deriving its non-functional requirements has left us with numerous inbuilt weaknesses which cyber security as a discrete discipline cannot hope to fill, or even fully counter. We cannot expect the infrastructure to be rebuilt, and one may expect the penetrate-and-patch culture to pervade any successor.
4.3. The conventional wisdom of law enforcement for locating and prosecuting offenders – the principles of following the money and tracing communications back to their source – has been obfuscated by technologies designed to assure anonymity and discourage attribution. Technologies such as blockchain and Tor (The Onion Router) have become inevitable denizens of dual use, supporting the perpetrators of cyber crime in operating from a position of relative security (sic!). Offensive capabilities are limited, and any defensive methods involve taking greater control of the Internet environment, which is counter to the culture we expect and indicative of political cultures that we abhor.
5. The development of offensive cyber capabilities and the norms governing their use
5.1. Offensive cyber capabilities are well established but carry the double-edged sword of being seen as the tools of the miscreants. Malware, botnets and the like used by cyber criminals have demonstrated their effectiveness. They are easy to use and easy to obtain. However, current legislation forbids their use in most circumstances, and for good reason. Under section 1 of the Computer Misuse Act 1990 a person is guilty of an offence if:
- they cause a computer to perform any function with intent to secure access to any program or data held in any computer, or to enable any such access to be secured;
- the access they intend to secure, or to enable to be secured, is unauthorised; and
- they know at the time when they cause the computer to perform the function that that is the case.
5.2. Section 10 includes an exemption relating to powers of inspection, search or seizure, but this would appear to apply to search warrants and to examination after seizure under a lawful power. The Regulation of Investigatory Powers Act 2000 (RIPA) does allow law enforcement agencies to access communications data, and this is monitored to a high level in order to balance a person’s right to privacy against the prevention of crime and the arrest of offenders. But this leads us into whether the data held in a computer is a communication, and it refers to the data’s interception as opposed to any offensive cyber technique. Intelligence becomes unobtainable unless the target data is overtly catalogued.
5.3. Part II of RIPA grants clear law enforcement powers for surveillance using a computer, given the correct authorities. But this would only cover such things as malware or a remote access Trojan (RAT) used to view information held within the computer. It does not support the more aggressive methodologies that are used against the law-abiding, such as an offensive DDOS, encryption of an offender’s computer to prevent further offences, or even access to remove software or data that links a machine to a botnet. The levels of authority for this action are high, such as a chief constable or the Home Secretary: governance that is asynchronous to the speed at which the criminals can operate. A further distribution of authority – perhaps to a suitably cyber-aware judiciary – could be more responsive and appropriate. Timely sharing of intelligence through the security services, law enforcement and, eventually, the Cyber Security Information Sharing Partnership (CiSP) would strengthen our defences.
6. Ways in which the UK Government can work with the private sector to build cyber resilience and cyber skills
6.1. This requires attention to computing resources, complementary skills, and outreach to those who should not be expected to acquire responsibility for their online resilience to any great degree beyond having access to the right people and resources.
6.2. Cyber resilience may be a war of attrition based on who controls the most computing power. Many connected computers are stronger than one, hence the success of DDOS attacks, Beowulf clusters (although they are limited) and botnets. We must consider how computing power and resources can be put to best use. Licensing of cyber security professionals may be considered as part of greater professionalisation, and chartered institute status should be awarded to the IISP. A skills model across a spectrum that recognises competencies, qualifications and experience, built on the current industry model, requires nurturing.
