Roger Clarke's Web-Site
© Xamax Consultancy Pty Ltd, 1995-2013
|Identity Matters||Other Topics||Waltzing Matilda||What's New|
Version of 24 June 2012
Unchecked notes for a presentation to the Danish Council for Greater IT-Security and the Danish Society of Engineers (IDA), Subgroup on IT (IDA-IT), in Copenhagen on 25 June 2012, organised by Niels Christian Juul, CBIT, Roskilde University
Roger Clarke **
(c) Xamax Consultancy Pty Ltd, 2012
This document is at http://www.rogerclarke.com/EC/SforS-120625.html
The supporting slide-set is at http://www.rogerclarke.com/EC/SforS-120625.ppt
Available under an AEShareNet licence or a Creative Commons licence.
There are many different answers to the question 'Security of what, and for whom?'. Unless there is clarity about which aspects people are talking about, discussions about security can easily become confused. This presentation distinguishes several different scope definitions for security, and offers some thoughts from 'the end of the world' - as an Australian looking at Denmark, and in the apocalyptic sense.
Within the computing and communications arena, the foundations of security are technical and relate to data on the one hand and information technology on the other. The scope is most commonly defined by the boundaries of the particular organisation by which, or for which, the data is processed.
In Australia, as in many others, security is seen by most organisations as a contingency not as business-as-usual. There is a strong tendency to suppress bad news, not only beyond the organisation, but within it as well. That makes it even more difficult to justify the investment and the ongoing expense that is involved in effective security management. The problem has been exacerbated by the outsourcing mania, which has resulted in IT and even data security being mostly 'out of sight, out of mind' and inculcating the attitude that 'we have people to do that kind of thing for us'.
Security events force themselves on every organisation from time to time, so there are occasional outbreaks of fervour for risk assessment, risk management, and security governance. But the flurries of enthusiasm are mostly too negatively oriented and too short-lived to result in a coherent and comprehensive approach to security safeguards.
Beyond the level of the individual organisation, industry sectors or value chains rely on inter-operability, and the member organisations are thereby exposed to one another's security weaknesses. There are also broader economic interests variously at local, national and supra-national levels.
Tensions that arise between the various scopes of security. For example, a country's government may identify an organisations as having 'critical IT infrastructure', and seek to encourage, or impose, higher security standards. One particular concern is with Internet-connected SCADA, because of the vulnerability of telemetry and control data to unauthorised access, blockage or manipulation.
In Australia, a particular concern exists about zombie detection and eradication. The ISPs' industry association responded to government concerns and established a Code intended to alert customers whose devices were detected as being part of a botnet, while holding at bay the spectre of having to disconnect customers or intervene into their devices in order to clean up the mess.
Many governments, including that in Australia, are seeking to directly intrude into the technical operation of the Internet and its use by organisations. There is always a moral minority that has desires regarding censorship - usually of pornographic or anti-religious materials; and those desires are closely paralleled by the desires of governments themselves to detect and suppress incitement to violence and instruction in violence (which in Australia are subject to the same regulation as pornography), plus whatever that government defines to be 'dissent'.
The hopelessly slow maturation of IP -dependent corporations from the old world of controlled distribution to the current, networked-distribution era has seen pressure brought to bear on the US Administration and hence on governments throughout the world to permit music and video companies to intrude into network operations and to transfer enforcement costs from their own budgets to the public purse. A current serious concern is the attempt by the ITU to survive by playing to the interests of nation-states, and to exercise control over Internet technologies.
Other scope definitions are relevant as well. At the most remote levels, the security of human society as a whole needs to be considered (e.g. why have we not yet deployed asteroid protections?); and the security of the bio-sphere is a major concern (in particular, do we yet have a coherent plan regarding green IT, and carbon tax-and-trade?).
A further important scope definition is less grand than those, but is mostly overlooked. The missing scope is the interests of users outside the organisations, and usees (i.e. people who are not users, but who are subject to or materially affected by particular data and IT). In Australia, one current issue in this area include data breach notification (in which we are a decade behind even the USA), and the more important question of civil and criminal liability for organisations that fail to apply well-known protection principles and safeguards. Electronic payments insecurity is emerging as a serious problem in the mobile context, and with unauthenticated transactions using Visa PayWave and MasterCard PayPass. Also in dire need of attention are social media's seriously anti-social business model, and the associated unconscionable Terms of Service, actual abuse of consumer data. The coming merger of Google and Acxiom will present yet greater challenges to consumers.
Further areas of concern include the designed-in insecurity and promiscuity of mobile devices, particularly in relation to their location, and abuses associated with smart meters. And smart meters are merely a harbinger of the threats that are embodied in the notion of the Internet of Things.
Even more sinister is the manifold incursions of 'national security' into both organisational and individual life. Key principles that are applied to privacy-invasive projects are Justification, Relevance, Effectiveness, Proportionality, Transparency and Accountability; but since 2001 any initiative that is proposed by government agencies and labelled 'national security' has been granted exemption from these requirements.
Balance has been lost during the last decade of combined 'religious fundamentalist extremism' and 'national security extremism'. A vast array of social control mechanisms has been implemented and expanded, including data consolidation, identity consolidation, nymity denial, and surveillance in many forms, including of physical behaviour, human communications, data, location and tracking, and content experience and behaviour.
Denmark is the world leader in national identification schemes (CPR/CRS), in government-controlled communications channels between citizens and government (E-BOKS), and most recently in the extraordinary NemID scheme, which takes personal data consolidation to a new level, provides government with enormous power of the individual, and imposes trojan client-software on citizens' electronic devices.
Every country in the world is in danger of sliding into an un-free state, as a result of the triumph of national security extremism. No country is in a more vulnerable position than Denmark, because its government already has a comprehensive set of tools available that enable brisk implementation of despotism. There are tensions among the various scopes of security, but none are as serious as the tension between the dramatically over-exaggerated national security orientation and the security of society.
Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Cyberspace Law & Policy Centre at the University of N.S.W., and a Visiting Professor in the Research School of Computer Science at the Australian National University.
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.
From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 40 million by the end of 2012.
Sponsored by Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, 6288 6916
Created: 24 June 2012 - Last Amended: 24 June 2012 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at www.rogerclarke.com/EC/SforS-120625.html