Cloud Engineer security

Cyber Security: A Never-ending Unwinnable War

USAF General William Lord in cyber security briefing
header photo Gen William T. Lord courtesy of USAF

The words Hague cyber warfare Treaty appeared fleetingly in my twitter stream this morning.

This really intrigued me. It brought visions of uniformed generals sat around a table at the United Nations signing fancy bits of paper. Over their shoulders were clouds filled with botnet armies – millions of compromised computers waiting for the command to strike, glaring ferociously at their opposite numbers.

There is a wonderful wealth of information out there on cyber warfare and security. For example according to Lt. Gen. William T. Lord, the US Air Force chief information officer, cyberattackers have shifted their tactics from trying to breach firewalls to penetrating applications and said the service has serious application vulnerabilities. “We have over 19,000 (information technology) applications in the Air Force,” he said, noting that Electronic Systems Center’s IT Center of Excellence at Maxwell Air Force Base-Gunter Annex, Ala., examined about 200 of them. “All of them had over 50 vulnerabilities.”

The incredible pace of introduction of new technologies is a serious problem to the military which likes to take years to develop and test anything it buys. It used to be that the army would be first to get advanced technologies that would one day filter down to peaceful applications. These days it is the other way round. The army must presumably end up using applications that have had little or no security testing but are considered worth the risk (I’m not speaking from personal knowledge or experience here).

The United Nations has in fact been giving this some due consideration – it would be negligent of them not to, fair play. Last week the UN published a document updating its position re disarmament and cyber warfare was covered in pages 12 – 20 (out of 42).

In the document the UN discusses possible solutions:

  1. The security of confidential as well as less significant information and networks
    A. Security updates should be applied to all systems
    B. A comprehensive disaster recovery planning should take place, which includes provisions
    for extended outages.
  2. The creation of an international treaty which includes:
    A. A concrete definition of cyber warfare which is ratified by all signatories
    B. A limitation on the usage of cyber weapons
  3. The establishment of an annual international platform, in which experts in the computer and
    cyber field from different countries may foster dialog with one another regarding the issue of
    providing measures to regulate cyber warfare
  4. Increased effort in raising awareness about the cyber warfare and the threats it poses for the
    world in its entirety

Most of this, treaty apart, is obvious stuff and to be honest suggests that the UN doesn’t really know what to do about it. Does anyone?  I would be hugely surprised if many government really signed up to it.  After all why would a government (naming no names) want to deny itself the ability to attack Iran’s nuclear programme using bloodless electronic means?

In any case nobody would trust anyone else not to develop cyber warfare tools – it would be nigh on impossible to police. This is unfortunately in my view a battle war that is being fought but that nobody can win. I bet the proposed annual international conference would be a very interesting one to attend though maybe not as interesting as the meetings that they don’t tell us about.

We’re all doooomed!

Business security

House of Lords inquiry into cyber security

Sub-Committee F (Home Affairs) of the House of Lords Select Committee on the European Union is conducting an inquiry into EU policy on protecting Europe from large scale cyber-attacks.

That opening sentence is, in my mind, a great example of beaurocracy in action. I will say however that actually this is a good subject for their venerable Lordships to be considering.

The European Union is very much concerened about “Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience” and in March 09 issued a 400 page Communication on this subject. I’m not about to read the 400 pages but an international approach to cyber security makes sense.

In fact we really need a global approach to many interent related issues: child abuse, fraud, online copyright to name but a few.  The House of Lords inquiry is in the “Call for Evidence” phase which lasts until 13th November.

The original doc is here >  Cyberattacks call for evidence 16 10 09.