6.3. Resilience may be established through the quality of hardware and software configuration, but people – far from being the ‘biggest problem’ – are key to the solution because we are part of the variety; people power, if you will. It is the national centre (NCSC for the UK) that analyses, informs and takes action. It is the parents who take an interest in their child’s online activity and take action; it is the business people who work out how to recover from a breach and take action to test their plans. Cyber security is people identifying their data treasures, protecting them, detecting and deterring the criminals, nursing those struggling to cope, and responding to – and recovering from – cyber attacks of every nature. But how do we communicate the route map to that state with all the pathos needed for it to be absorbed? There’s the rub. The cyber security of networks is an art which cohabits with the science of cybernetics – or at least has to, if we are going to afford any certainty of resilience at all from our technology outcomes. That is where the term ‘cyber’ originated: a genuine approach to science rather than the flimsy psychedelia of cyberpunk that distracts so much of Internet fashion. So, in the absence of complex, managed models, we need to look at slices of reality that we, with our Miller-limited consciousness, can handle, and see the marginal differences that can be made. We must look to the community, embed the skills of the defenders, and make safety online the sixth sense of every man, woman, child, and device. Safe online becomes a state, adjusting itself in electronic homeostasis, and a state in the societal sense of communities and nations. ‘No man is an island’, the poet reminds us (Donne, 1624). Let us update his view and be conscious that each man’s hack diminishes me, for I am part of the network. So ask not for whom it is a vulnerability…
6.4. Some form of community outreach is needed for the vulnerable, such as the elderly, who are increasingly involved in an interconnected and ‘cyber’ world without the knowledge to protect themselves. Local libraries could take on a new role as cyber hubs.
7. The balance of responsibilities between the Government and private sector in protecting critical national infrastructure
7.1. The theft of records from the United States Office of Personnel Management (OPM) was a tragedy for each individual whose personal information can become the weapon of choice in fraud, either directly against them or, unwittingly, to impersonate them in perpetrating fraud against others, with the subsequent angst of restoring reputation. However, its greater danger may arise from the modelling that criminals – or, more likely, enemy states – may derive from it to identify the day-to-day operations of federal America, understanding how personnel are deployed and the access to sensitive information they are likely to have.
7.2. It is this challenge we will see – and already have seen to some extent – in any adoption of the Network and Information Security Directive (or similar principles in legislation). The recording of national infrastructure – which might otherwise have remained in obscurity – could itself become the attack vector, as suppliers into national infrastructure take on registration and breach notification requirements, supplying potential for wider infiltration and intelligence to actors on the threat list.
7.3. The model for these responsibilities requires attention to:
- Responsibility and authority for cyber security.
- Cyber security risk management strategy.
- Acquisition: implementation and operation of information and cyber physical systems.
- Conformance to good practice and forensic readiness.
- The part of stakeholders, the systems’ thrall, and the supply chain in the realisation of psycho-cyber, balanced systems.
8. The appropriate role for Government in regulating and legislating in relation to cyber both nationally and internationally
8.1. Cyber security measures must be agnostic to changes in the political landscape, both recent and future. It is an unfortunate observation that any individual, community, or nation can be held under cyber siege by criminals and nation states who remain distant from their homes and borders. The Government should of course take advantage of existing agreements where they are in place, but recognise that instability in international relationships will be taken advantage of by those who wish to exploit the impunity it affords for ‘traditional’ as well as cyber crime.
8.2. The Government should recognise that there is probably very little that can really be classed as cyber crime; rather it is the age-old ignominy of theft, fraud, and physical harm perpetrated using digital devices as tools within the process of felony. We have seen attacks on epileptics and know the potential to interfere with medical devices. The psychological effect of data theft itself has reportedly led to death. History has shown – in instances like the Therac-25 radiotherapy machines and the California telephone system – that small- and grand-scale death and disruption is merely a malfunctioning system away. As the insurance industry develops its offerings in cyber liability insurance, the regulatory regime must mature its attention to the liability of technology providers to supply safer technologies. This has become even more prominent with the society-wide vulnerability to cyber attack caused by the so-called Internet of Things. Principled work has been done in this area (Jones and Price, 2016) and needs to be developed for adoption.
8.3. Cyber attacks on our peace of mind, and on the computational or digital devices associated with it (whether they are connected or not), have become de rigueur components of the processes that form models for illegitimate activity. Where once there may have been a pool car and a selection of number plates, or a cache of weapons for purchase or hire, criminals who do not have the wherewithal to program their own cyber weapons can now hire them from elsewhere. The government must engender a society of care, caution, and legal means to counteract these nefarious cyber supply chains of illegality.
