One Last Thing

Confronting the Challenges of Cyber Security
SCOTT NEWARK  |  Mar 15, 2014

As anyone not living in a cave can attest, literally a day does not go by without some new revelation of cyber hacking, cyber attacking, cyber vulnerabilities or some new cyber surveillance scheme being perpetrated against ‘we the people’ by murky corporate interests – or our own, possibly murkier, governments.

Indeed, it is our very dependence on cyber technologies and (not so) ‘smart’ communications systems that makes the vulnerabilities and the threats that much greater. Public awareness of this anomaly probably started with the realization that the ‘convenience’ of the new cyber world also created a concurrent vehicle for vastly expanded identity theft by the bad guys. No worries, we were told… “just change your passwords.”

Perhaps the most alarming aspect of our cyber vulnerabilities is that there is clearly no single problem and, consequently, no single ‘solution’. Our cyber world is multi-faceted; from basic personal use to critical infrastructure operations (that affect us all), to third party holding of personal and financial data, to proprietary or sensitive data holding by industry and government. A cyber breach in each of these areas has obvious public consequences but, unfortunately, that does not mean that a single public regulatory response or even approach is going to work. And, the cyber world is, by definition, inherently and continually ‘modernizing’ itself to serve a consumer culture that is indoctrinated to believe that ‘change’ is always good. These realities make the challenge even greater – but also more urgent.

The cyber attacks on the Target retail chain and Nationwide Insurance revealed that the corporate entities holding our personal data aren’t always exactly forthcoming when it comes to telling us when their systems have been hacked. “Bad for business” appears to have replaced “the customer comes first” as a business strategy. Expect courthouse-step civil suit settlements with no disclosure provisions, which isn’t a long-term answer.

Then we were told that the manufacturer of one of the world’s most-used operating systems, Windows XP, has decided it’s not going to continue upgrading security for a product it sold to hundreds of millions of users, which means we all have to buy their “new” system or be exposed to a deluge of vulnerabilities. And, of course, we have to change our passwords.

The latest cyber vulnerability revelation is perhaps the most telling of all. It turns out that some ‘upgrade’ that was developed by a young computer programmer was accidentally defective. What makes this an issue is that, in the largely unregulated Internet world, this ‘upgrade’ was adopted into the operating cyber systems of technology providers around the world two years ago without anyone noticing the flaw. The defect, known as ‘Heartbleed’, allows unauthorized hackers to obtain data from users every time a communication between entities is made. In other words, a gazillion times a day… and it’s been going on for two years.

Warnings of cyber vulnerabilities and attacks on critical infrastructure facilities also continue unabated. It’s acknowledged that SCADA (operating) systems are vulnerable to a lurking Advanced Persistent Threat (APT) which awaits an activation command from the folks in Beijing or Pyongyang or God knows where else. Do we even have the technological capacity to detect such APTs?

Cyber espionage targeting industrial proprietary secrets and government information is a continuing reality, and the line between private and public consequences is often hard to discern. Complicating things even further is the fact that the bad guys are not just foreign state actors or their state-owned enterprise frontmen but also ‘non-state actors’ that include self-proclaimed enemies of the current world order.

The final cyber security area of public consequence is the growing realization that governments around the world, including our own, have been using modernized technological capabilities to gather, store and perhaps use personal information about their citizens (and others) without any meaningful independent oversight. It’s called ‘metadata’ and, while it’s not an interception of actual communications, it provides significant information to the state about a person’s locations, contacts and interests.

The importance of this issue should not be underestimated because privacy is intrinsically linked to liberty. While we always want to ensure the ability of the state to use technology to protect public safety and security, there must also always be defined grounds on which specified actions for specified purposes can be undertaken by a designated authority. And that action must be pre-approved in an expedited process (including telewarrants) by an independent judicial authority. This is really just modernizing our laws to deal with modernized technology while ensuring that balancing of interests occurs.

These are complex issues which require not only sector-specific solutions, but an asymmetrical approach to how they are designed, implemented and maintained. Newly introduced Bills C-13 (lawful access) and S-4 (copyright breach) will be opportunities to ensure we take these necessary steps and achieve meaningful results, because changing our passwords is not a long-term solution.

Scott Newark is a former Alberta Crown Prosecutor who has also served as Executive Officer to the Canadian Police Association and a Security Policy Advisor to the Governments of Ontario and Canada.
© FrontLine Security 2014