Open Letter to Canberra: a cyber security policy briefing paper

Matthew Hackling

Matthew has over ten years experience operating solely in the area of information security, holds a Bachelors degree in security management from ECU and is also a CISSP. He is a former Account Director in Deloitte’s Security & Privacy Services practice. Matthew has led security testing teams on assessments of large core systems replacement projects for banking institutions. He operates more in the area of information security governance these days, despite his urges still stay a bit technical. Hence he plays with backtrack linux, metasploit and new web application security assessment tools in his rare free time. Currently he runs his own consultancy called Ronin Security Consulting and holds the title of General Manager of Security Testing at Enex TestLab. He is an active member of the Australian Information Security Association, and held the office of Melbourne Branch Executive for a number of years. Matt’s security blog is called Infamous Agenda and he is an active twitter user with the handle @mhackling

I just heard that Australia's top cyber security tsar hadn't heard of Tor, the privacy protecting software used by human rights activists and the privacy aware. Well Sachi Wimmer, this blog post is for you!

Here's a few things you should know—because common sense often isn't all that common.

1. The Internet has a lot of people on it. Approximately 39% of the 7.1 billion people in the world are on the Internet. About 27 per cent of those speak English. You have the ability to annoy perhaps 3/4 of a billion people. Don’t annoy the Internet!

There are millions of smart, bored and irritable people on the Internet. They will make fun of you, they may humiliate you or maybe even attack your systems, just for lulz.

Many people in other countries see attempts to militarise or nationalise the Internet by a particular nation as a call to arms. If you think you are smart, there is always someone out there on the Internet smarter than you.

2. There are criminals on the Internet, there are spies on the Internet, there are terrorists on the Internet. There are also businesses, mums and dads, kids, grandmothers, the disabled, and so on. Don't make life hard for the legitimate users of the Internet or remove their privacy.

Just because there are bad guys using the Internet doesn't mean you should treat everyone as a potential terrorist. We don't treat all citizens as potential murderers or put a CCTV camera in every home, we track down and prosecute murderers with no statute of limitations on prosecution and get warrants for searches from courts to gather evidence to support prosecution.

I suggest you empower and fund law enforcement to track down the bad guys with zero tolerance for serious crimes and treat people using the internet as innocent until reasonable suspicion is raised.

3. The Internet isn't like the "real world". Some things just aren't possible and don't have real world analogues. For example, encryption technology (pretty much complex math in the form of algorithms implemented in software) can secure communications from interception. The security of communications is necessary for electronic commerce to occur and to maintain the privacy of individuals.

Your citizens can even use encryption to bypass corporate attempts at thwarting net neutrality by geo-blocking content or slowing down less preferred communications protocols. The march of progress is unstoppable. Propping up out-dated business models through legislation holds back economic growth. If you can innovate with Internet technology you can have a global market beating down your door, driving rapid economic growth.

For example, any node on the Internet can connect to any other node. It means that it is possible to flood systems with excessive or erroneous data which can cause a Denial of Service. A common attack is a Distributed Denial of Service Attack, where many "zombie" computers—a botnet—under the control of an attacker send huge amounts of traffic to a specified target.

One problem with Denial of Service attacks is that if these attacks are at an application layer and communications are encrypted at an application layer, an intermediate party cannot easily identify attacks from legitimate application traffic.

Giving the government a master key for law enforcement intercept or an internet kill switch weakens the security of the systems, as parties better resourced and motivated than law enforcement will also look to gain access to these mechanisms.

It is important to note that the world is slowly crawling towards the next version of the Internet Protocol called IPv6 (the internet runs on IPv4). IPv6 has mandatory encryption built in.

4. Data can move like lightning over the Internet or it can move like treacle or be as immovable as stone. This is due to the size of data and the ability of technologies to transmit data. If data is too large to transmit, maybe t's time for "sneaker-net" where vast amounts of data could still be moved by foot on lots of tiny memory cards.

Bigger network connections may enable businesses models and technologies to become viable. For example, downloading your computer/tablet operating system every time your computer boots, creating a fresh clean secure new copy while keeping all of your data and applications on remote computers operated by others (the cloud) etc.

5. Data costs big money to store in a corporate context. If you wish parties to retain data, that data needs to be structured, managed, secured, stored and backed up in manner so that it can be easily retrieved. This requires people, planning and investment of precious working capital. There are also some really challenging technical and economic challenges that accompany it. It's a lot more complicated than you would think.

6. Beware corporations and their desire to create monopolies. Vendor lock in is a pet hate of IT professionals. Quality drops and costs go up when you are at the mercy of a corporation due to a lack of other viable choices.

Tags: cyber security

Show Comments