David Lacey's IT Security Blog

The National Journal has an interesting article on cyberwar, pointing out some of the opportunities and hazards associated with this new form of conflict. It's very different from anything we've seen before and it demands very careful consideration to avoid attacks damaging valuable business assets. It's also a very sneaky form of conflict. As I've often said, it's more the art of illusion than the science of sabotage.

It's also far too easy to trigger covert attacks. Minor, local conflicts can quickly escalate and cause global impact. In cyberspace, as John Suler points out in his online book The Psychology of Cyberspace, people can be tempted to go much further than they might in the physical world, exploring dark subjects, taking risks and becoming unusually hostile.

Cyberspace is a surprisingly dangerous medium in which to conduct warfare. Let's hope that future cyber warriors are alert to the dangers. 

The Global Security Challenge finals which took place at London Business School last week were a revelation to anyone who believes that security innovation is dead. There's certainly little imagination and innovation to be seen in the products emerging from big vendors and research establishments. But many breakthroughs are initially developed by clever individuals or small start-up companies.

So it's no surprise to find an impressive range of unique and imaginative new security solutions in the Global Security Challenge finals, which is specifically aimed at small enterprises. Many were game-changing developments, such as a technology that can detect liquid explosives in suitcases, a new form of lightweight body armor that can survive point-blank grenade attacks, and a video camera that takes such high resolution pictures that you don't need an optical zoom capability. The cyber security finalists were also impressive, including two technologies that offer a step change in real-time vulnerability management, using very different approaches. (I'll cover these in a later posting.)

So if this initiative is delivering the new security solutions we need, what else is needed? The answer is a lot more of the same. We need more attention and support for the SME and start-up sectors. Many of the finalists in the Global Security Challenge have less than half a dozen staff and exist primarily on research awards and prizes. Yet they have also managed to develop complete products and gain real customers. We need more pump-priming investment to stimulate these sectors.

Last week I was fortunate to have been presenting at a MIS Training CISO Executive Summit in Muscat. The Sultanate of Oman has long been my favourite business and holiday location. It's also a place where managers understand the importance of the human factor in business and security.

In the past, the people perspective has been low on the management agenda of Western organisations. The only time an executive board pays attention to staff is when they need a headcount reduction. But the business world has changed. Networks are empowering people to unprecedented levels of influence. We need to educate and listen to employees, customers and citizens, because the focus of decision making has shifted from the corporate centre to the front-line workforce. Managers, staff and customers are the engine of intellectual property generation, as well as the thin red line that safeguards these assets.

This is why I was highly impressed with The Sultanate of Oman's new information security awareness programme. It's a government sponsored, nationwide initiative, and it's tailored to the local culture. Madison Avenue executives might not be especially impressed with the simplicity of their images and messages. But they would be wrong. What counts for success is a good understanding, empathy and a resonance with the target audience.

From that perspective, Oman has set the bar for an initiative that other countries must also meet. There might be a wave of technology coming from the West. But there is also a wave of best practices in citizen education building from the East.

A few weeks ago I reported that I could sense a new, much more determined mood across the UK business community to embrace electronic channels to overcome the postal strike. You can really see the aspiration in the eyes of sales executives to turn a major disaster into a business opportunity. So what has the response been so far?

My contacts in Mimecast, a leading vendor of cloud-based email security services, tell me that they noted a 20% increase in the volume of email on the first day of the Royal Mail postal strike. In fact they've seen this level of increase before during previous strikes. So is this just a routine knee jerk reaction? Or is it something different?

In fact I believe we've hit a tipping point. Things are different this time around. One of the main characteristics of tipping points, as articulated by Malcolm Gladwell in his groundbreaking book on the subject, is the 'power of context', the particular conditions and circumstances of the time and place.

In this case we have several factors coming together. Firstly, there is a greater recognition that electronic channels are now the norm, rather than the exception, for many forms of business. Secondly, there are now plenty of easy-to-implement security products to help companies make the transition from snail mail to secure email. And thirdly there is less fear of deploying complex technologies such as encryption to solve business problems.

But above all, there is a new confidence that a paperless business environment is now a viable, as well as a desirable objective. Years ago, we used to joke that the paperless office would come after the paperless toilet. Perhaps we were mistaken...

It's hard to ignore the report by Northrop Grumman Corporation on the Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation, if only because of its size and authoritative style.

The title gives a hint as to what to expect: a lengthy, 88 page assessment which any good journalist or diplomat could have condensed down to a page with a bit of effort. Even Bruce Schneier has declined to read it, relying on his readers to pick out the salient points.

Written in the style of a military standards manual but littered with superfluous adjectives and acronyms, the report tells us that the Chinese are serious about cyber warfare and aim to penetrate our systems to steal information and perhaps change the data.

Yes, that's what we'd all assumed for many years. So what else is new? 

I've long argued that security should take note of lessons from the safety field, and there are a lot of important learning points set out in the Nimrod review. Many of these repeat the points made two decades ago by Richard Feynman following the Space Shuttle Challenger disaster. Unfortunately, it seems that either our memories are short or the learning points were not widely disseminated.

It's disturbing that we continue to make serious mistakes decades after we have discovered how to prevent them. Perhaps that's an inevitable human weakness. But what counts is that we fix these flaws when they come to our attention, and that we educate others in how to prevent future incidents.

All of these lessons apply equally to security. We can learn much from the model of safety culture spelled out in the report. As the report correctly points out, safety depends on leadership, culture and priorities. It is delivered by people, not paper, and it takes a whole community to ensure that we achieve it.

Big conference web sites seem to be evolving into on-line magazines. RSA Conference and Infosecurity Europe publish news items and blog postings all year round. During last week;s RSA Conference Europe, Dawn Erska of SolutionSet was circulating with a Flip video camera filming opinions from speakers and attendees. You can view her montage of clips on the RSA Conference web site.   

Not a week goes by without a news item about yet another breach of personal data. The latest one is a compromise of data on the Guardian newspaper's jobs website. I think we all agree that there's a pressing need for a step change in the standards we apply to the protection of personal information. That's certainly what was agreed by a group of experienced practitioners at a recent ISSA UK debate. The findings from that debate were written up and published in a white paper, supported by former Home Secretary, The Right Honourable  David Blunkett MP. It's essential reading for anyone working on systems handling sensitive citizen information.

I was intrigued to read that the equivalent of $144 million was traded in the second quarter of the year on the LindeX, the official currency exchange of Second Life. This growth reflects the increasingly virtual nature of money in an information age society.

I've long taken the view that, progressively, the most significant assets in an enterprise will be hard-to-value, intellectual assets, residing in perception, information flows and relationships. Safeguarding these assets requires a very different mindset and approach to locking up physical assets.