Roger Clarke's Web-Site
© Xamax Consultancy Pty Ltd, 1995-2016
|Identity Matters||Other Topics||Waltzing Matilda||What's New|
Notes of 10 January 2013
For a Presentation to the Oxford Cyber Security Centre, on 30 January 2013
Roger Clarke **
© Xamax Consultancy Pty Ltd, 2012
Available under an AEShareNet licence or a Creative Commons licence.
This document is at http://www.rogerclarke.com/EC/WS-1301.html
The supporting slide-set is at http://www.rogerclarke.com/EC/WS-1301.ppt
Security conversations involve considerable ambiguities about scope and perspective. Executives in government agencies and business enterprises, and their organisations' IT staff, focus on different parts of different elephants. Meanwhile, many security discourses are conducted at more abstract levels, such as industry sectors and nation-states. Ambiguities of scope and perspective hamper discussion and analysis. They also create challenges for empirical researchers: Which biases should be prioritised when selecting and framing research questions? Which unit of study is appropriate?
This presentation identities key aspects of various scope definitions of security, and teases out tensions among the perspectives and the players.
Within an organisation, IT staff tend to focus on on IT security, whereas people in the business areas are more concerned about information security. Executives, meanwhile, have concerns about the security of the organisation and its business, rather than merely about the infrastructure and information that support it.
A broader view considers the industry sector or (depending on the fashion at the time) the value-chain, supply-chain or strategic-partnership. A recent emphasis has been on sectors that operate 'critical infrastructure' such as transport, energy, water and communications.
Discussions of information infrastructure / 'cyber'-security are sometimes from the perspective of one or more categories of user, but may have a local, regional, national or universalist flavour. Meanwhile, a perspective that is all-too-often overlooked is that of IT infrastructure usees, i.e. the people whose security is affected by the use of it by other individuals and organisations.
Further questions about motivation and scope arise in relation to the concept of 'national security'. Dictators use security as a justification for content monitoring and censorship. Government agencies in less un-free countries do likewise, and share common ground with IP-dependent corporations. The term is also applied variously to public safety and prominent-person safety.
Law enforcement agencies have taken advantage of the enormous latitude granted to national security agencies, in such forms as communications surveillance by the NSA, GCHQ and their equivalents in other countries, the UK's mass traffic surveillance programme, and the US FISA powers over US cloud computing providers.
Leveraging off those 'ideas in good standing', social control agencies are trying to use 'public revenue security' as a justification for consolidating all data about each individual, and imposing singular identity.
Given that so many scope and perspective choices exist, it's little wonder that discussants on security topics so often talk past one another rather than engaging. Added to that, the interests of players at each level are often in conflict with one another; so mutual misunderstanding and mutual distrust pervade the field. Observers and analysts need to be armed with ways to recognise scope differences. Discussants who actually want to achieve understanding and progress need models and a dialect that overcome the ambiguities.
There are many different answers to the question 'Security of what, and for whom?'. Unless there is clarity about which aspects people are talking about, discussions about security can easily become confused. This presentation distinguishes several different scope definitions for security.
Within the computing and communications arena, the foundations of security are technical and relate to data on the one hand and information technology on the other. The scope is most commonly defined by the boundaries of the particular organisation by which, or for which, the data is processed.
In Australia, as in many others, security is seen by most organisations as a contingency not as business-as-usual. There is a strong tendency to suppress bad news, not only beyond the organisation, but within it as well. That makes it even more difficult to justify the investment and the ongoing expense that is involved in effective security management. The problem has been exacerbated by the outsourcing mania, which has resulted in IT and even data security being mostly 'out of sight, out of mind' and inculcating the attitude that 'we have people to do that kind of thing for us'.
Security events force themselves on every organisation from time to time, so there are occasional outbreaks of fervour for risk assessment, risk management, and security governance. But the flurries of enthusiasm are mostly too negatively oriented and too short-lived to result in a coherent and comprehensive approach to security safeguards.
Beyond the level of the individual organisation, industry sectors or value chains rely on inter-operability, and the member organisations are thereby exposed to one another's security weaknesses. There are also broader economic interests variously at local, national and supra-national levels.