8.4. Cyber crime is cross-border. An international stance on cyber security is essential and achievable. Broad opportunities for collaboration need developing, as the speed of the technology life cycle and of cyber threats measures unfairly against the speed of political decisions. As the UK realises its aspirations to be the best place to work and live online, the counter-argument is that we need good intelligence and understanding in dealing with the enclaves which are the worst places, and with the pathways from them that invade the legitimate communities.
8.5. Innovation in legislation needs to become as responsive as innovation in technology. We have yet to bridge the gap across the well-obfuscated boundaries between information and communication technologies: boundaries that either no longer exist or need to be redefined in an adaptable layer model that can be used as a universal language. We need to set ourselves a high-level set of principles, beyond which we would be acknowledging a risk appetite beyond the capabilities of citizens, security and law enforcement, and military services to digest its outcomes. The principles – which form the foundation of cyber decency (Dresner and Jones, 2014) – would do well to be no more complex than:
- An information system may not store, process or transmit an information asset in such a way that will allow harm to come to that asset, the subjects of the information asset, or the thrall of that system, or through inaction or negligence, allow any of them to come to harm. (Protect)
- An information system must only store, process or transmit an information asset as instructed by its builders or operators and by owners or custodians of the information asset with which the information system interacts, except where such orders would conflict with the First Law. (Operate)
- An information system must protect its own existence as long as such protection does not conflict with the First or Second Laws. (Self-preserve)
9. How the UK can co-operate with allies and partners on the development of capabilities, standard setting and intelligence sharing.
9.1. We try to model abstract architectures of security, and all such efforts must be encouraged because you never know where the next lever that will move the world will emerge from. But rather than only looking to fill the half-empty glass, let us rejoice in what we already have in it. As we try to understand the highly visible, we overlook the understated. Consider the island – and politically island-like – communities. They are not worlds apart but rather worlds in part. They are used to siege and to fighting invaders. Local knowledge is adapted, creating an ecosystem that allows requisite variety but feeds back the lessons learnt. The idiosyncrasies – and the attitude of the community – protect them.
9.2. We have been casting our net too wide for too long. The models we need are small and scalable, not huge. We can find enclaves standing up under siege with a tenacity that no one can help but be inspired by. Our challenge is to embrace people power, codify the tacit and release the explicit into our digital lives, using the technologies we can build on now and develop for the future.
Written evidence presented by:
- Dr Daniel G. Dresner FInstISP, University of Manchester; Research Director – IASME Consortium
- Thomas Chappelow, Principal Consultant, Data Security People
- Melanie Oldham, Chair of the Yorkshire Cyber Security Cluster
- Ryan Mackenzie, Greater Manchester Police
- William Roebuck, CEO of E RADAR
Ashenden, D. and Barnard-Wills, D., Securing Virtual Space: Cyber War, Cyber Terror, and Risk, Space and Culture 15(2), 110-123, 2012
Department of Trade and Industry, DTI Economics Paper No. 12, The Empirical Economics of Standards, June 2005
Dresner, D. G., Jones N., The three laws of cyber and information security, CyberTalk issue 6, November 2014
The IASME Consortium, The IASME Standard for Information and Cyber Security, Issue 4.0, 2016
Jones, N. and Price, N., Security, safety and trustworthiness in: Smart-living, IAAC 2016
National Cyber Security Centre, Secure by default platforms white paper, September 2016
Rowlingson, R., Ten steps to forensic readiness, International Journal of Digital Evidence 2(3), Winter 2004
Swann, G. M. P., The Economics of Standardization, Department of Trade and Industry, 2000
Wiener, N., Cybernetics: Or Control and Communication in the Animal and the Machine, Hermann et Cie, 1948
Williams, C., The army of redress marches again, Cybertalk, April 2013