Tensions arise between the various scopes of security. For example, a country's government may identify an organisation as being a provider of 'critical infrastructure', and seek to encourage, or impose, higher security standards. One particular concern is with Internet-connected SCADA, because of the vulnerability of telemetry and control data to unauthorised access, blockage or manipulation.
In Australia, a particular concern exists about zombie detection and eradication. The ISPs' industry association responded to government concerns and established a Code intended to alert customers whose devices were detected as being part of a botnet, while holding at bay the spectre of having to disconnect customers or intervene into their devices in order to clean up the mess.
There is always a moral minority that has desires regarding censorship - usually of pornographic or anti-religious materials; and those desires are closely paralleled by the desires of governments themselves to detect and suppress incitement to violence and instruction in violence (which in Australia are subject to the same regulation as pornography), plus whatever that government defines to be 'dissent'.
Many governments are seeking to directly intrude into the technical operation of the Internet and its use by organisations. The USA, EU countries, Australia and some others are working against the attempts, led by Russia and Middle Eastern countries, to use the ITU as a means of imposing much greater national control over Internet matters. Yet, at the same time, free countries are themselves meddling with Internet infrastructure, based on 'national security' justifications.
IP -dependent corporations have actively resisted the transition from the old world of controlled distribution of atoms to the current, networked-distribution of bits. They have used their poewr to bring pressure to bear on the US Administration, and hence on governments throughout the world, to permit music and video companies to intrude into network operations and to transfer enforcement costs from their own budgets to the public purse.
There are further scope definitions that give rise to additional tensions among competing interests. At the most remote levels, the security of human society as a whole needs to be considered (e.g. why have we not yet deployed asteroid protections?); and the security of the bio-sphere is a major concern (in particular, does the world yet have a coherent plan regarding green IT, and carbon tax-and-trade?).
A further important perspective is less grand than those, but is mostly overlooked. The missing scope is the interests of users outside organisations, and usees - i.e. people who are not themselves users, but who are subject to or are materially affected by particular data and IT. In Australia, one current issue in this area include data breach notification (in which the country is a decade behind the USA). A more important question, which has yet to reach the mainstream, is the need for civil and criminal liability for organisations and their Board members for failure to apply well-known protection principles and safeguards, and for the active design of insecurities into protocols, standards and products.
Electronic payments insecurity is emerging as a serious problem, in the mobile context generally, and particularly in relation to unauthenticated transactions using Visa PayWave and MasterCard PayPass. Also in dire need of attention are social media's seriously anti-social business model, and the associated unconscionable Terms of Service, and actual abuse of consumer data. The coming merger of Google and Acxiom will present yet greater challenges to consumers. Further areas of concern include the designed-in promiscuity of mobile devices, particularly in relation to their location, and abuses associated with smart meters. And smart meters are merely a harbinger of the threats that are embodied in the notion of the Internet of Things.
Even more sinister is the manifold incursions of 'national security' into both organisational and individual life. Key principles that are applied to privacy-invasive projects are Justification, Relevance, Effectiveness, Proportionality, Transparency, Mitigation Measures, Controls and Accountability; but since 2001 any initiative that is proposed by government agencies and labelled 'national security' has been granted exemption from these requirements.
Balance has been lost during the last decade of combined 'religious fundamentalist extremism' and 'national security extremism'. A vast array of social control mechanisms has been implemented and expanded, including data consolidation, identity consolidation, nymity denial, and surveillance in many forms, including of physical behaviour, human communications, data, location and tracking, and content experience and behaviour.
Differences of scope and perspective undermine many conversations about security topics. Serious analysis and research depend on clarity about whose security is being focussed on, and whose interests are and are not being considered.
This presentation further develops ideas first presented to the Danish Association of Security Professionals, in Copenhagen, in June 2012.
Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Cyberspace Law & Policy Centre at the University of N.S.W., and a Visiting Professor in the Research School of Computer Science at the Australian National University.
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.
From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 50 million in early 2015.
Sponsored by Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916
Created: 24 October 2012 - Last Amended: 10 January 2013 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at www.rogerclarke.com/EC/WS-1301.html