Future Trends Archives

December 19, 2006

Truth, Lies and Perception

The highlight of yesterday’s 17th Hewlett-Packard Colloquium at Royal Holloway University of London was an excellent talk by Ian Curry, CISO of Reuters, which gave a fascinating insight into what Information Security means to a top Information Provider. As Ian put it, we are on “the cusp of a fundamental change in the way we consume information”. And Reuters, like all media companies, must re-invent itself to respond to the revolution in personal communications generated by the Internet.

For Reuters, amongst other things, this means becoming more of an editor of privately generated news items (like mobile phone photographs) rather than relying solely on a private international network of trusted reporters and photographers. It also means taking great care to control the integrity and accuracy of its information. Because a single, doctored image discovered by the Blogosphere might be spun into a crisis of confidence. It’s a real challenge but a great opportunity for Information Security. It will involve, for example, exploring new technologies that might help confirm the provenance and accuracy of text and images. But at the heart of it all is the importance of strengthening and maintaining Reuters’ core values of independence, freedom from bias, integrity and accuracy. Because your reputation is only as good as your last story or photograph.

As a futurist, I’m always interested in the long-term impact of new trends. So what’s my take on the future of News? Well, personally I’ve always been cynical about the doomsayers’ claims that real news might eventually die. If you’re interested in their line of reasoning then you must watch the flash movie EPIC 2014, a classic, visionary piece of work, which introduced the word Googlezon to the English language. But this is the same logic that predicted that Movies would kill Theatre, that TV would kill Film, that Video would kill TV, etc. Old media don’t have to die, they just need to adapt their business model and marketing.

December 29, 2006

Security Forecasts for 2007

It’s getting to that time of the Season when many of us look ahead to a New Year with mixed emotions of hope, fear, uncertainty or just plain boredom. What will 2007 bring? Will it be more of same? Will it herald a new age of prosperity or danger? Here’s my Top 10 Security Trends of the coming Year.


January 5, 2007

Real Crime in the Virtual World

I’ve already commented on the possibilities for Identity Theft in the Virtual World. Now it seems that people are waking up to the possibility of Money Laundering in the Virtual World. I’m continuing to watch sites such as Second Life with great interest, as increasing numbers of real investors invest in virtual real estate (now there’s an interesting juxtaposition of adjectives). And real media companies, such as Reuters, establish wire services to report real events in the virtual world.

It all makes me wonder how long it will be before the Revenue start to tax the virtual but real profits. And of course it’s just a matter of time before we establish security, intelligence and law enforcement functions to police this brave new world.

January 28, 2007

Moore's Law and Security

Intel’s announcement that they will start manufacturing processors with transistors 45 nanometres wide means that Moore’s Law remains intact. For several years pessimists have speculated that this law is beginning to break down. Clearly this is not the case. For as any student of the future will tell you, technology doesn’t develop in straight lines or follow steady curves. It evolves in leaps and bounds. As the legendary Richard Feynman, a nuclear physicist, once put it “There’s plenty of room at the bottom”. There’s also a good deal of inefficiency in many legacy platforms and systems. So improvements can and will continue at an unpredictable pace.

What does this mean for Security? Not much for the short-term. But faster computing means a change to the balance of threats and capabilities. It means better monitoring, easier compliance, faster cryptography and quicker codebreaking. It also means new opportunities to junk expensive, slow legacy systems and install secure protocols and authentication systems. So all security professionals should keep an eye on the future. After all history shows that it can take the best part of a decade to replace deep-seated algorithms in legacy infrastructure.

February 10, 2007

Planning for The Future

Last week’s highlight for me was a trip to the Channel Islands to lead a one-day Sapphire masterclass in planning for the future. I must admit I do enjoy these sessions, as I always learn something new from the delegates. This class was especially good because the audience was smart, experienced and quick to grasp planning concepts and techniques.

I’m a great believer that the future of technology and security is fairly predictable. Amongst other things, that’s because the trends are strong and consistent. It's also because new technologies take many years to research, develop and productise. So we can see what’s in the pipeline if we take the trouble to look. You’ll also find that the opinions of most IT and security professionals are surprisingly consistent.

So what does the future hold? What kind of world are we heading for? Well that would require far more space than this blog posting because the future is very rich. But in general I can tell you that if we survive the expected Avian Flu pandemic, then we can expect a richer, healthier, more connected and highly automated world. But security will be very different. So my advice is to start planning now for the future because existing approaches might not survive the current decade.

February 12, 2007

The Future of Standalone Security Products

Mark Twain once commented that “reports of my death have been greatly exaggerated”. And so it might prove for standalone security products. At last week’s RSA Conference, Art Coviello predicted that vendors of such products would disappear within three years. As President of RSA, he’s always guaranteed a plum platform at the Conference to promote his latest views. And he does have a point. Users do prefer broader, integrated solutions. And having been absorbed by EMC, RSA can vouch for the fact that bigger vendors are keen to respond to this market demand.

But the fact remains that not many integrated solutions deliver the most effective solution. Even established technologies such as IPS are far from commodities. They vary tremendously in their capability and effectiveness. And if you look ahead, you can see a raft of specialist, unique security technologies in the R&D pipeline.

Expecting big vendors to maintain a comprehensive portfolio of the latest, best-of-breed security solutions is likely to remain wishful thinking. Perhaps that’s what Art was really thinking when he said that “instead of working to perfect security we should be working to reduce business risk”. Because the main difference between business risk management and security is that the former generally operates at a higher level and rarely bothers to delve into the finer details of a technology solution. And with new attacks of increasing sophistication on the cards, it would be a fatal mistake to assume that all security products are equal.

February 17, 2007

Consolidation or Proliferation? The Future of Security Products

On Thursday I attended an excellent seminar organised by Comsec Consulting, a company that is relatively new to the UK but with a long, pioneering history in Israel, The Netherlands and Japan. Nissim Bar-El, their CEO, is a well-known international figure in the Security world. Over the last twenty years he’s been quietly building one of the largest IT Security consultancies in Europe. You can see him on the front cover of the current UK edition of SC Magazine.

At the seminar Nissim raised the issue of complexity arising from the proliferation of security products – more than 700 at the last count – and highlighted the difficulties this presents for customers. Could there and should there be a consolidation of products? ZDNet and RSA amongst others have predicted this. A few postings ago I commented on the future of single point solutions. But as it’s a hot topic, I thought I’d add a few more points and a little extra analysis of what might happen and why.


February 28, 2007

Are We Ready for RFID?

There's a sense of déjà vu about this week's Black Hat Conference, with yet another revealing presentation pulled at the last minute. Two years ago it was Cisco attempting to quash Mike Lynn's presentation. This week it's HID Global threatening legal action to stop Chris Paget, a security researcher, from demonstrating weaknesses in contactless RFID cards.

Like most people, I've always believed that such interventions are counter-productive. It's healthier to come clean about security issues than keep them hidden away. And, ironically, such action can serve to attract even more publicity and potential reputation damage. But for me, the real issue is whether society and industry are ready for RFID. Any new identification technology will present security challenges. RFID is no different. But there are some deeper issues with RFID.

Several years ago I served as a subject matter expert for the Royal Society's excellent Science in Society Programme, during which I sat with citizen focus groups debating issues associated with emerging technologies and their impact on privacy and security. I was highly impressed with how quickly they grasped the implications of these technologies and formed decisive views. Generally they were willing to accept some loss of privacy in the interests of greater benefits. Most of them favoured technologies such as Identity Cards provided that the costs were not excessive. The one exception was RFID. Many felt that it was intrusive and did not offer them clear benefits. Some found it "scary". I must admit I was surprised. But I came away with a clear learning point: that we should not introduce such technology without full understanding of the implications and a proper consultation with all stakeholders.

March 12, 2007

The Future of Fraud Detection

I've just got back from lecturing at a CIPFA weekend school for auditors in Blackpool. Mastering the human factor was a primary theme. It covered everything from how to spot fraud to how to change organizational behaviour. It even included a session on the controversial topic of Neuro Linguistic Programming (NLP).

Teaching fraud detection principles is more of an art than a science. You have to learn the tricks of the trade from an experienced practitioner, largely through lots of anecdotes and case studies. It's not a black and white technique. There's lots of uncertainty and trial and error. Sometimes frauds come to light by accident. But often it's by instinct. And what sets off such suspicion? Generally it's a small thing that seems out of place: a total that's too high, a figure that's too round, or a behaviour that's out of the ordinary. The interesting thing for me is to try to work out how to capture and automate this valuable intuition.

There are some easy techniques for automated detection of fraud, based on simple rules. For example, highlighting totals that exceed or are just below an authorization limit. Or spotting sudden changes in the velocity or location of transactions. But experienced fraudsters do not always leave such obvious traces. So we need to create models reflecting the more subtle characteristics of fraud.
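The three simple rules mentioned above (totals over or just under an authorisation limit, a jump in transaction velocity, and a sudden change of location) as added example code; it is not from the original post, and the thresholds, the `Txn` record and the sample ledger are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Illustrative thresholds (assumptions, not values from the post).
AUTH_LIMIT = 10_000.00                 # single-transaction authorisation limit
NEAR_LIMIT_BAND = 0.05                 # "just below": within 5% under the limit
VELOCITY_WINDOW = timedelta(hours=1)   # trailing window for the velocity rule
VELOCITY_MAX = 3                       # this many txns per account in the window fires
LOCATION_WINDOW = timedelta(hours=2)   # country change within this window fires


@dataclass(frozen=True)
class Txn:
    txn_id: str
    account: str
    amount: float
    country: str
    ts: datetime


def limit_rule(t: Txn) -> Optional[str]:
    """Totals over the limit, or just under it (a classic sign of split payments)."""
    if t.amount > AUTH_LIMIT:
        return "over_limit"
    if AUTH_LIMIT * (1 - NEAR_LIMIT_BAND) <= t.amount <= AUTH_LIMIT:
        return "just_below_limit"
    return None


def velocity_rule(txns: List[Txn]) -> Set[str]:
    """Flag a txn when its account has VELOCITY_MAX or more txns in the trailing window."""
    flagged: Set[str] = set()
    by_account: Dict[str, List[Txn]] = defaultdict(list)
    for t in sorted(txns, key=lambda x: x.ts):
        history = by_account[t.account]
        history.append(t)
        recent = [h for h in history if t.ts - h.ts <= VELOCITY_WINDOW]
        if len(recent) >= VELOCITY_MAX:
            flagged.add(t.txn_id)
    return flagged


def location_rule(txns: List[Txn]) -> Set[str]:
    """Flag a txn whose account's previous txn came from another country within the window."""
    flagged: Set[str] = set()
    last_seen: Dict[str, Txn] = {}
    for t in sorted(txns, key=lambda x: x.ts):
        prev = last_seen.get(t.account)
        if prev and prev.country != t.country and t.ts - prev.ts <= LOCATION_WINDOW:
            flagged.add(t.txn_id)
        last_seen[t.account] = t
    return flagged


def run_rules(txns: List[Txn]) -> Dict[str, List[str]]:
    """Return {txn_id: [names of the rules that fired]} for every flagged transaction."""
    velocity = velocity_rule(txns)
    location = location_rule(txns)
    alerts: Dict[str, List[str]] = {}
    for t in txns:
        hits: List[str] = []
        limit_hit = limit_rule(t)
        if limit_hit:
            hits.append(limit_hit)
        if t.txn_id in velocity:
            hits.append("velocity")
        if t.txn_id in location:
            hits.append("location_change")
        if hits:
            alerts[t.txn_id] = hits
    return alerts


def _ts(hhmm: str) -> datetime:
    return datetime(2007, 3, 12, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample ledger (not real data).
SAMPLE_TXNS = [
    Txn("T1", "ACC-A", 250.00, "GB", _ts("09:00")),
    Txn("T2", "ACC-A", 9_900.00, "GB", _ts("09:10")),   # just under the limit
    Txn("T3", "ACC-A", 12_000.00, "GB", _ts("09:20")),  # over limit; 3rd txn within an hour
    Txn("T4", "ACC-B", 40.00, "GB", _ts("10:00")),
    Txn("T5", "ACC-B", 55.00, "US", _ts("10:45")),      # GB -> US only 45 minutes later
    Txn("T6", "ACC-C", 100.00, "GB", _ts("11:00")),
    Txn("T7", "ACC-C", 120.00, "GB", _ts("11:05")),
    Txn("T8", "ACC-C", 130.00, "GB", _ts("11:10")),     # 3rd txn within 10 minutes
]

if __name__ == "__main__":
    for txn_id, hits in run_rules(SAMPLE_TXNS).items():
        print(txn_id, ", ".join(hits))
```

Each rule is a separate function so it can be tuned or switched off independently, which is where most of the false-positive work the post mentions ends up.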

Several years ago I obtained a DTI research grant to build an experimental system for fraud detection based on a model of the human immune system. It might sound ambitious but we did get it to work, though the results were not interesting enough to persuade us to deploy the system for day-to-day business use. So-called computational immunology is a concept that offers great long-term potential but still needs a lot more research and development. Ascertaining how human immune systems actually work might help somewhat.

Artificial neural network techniques offer a simpler solution. We need good sets of data and some time and resource to train the system to recognize abnormal behaviour. It's not that difficult, though it can take a lot of effort to eliminate sources of false positives. But the important thing is to commence the journey. Because the future of Internal Audit lies not in manual checks, but in intelligent automation.

March 19, 2007

The Future of Digital Space and Place

As a keen Futurist, I'm interested in the impact of the Information age on how and where we live and work. And there are some interesting trends and contradictions. Distance doesn't matter but place does. And place is becoming an increasingly important focus for IT security, especially as a consideration for authentication, authorization and espionage. Security professionals should track these trends because they will become an important factor in future strategy and architecture.


March 27, 2007

Safeguarding Privacy in a Surveillance Society?

The Royal Academy of Engineering has just published a report on "Dilemmas of Privacy and Surveillance - Challenges of Technological Change". It's worth a read. Amongst other things, it claims that with the right engineering solutions, it's possible to have both increased privacy and more security, and that engineers have a key role in achieving the right balance. The authors optimistically believe that there is a choice between the Big Brother world and one in which private data is kept secret and secure. The answer it seems is to exploit technology such as digital rights management and to tighten control over organizations and systems that process personal data.

The report raises interesting issues, but the recommendations are disappointing. There's too much wishful thinking and not enough alignment with modern business reality. Yes, we should design systems to diminish failures. Yes, we should draw on engineering expertise in assessing risks. But this is not so easy when we have a business to run and a limited set of technology and specialist resources at hand. Can we have some suggestions on how to achieve this? Because it's what every security and risk manager is already striving to do.

Some recommendations are heavy-handed: give more powers to the Information Commissioner and impose stiffer penalties. Others lack business reality: discourage organizations from seeking to identify their customers. (The press release points to concerns about shopkeepers "knowing how many donuts we have bought".) There is even a shade of neo-Luddism in the discussion on the effectiveness of surveillance cameras. Perhaps I'm overly-critical. But I expect imaginative solutions, rather than knee-jerk problem statements, from the Engineering Community.

And I do believe that Society has much to gain from the Information Age. A progressive erosion of privacy is part and parcel of this future world. It is inevitable because of the very nature of the continual improvements in monitoring, communications and information retrieval technologies. No person or system is perfect. There will be casualties. Once data is in the public domain, it can no longer be hidden away. We have to accept these harsh realities if we wish to harness the benefits of this brave new world.

March 29, 2007

Paranoia does not Create a Healthy Business Climate

Could it be that this week's RAE report on Privacy and Surveillance (see my last posting) is symptomatic of a wider wave of paranoia across Business and Society? A recent report in the Chicago Tribune suggests that paranoia about information theft runs deep in business thinking and is rife in Silicon Valley. And yesterday's Washington Times reported that the US Government would be stepping up their counter-intelligence efforts following a series of damaging spy cases.

I had rather hoped that the end of the Cold War would herald the start of a new, healthier climate of openness and trust. And that the Internet would progressively erode the competitive power of proprietary IP rights, introducing a new age in which operational excellence and information sharing would become the keys to future business success. Clearly I was jumping the gun. Because events appear to reflect a different trend: one that reflects a backlash against the benefits of greater connectivity and information flows. We are becoming even more defensive about the erosion of our privacy and intellectual property rights. Obviously it will take time for us to adapt to living in an electronic goldfish bowl.

Of course, just because you're paranoid doesn't mean people aren't out to steal your information. But I prefer to believe that future business and political success will increasingly flow from openness, collaboration and trust, rather than secrecy, suspicion and caution.

April 20, 2007

The Future of Acceptable Use Policy

Not only are our acceptable use policies (AUPs) not keeping pace with the latest uses of business and personal technology. We are also failing to address the more radical changes that we can expect to encounter in the future business world. But some organisations are waking up. Yesterday a colleague from a leading pharmaceutical company raised two challenging questions on AUPs.

The first challenge is what an AUP would look like in a de-perimeterised world. Traditional AUPs have a stack of restrictions. They're full of do's and don'ts. Mainly the latter. Don't connect non-company computers to the network. Don't send work to your hotmail account. Don't use USB devices. Don't install personal software. Don't connect your iPod. Don't blog. Don't instant message. Don't use your work email for private communications. And so on. In the future we will need to become much less prescriptive. Ultimately the AUP might well boil down to a simple commandment such as "look after company data as though it were your own". But such a vague statement might be difficult to enforce in industrial tribunals.

The second challenge is how do you manage acceptable use policy in a virtual world such as Second Life? Many companies are now beginning to explore this new environment for business purposes. What constitutes acceptable use in an imaginary world with no laws, regulation or policing? Is it work or play? Is it fantasy or reality?

These questions reflect the problems raised by the continued erosion of the traditional boundary between business and personal lifestyles. Unlike the Industrial Age, the Information Age does not require a highly structured and regulated work environment. So we can expect a steady drift towards a more flexible and less formal way of doing business. The challenge is to understand, accept and manage the risks introduced by this fundamental paradigm shift.

Three things can help. One is the use of modern security technology to enable finer-grained, real-time monitoring and management of employee behaviour against complex, fast-changing policies. The second is comprehensive and frequent education of users about new security risks and policies. The third is the introduction of imaginative and effective motivators to reward or discourage particular types of behaviour.

Doing nothing is not an option. Neither is simply advising users to "be careful out there". Because otherwise we will be slowly sleepwalking into an unmanaged and highly dangerous business environment.

May 8, 2007

The Future of Security

Tonight I'm speaking on the Future of Security for the BCS South West Branch at the University of Plymouth. It may seem a little off the beaten track. But I've been very impressed by what I've seen of the University and its Network Research Group, which is fast becoming a UK centre of excellence for network security, under the dynamic leadership of Professor Steven Furnell. The topic I'm speaking on is a familiar one. I've been giving presentations on this subject for more than a decade. So it's interesting to reflect on how my perceptions of the Future have changed over the years.

In the early 90s, the Internet was not yet a business tool, but we could see its potential. It seemed the perfect embodiment of Alvin Toffler's vision of the Information Age. Its arrival in the corporate environment coincided with rapid growth in business partnerships and outsourcing. In fact it seemed the perfect vehicle to underpin the virtualization of business. But there were no strong security features to safeguard business infrastructure and transactions. It seemed inevitable that we were heading towards a long, sustained era of heightened security risk. I was particularly interested in how we might manage the contradiction between the growing criticality of IT to business operations and the diminishing security of IT infrastructures. One of my forecasts at the time was for "Two Track IT", i.e. two streams of IT development and operation, one fast, loose and risky, and the other slow, sure and secure. That division never happened. Somehow we managed to contain the risks and maintain a semi-secure IT infrastructure that stayed marginally ahead of the emerging threat.

Other forecasts were more accurate. The slow death of corporate perimeters. The breakdown of the boundary between business and personal lifestyles. The growth in computer crime and espionage. The fragmentation of IT into networks of smaller devices (though wearable technology has been slow to emerge). The need for real-time monitoring systems. The boom in Information Security as a line of business. All of which just goes to show that much of the future is predictable. In fact many of my Powerpoint slides have remained largely unchanged for more than a decade. One forecast still remains to be fulfilled, which is the rise of cyber-terrorism, although I did point out it was unlikely to mature before 2006. It hasn't happened yet. But it will arrive one day.

May 10, 2007

Information Age Paranoia

Further signs of paranoia about Information Age risks emerged over the last week. The first was a ban imposed by the Province of Ontario on access by officials to the social networking site Facebook. The second was a hint by the Head of the US National-Geospatial Agency about possible curbs on access to commercial satellite imagery to prevent its exploitation.

Of course it's right for organizations to seek to mitigate any identified risks. But holding back the inevitable advance of social networking and information availability is not the answer. As I've said before, we need to embrace the risks associated with the Information Age and find new solutions that are more aligned with its strengths, structure and characteristics. We can't uninvent digital networks. They're here for good and will continue to break down traditional barriers to information flows. Knowledge no longer resides in controlled cubby-holes. We have to accept the harsh consequences associated with this new freedom.

May 12, 2007

More Paranoia - this time from Microsoft

I was fascinated to hear that Microsoft banned journalists from Steve Ballmer's keynote at their Business Intelligence Conference yesterday. Of course that did not stop them from standing outside and recording all of the address. Or from talking to any of the thousands of attendees inside. By all accounts there were no secret or interesting announcements. So what was the point? Just more paranoia about information leakage it seems.

Big Brother Google

It was reassuring to read that Google have started to examine web pages for malicious content. But scarier to note that, having surveyed billions of sites and subjected 4.5 million pages to in-depth analysis, they had found that one in ten were capable of launching malicious code. It's clearly a big problem so it's good to see someone taking an initiative to address it. But where will all this monitoring end? At the same time the media have also spotted that Google has filed a patent outlining its plans to compile psychological profiles of millions of web users by covertly monitoring the way they play online games. It's all further evidence that we are sleepwalking into a surveillance society. And there's not a lot we can do other than embrace and accept the risks that new technology brings.

May 22, 2007

Time to Consider Quantum-Immune Cryptographic Solutions

Recent breakthroughs in the development of Quantum Computing are forcing IT Security Managers to rethink their cryptographic standards. In February D-Wave Systems, a spin-off from the University of British Columbia, exhibited and demonstrated a 16 Qubit Quantum Computer. Since then, many top CISOs have decided it's time to start exploring Quantum-immune cryptographic solutions.

Quantum Computing renders many of our existing cryptographic systems insecure. What it doesn't break immediately, it will weaken considerably. Public key algorithms, which underpin most of our e-Commerce, are particularly vulnerable. It may be quicker to break some keys than to generate them. Symmetric key systems will be less affected but we will probably have to double their key length.

We may still be many years from experiencing the impact of Quantum Computing on our business operations. But it takes a long time to change our cryptographic systems. Brand new solutions might take a decade to develop, evaluate, adopt, commercialise and implement. Distributed legacy systems don't easily accommodate deep-seated, across-the-board changes. It took a major effort to upgrade our banking systems from single to triple DES. It will require a much bigger one to rethink the basis of our e-Commerce security.

June 25, 2007

The Future of Democracy

My eyes were drawn to a recent report on e-voting just issued by the Open Rights Group, an independent, non-profit advocacy group, campaigning for the digital civil rights of British citizens. They're an interesting group, with a useful Wiki, led by a diverse Board including a security professional, Ben Laurie, who looks after security for The Bunker Secure Hosting. This group believes that the problems observed at the recent English and Scottish elections raise serious concerns about the suitability of e-voting and e-counting technologies for statutory elections. In particular they are concerned about the 'black box system', where the mechanisms for recording and tabulating the vote are hidden from the voter. Such a lack of public scrutiny might leave statutory elections open to error and fraud.

It's a good point. We do need to see greater transparency and better usability testing for this important process. And it's good to see someone campaigning to improve things. But I wonder if this group has spotted the bigger picture on democracy. Because it's all due to change. As Alvin and Heidi Toffler pointed out more than a decade ago, majority rule is increasingly obsolete. It's a relic of the Industrial Age and it's about to be swept away by the Information Age. We need to embrace real-time minority power across digital networks. That's what the new wave of social computing is all about. Like it or not, the future of democracy is likely to be much closer to Pop Idol and Big Brother style voting than that old-fashioned approach of counting paper slips placed in wooden boxes in village halls. This is a radical change with deep consequences which need to be debated. Because, amongst other things, we've already seen some of the problems that television style voting presents.

July 5, 2007

Long Term Data Storage – The Real Ticking Time Bomb

The Chief Executive of the UK National Archives has warned that we face a “ticking time bomb” regarding potentially unreadable digital formats. Gordon Frazier of Microsoft UK agrees, warning of a looming “digital dark age”. They have a point. It’s hard to read old file formats. There are also lots of dodgy back-up tapes out there just waiting to fail.

But I’m not so sure that’s the real problem with old data. Personally, I’ve never seen so much historical material on the Internet. Most storage today is virtual, backed up and stored in multiple systems and locations rather than in a single archive. Technology for compressing, storing and searching for data is improving substantially. I can’t see historians of tomorrow having much of a problem finding information about the last few decades. It will just require a different approach.

The real problem is getting rid of the stuff. Every action we take over digital networks creates trails of data that are hard, illegal or impossible to eradicate. You can protect some (but not all) of it using cryptography but eventually the algorithms used will reach their sell-by date. Young people today might be less concerned about publishing personal data about themselves on the Internet, but a casual remark might come back to haunt them, especially when they’re applying for a job and their prospective employer decides to run some background checks. Because - like it or not - it’s becoming harder to be discreet in the electronic goldfish bowl we’re building for the future.

August 2, 2007

Trends in Security Technology

This morning’s IT Governance & Risk Management email shot from Computer Weekly carried a reference to a Burton Group report on trends in the security technology marketplace. Unfortunately it looks like you have to buy one of Burton Group’s services before you can read the report. But the Computer Weekly summary says enough. The conclusion is obvious. And it’s essentially the same as the point I was making six months ago.

Large vendors such as RSA have been forecasting for some time that the security market will consolidate and eliminate the growing army of small single-point solution vendors. In my view that's no more than wishful thinking. In fact I think we'll see the opposite. Burton Group seems to have nailed their colours firmly to the fence that divides the interest of big vendors from small security start-ups. They conclude that “consolidation of the security market will remain the norm, but best-of-breed security firms will continue to emerge to address gaps in technology”. In classic Janet-and-John style, Bob Blakley instructs us that "the bad guys are sticking arrows into the customers and the customers are therefore driving their vendors to cover up the parts of their body to which the arrows are being stuck".

It’s all blindingly obvious. As I pointed out at the start of the year, it takes a long time for new technology companies to be acquired by large vendors. Which provides a growing window of opportunity for start-up companies. And new threats will come thicker and faster because of powerful trends in the business and technology landscapes. You don’t need to employ an expensive analyst to work that one out.

August 16, 2007

The Rules of the New Game of Information Warfare

Alvin Toffler pointed out a few decades ago that the 21st Century would be dominated by information warfare and espionage. That’s because intellectual property becomes increasingly valuable and powerful in a world connected by digital networks. Defending and exploiting intellectual assets is likely to present one of the biggest challenges for organisations in the future. But as William Gibson once put it, “the future is already here, it’s just not evenly distributed”.

Every now and then we see glimpses of subtle battles for information control in stories such as the alleged claims that machines belonging to organisations including Wal-Mart, Disney, Sony, the Labour Party, the CIA and the Vatican, have been used to rewrite Wikipedia entries. It raises the important question of what is fair, ethical and legal in a world dominated by information warfare. After all, it’s reasonable for organisations to aim to safeguard their interests. But where does prudent behaviour end and when do dirty tricks begin?

Information is the lifeblood of the Information Age. It should be the objective of organisations to harness the skills needed to surf, source and spin information for competitive edge. Is it wrong to manipulate information for personal or corporate gain? Or is it simply what the future compels us to do? Should we be more broadminded about competitive information exploitation? Or should we aim to stamp out any actions that might mislead the public? I’m reminded of the decision of the US Secretary of State in 1929 to close down the US code breaking office with the words “Gentlemen do not read each other’s mail”. That didn't last long.

September 5, 2007

Responding to the New Espionage Threats

For the last few days the media has been reporting alleged hacking attacks on US, UK and German government targets originating from China. It's to be expected of course as any new channel for covert information gathering will inevitably be exploited by zealous intelligence services. But what's really interesting about such attacks is not that they are happening, but their game-changing nature. In much the same way that communications interception transformed intelligence gathering in the last Century, so hacking and other new forms of electronic information gathering will progressively change the shape of espionage throughout the 21st Century.

Hacking presents a new dimension for intelligence gathering. It has very different characteristics from human and communications intelligence. It is cheaper, faster and easier, requiring no expensive interception platforms or networks of assets. It also offers a sharper and more immediate context for a targeted attack. But it is more intrusive than passive communications monitoring and therefore more likely to be detected and traced. And the window of opportunity for a particular exploit might also be relatively short lived. But it is very well suited to the fast-changing, competitive nature of the Information Age.

This is just the start of the new intelligence game, made possible by emerging technologies. Because we've only scratched the surface of the possibilities presented by large-scale data fusion and mining. Open- and closed-source intelligence gathering will become increasingly powerful, competitive and volatile. That's the nature of the new business and political landscape. How should we respond? The answer is to go with the flow. Putting up barriers or isolating yourself from the rest of the global, networked community is not the answer. Because the real edge is in exploitation rather than possession of information. As I've often said, in the new world of electronic networking, openness, trust and risk management will increasingly beat secrecy, suspicion and caution.

September 7, 2007

Can Security Stay Ahead of the Threat?

I often sit back and reflect on whether we are really winning the war against malicious security threats. The answer of course is "Yes". Otherwise we'd already be in dire straits. But it's sometimes a case of one step forward and two steps back. And two stories in this week's press suggest that we might have lost a few battles.

The first was the BBC story about the emerging commercial market in hacking kits (with full technical support) and boutique virus writing services producing malicious software to order. Of course there's nothing new in the capability on sale. It's always been available to those in the know. But commercialisation of powerful offensive software at affordable prices brings it within reach of any interested individual or organisation.

The second story was the announcement that the US Department of Homeland Security has scrapped its ambitious $42 million anti-terrorism data-mining tool after investigators found it was tested with information about real people without the required privacy safeguards. No doubt many people will be pleased to see the abandonment of a programme that threatens the privacy of citizens. But this technology will not go away. It represents the future of intelligence gathering. We need more research, not less, into these technologies in order to minimise the risks to individuals.

So one step ahead for the offensive capabilities of our potential enemies, and one step back for the technology we will need to defend against their attacks. Let's hope we can swing the pendulum back the other way.

October 10, 2007

The Rich Untapped Seam in Digital Communications

The blog postings have been a bit thin these past few days as I’ve been head-down, writing up a lengthy feasibility study report on the potential for analysing security behaviour in digital communications. It might sound very ambitious, but there are a lot of interesting things you can do to detect various forms of behaviour and misuse. And there’s a surprising breadth and depth of prior research in this area. Remember that IDS technology has been around for more than a decade and anti-malware scanning for twice as long. Unfortunately the trickle of innovative products in this area has not kept pace with the potential being mapped out by blue-sky researchers. So you can’t yet exploit the most promising techniques.

So what can you find from communications analysis? Quite a bit if you put your mind to capturing, analysing, profiling, mining and fusing message content, traffic patterns and IT activity. And even more if you apply modern visualisation techniques to high-speed graphical user interfaces. Psychological and linguistic profiling is still in its infancy but it offers huge potential for the future. Data fusion and mining have already achieved many spectacular successes. And neural networks are an established tool in the fraud detection armoury.

Privacy is clearly an overriding issue, but effective security solutions exist or can be conceived to contain the risks for many applications. Ignorance of privacy considerations is a bigger problem, as demonstrated by the recent decision by US Homeland Security to scrap an ambitious $42 million anti-terrorism data-mining tool after investigators found it was being tested with information about real people without adequate privacy safeguards. Of course it might sound like Big Brother, perhaps something to be resisted. But you can’t reinvent the science behind digital communications analysis. The best approach is to take it forward and develop the necessary safeguards.

November 10, 2007

The Future is Mobile but will it be Secure?

The past week has seen three developments likely to fuel future growth in the use of mobile devices. The first is Apple’s UK iPhone launch, which might not be the most advanced device in terms of functionality but certainly represents a step forward in usability. The second is Google’s announcement of their new open platform for mobile devices, which is likely to accelerate the longer term growth of mobile applications and features. The third is the start of manufacturing of Nicholas Negroponte’s One Laptop per Child machine, which introduces mobile computing, and programming skills, to previously inaccessible regions of the world.

Fast forward a few years and we can expect wireless, mobile operation to be the norm for most people, at both work and play. There’s nothing surprising about this, except for the fact that few organisations have given this channel sufficient security attention. Many security managers were caught off guard by the unexpectedly rapid uptake of wireless LANs and BlackBerrys. And, until recently, few organisations had even considered encrypting laptop data. Traditional corporate perimeters don’t safeguard mobile business operations. We need new solutions, new practices and new user behaviour. And time is running out to put them in place.

November 26, 2007

Innovation is Where You Least Expect It

I take a close interest in Innovation. It’s vital to Security because the problem and solution spaces are constantly changing. It’s also a fascinating problem: a simple concept but one that organisations find very hard to grasp. In theory it all boils down to a basic skill everyone possesses, creativity, plus a simple organisational process to collect and take forward ideas. It should be trivial to implement. But in practice, organisations struggle to make it happen.

So I was interested to catch up in New York with Howard Wright, former Head of Innovation for the Royal Mail Group and architect of its famous Innovation Lab. Howard has more experience of transforming business thinking than anyone else I know. He’s also run some excellent planning sessions for CISOs which have helped us all gain a better understanding of the future challenges we face. He also has an excellent blog on the subject.

At first sight you’d never expect to find innovation excellence in an old-fashioned, conservative business environment. But that’s where the business need is greatest. So it’s not really surprising to hear that he’s now working as Director of Futures Strategy for Pitney Bowes, an old-fashioned organisation that sells franking machines. Like Royal Mail, it needs to adapt its business products for the Information Age. And that also requires a new focus on security. So look to Pitney Bowes for the latest ideas in Innovation. As with many good things in life, best practices are often where you least expect to find them.

December 10, 2007

When Real and Virtual Worlds Collide

Returning from a trip up North yesterday I ran into security colleague and fellow blogger Jonathan Care. He posted a nice comment about my appearance :-) on his excellent blog. An excellent start to the week.

The Future will be a Better Place

Bruce Schneier paints a rather downbeat picture of the future in a discussion with Marcus Ranum on Security in Ten Years. Fortunately they are wrong. When looking a decade ahead, you cannot simply extrapolate today’s trends, nor consider them in isolation. By 2017, many changes in perception and practice will have taken place. It won’t be just a case of more of the same.

Go back twenty five years and imagine what a law enforcement expert would have projected for the future of crime in New York. It would have been grim. But many things in life, such as average GDP per person, continue to improve, and their impact over a decade can be transformational. Relative certainties for 2020, identified in recent long-range research projects, are that the World economy will be substantially larger, that energy supplies will still be sufficient, and that people will be healthier, wealthier and live longer.

It’s also likely that we will have addressed the root causes of today’s security problems, and become more accustomed to many of the fundamental changes to business and society introduced by the information age. Technology of course will become increasingly complex and remain spectacularly vulnerable. But it’s also highly resilient, and can quickly bounce back. The trick is to accept and address the weaknesses of modern technology, and to harness the technology itself to help solve these problems. Faster, complex and more pervasive technology presents bigger risks but it also offers more powerful security solutions.

December 11, 2007

Next Year’s CIO Agenda

We’re approaching that time of the year when pundits and their sponsors like to look back on how things went, and what the coming year might promise. For me, an enthusiastic futurist and a serial forecaster, it’s a fascinating time. So I was pleased to respond to a Computer Weekly request for ideas on the CIO agenda for 2008.

In my view the dominant issue for 2008 will be Security which will stand out as a surefire case for increased spending in a tough year of belt-tightening. It will be driven by fear, as Boards grasp the uncomfortable fact that they simply don’t have sufficient control or assurance of their management of sensitive personal data. Human factors will be an obvious focus, because it’s fashionable and it’s the area with the weakest impact that attracts the lowest security spend.

Compliance will continue to be the safest area for vendors to focus on. Imaginative business cases with payback periods of more than a year are likely to be consigned to the back burner. Unless of course you can persuade your Management Board that it’s a strategic business investment. Few IT investments hit that spot. But there’s increasing evidence that IT professionals are becoming more business-aligned. So perhaps we can anticipate some long-overdue innovation from those highly-paid CIO appointments.

Social networking, or Web 2.0 if you prefer, might be the card to play to engage the more innovative Board. But personally I’ve yet to encounter an organisation that has got to grips with the issues and the imaginative solutions needed to deliver business value. So I’ll stick with the old, and very sensible, adage of not implementing a point zero version until the service pack appears. Social networking presents huge risks. If you don’t know what you’re doing, sit back and wait for the dust to clear.

December 26, 2007

Security Forecasts for 2007 – Right or Wrong?

It’s always a useful learning exercise to look back on earlier perspectives of security. This time last year I set out a Top 10 Security Trends for 2007. The list included some obvious trends such as security threats getting nastier, databases being the new target and compliance getting tougher. It also contained hot topics such as true de-perimeterisation remaining beyond reach, social computing making an impact on everyday business and security professionalism making slow progress. And I took a stab at a few higher risk predictions such as CISOs getting tough, technology taking centre stage and security vendors uniting. Finally I suggested that the electronic Pearl Harbour is probably just around the corner and that we could certainly do with a not-too-damaging wake-up call.

How did I do? Well the electronic Pearl Harbour didn’t strike though we did come close with events such as the Storm worm, the Far Eastern espionage attacks and the large-scale data breaches at TJ Maxx and HMRC. Most of my high risk bets also failed to materialise. CISOs didn’t get tougher. In fact more of them went native, supporting rather than challenging their business managers. I was also disappointed with the lack of imaginative new technology solutions on display, especially considering the increased amount of security research and VC funding for security products that’s been taking place across the world.

In defence I can claim that my first six predictions were spot on, so at least I achieved an above average return. And I still stand by most of my forecasts. The problem with predictions is always in the timing. Anything less than two years out is always a difficult forecast. Business cases, hype curves and development delays slow down the adoption of emerging trends. In the end the true art of predicting the future generally comes down to estimating time lags rather than spotting the general trends.

December 29, 2007

Security Forecasts for 2008

In keeping with tradition, it’s time to dust off the crystal ball and look ahead to the key trends we can expect to encounter during the next year. Here are my Top 10 predictions for 2008.


January 14, 2008

Ready or Not, Convergence is the Future

One of the inevitable trends of the Information Age is the progressive convergence of network services. It’s dangerous but unstoppable. Over the last two decades many people have asked me if networks will proliferate or combine. The answer is simple. As they say in Highlander, "there can be only one". That’s because of the leverage of network effects, which deliver increasing power to any network that enables collaborative operations.

So I’ve been keeping a watchful eye on the slow but unrelenting progress of IP convergence. It hasn’t had the sensational press coverage I anticipated but it presents major challenges. And by all accounts we’re not prepared. You’d think that after the security risks we’ve experienced from the introduction of wireless networks the vendor community would be making a major effort to develop secure protocols and architectures. Not so.

The risks are creeping up on organisations. VoIP experimentation is only the start. It strikes me that this technology drives a coach and horses through firewall policies, introduces software developed with insufficient attention to vulnerability management (when did you last patch your phone?), exposes corporate networks to a new raft of potential access points, and creates a single point of exposure of epic proportions: once voice and data share one IP network, an outage or compromise of that network takes out both. But I don’t see a lot of vendor or corporate action to develop new security architectures to meet the challenge.

Am I being paranoid? Or just plain realistic? Time will tell. In the meantime, guidance on what to do is thin but slowly emerging. The latest paper on the subject, which has just come to my attention through the excellent FIRST Newsroom, is a SANS paper. An excellent overview of many of the issues, but we need a lot more guidance on this subject.

January 18, 2008

Consumerisation is Coming Your Way

A glimpse of the new Apple MacBook Air reinforces the growing gulf in desirability and performance between the latest consumer-oriented technology and the outdated laptops issued to business executives. At the same time Nicholas Negroponte’s One Laptop per Child initiative is dragging down the cost of basic laptop technology well below the traditional price point that industry is used to paying. Of course we all know that the cost to manufacture a laptop drops by a half every eighteen months or so. But for years we’ve been blinded by the continuing bloating of operating systems and applications to meet the modern equivalent of Parkinson’s Law, i.e. that laptop software expands to fill the available memory.

So it’s time to take a good look at where all this is leading. We struggle more each day to adapt our rigid desktop architecture to meet the requirements of a rapidly evolving business world in which business partnerships, supply chains and customer requirements demand frequent changes to desktop systems and connectivity of external client devices. Why not take the plunge and begin the journey to a brave new World in which users can select and connect their own clients? It’s a natural evolution. After all, most organisations have ceased selecting, purchasing and maintaining company cars for their staff. Isn’t this the same?

Well not quite. It’s all technically possible these days, but such a radical change will have a massive impact on enterprise architecture, security, procurement and maintenance. Not to mention the shock to organisation culture, service level agreements and outsourcing contracts (which can run for up to ten years). It’s certainly not a trivial exercise. Which is all the more reason to start planning now. Because consumerisation is an inevitable trend that’s coming everyone's way.

February 2, 2008

Who Needs Network Security?

De-perimeterisation is a reality. "You've already been de-perimeterised" as we say in the Jericho Forum. But reports of the death of Network Security have been exaggerated.

Network World have just published a piece by me on The Future of Network Security. It's a regular Jericho Forum column, so worth tracking. In the article, I've tried to contrast the benefits of placing security controls in networks rather than end points. Each approach provides a different perspective. In practice you need a combination of both.

February 23, 2008

The Future is not all Doom and Gloom

I’m regularly accused of being a prophet of doom because I forecast back in 1999 that the average risk profile would climb to a dangerous level by around 2006. That was my suggested starting date for the long-awaited e-Pearl Harbor. It hasn’t happened yet, though we’re certainly overdue for a major incident. But despite that I remain relatively optimistic about the long-term future, as long as we implement the right strategy and solutions. That will come with time. Major Incidents have a habit of containing excesses if risks get seriously out of hand.

My original predictions were based on road mapping exercises carried out by leading subject matter experts that considered all dimensions (social, business, government, legal, technological, etc.) as well as the impact of future trends in research and solutions. Unfortunately we’re surrounded by less sophisticated analyses, based on single-issue arguments. Such forecasts should be consigned to the security dustbin.

The latest example is Roger Grimes’s InfoWorld article on Computer security's dubious future, which assumes that security is doomed because life is getting more complex. Don't believe it. He hasn’t taken the trouble to properly assess the problem space or the potential for solutions.

There is no reason why problems caused by complexity can’t be tackled by the right technological approach (students of Stafford Beer would understand this) or by initiatives to reduce diversity (there are many techniques for achieving this). You can find plenty of examples in life of control systems that can handle complex threats. The human immune system is just one of them.

Richness of choice in products or services is to be welcomed. Security needs to respond to this of course. But there is no reason why we can’t develop an effective antidote.

February 24, 2008

Cyber Warfare is This Year’s Fashion

If 2007 was the year in which the public and media became aware of the risks of large scale data breaches, then 2008 might prove to be the year that they finally grasp the dangers posed by cyber warfare. There’s certainly a lot of business and publicity building up in this area. Last year’s Die Hard film was only the start.

This month Wired magazine has an interesting feature on the intense competition by 15 military towns to host the Air Force's new Cyber Command. Clearly there are big budgets to be won playing this new great game. It’s also hitting the conference circuit. Next month I’ll be speaking at Cyber Warfare 2008 in London. And I keep coming across an increasing line of training services from specialist companies such as Abacus IT Security.

Of course one worries about the value we get out of all this. Just what do tens of thousands of cyber soldiers do when there’s no war to fight? Does it mean that we now have a new form of cold war being played out in secret? At the height of the last cold war we had huge numbers of intelligence officers doing little more than creating false trails for the other side. It's poor value for the taxpayer. But it does create lots of interesting work for IT security professionals.

March 1, 2008

De-perimeterisation Gets Closer

Yesterday’s Jericho Forum workshop was focused primarily on developing a position paper on collaboration-oriented architecture. This might sound like a pretentious new buzz word. But it’s a natural progression in IT architecture, which has been slowly evolving from products to services to processes. It's a little early for breakthroughs, but it’s worth watching this space because the discussions were interesting and mature.

However the thing that really caught my eye at the meeting was Paul Simmonds’s demonstration of de-perimeterised Internet filtering and monitoring. He could connect his laptop to the Internet via the local office network and browse web sites with full filtering and logging in accordance with ICI security policies. It’s not rocket science but it’s something you don’t see every day. The technology used was a service delivered by AT&T based on ScanSafe technology. It’s not brand new but it’s the first time I’ve seen it in use and working.

Today we can deliver secure services over the Internet, with secure remote access by clients and full filtering and monitoring of content from any access point. It’s another step closer to a full de-perimeterised business environment.

March 31, 2008

Cyber Warfare

It might sound like science fiction, but Cyber Warfare is real, growing and important. Today saw the kick-off of a two-day conference in London on this subject organised by Defence IQPC.

It’s a timely reminder of the importance of this subject, especially following the attacks experienced by Estonia last year. That was a wake-up call for many institutions. They’ve since swung into action to identify ways of defending us against potential attacks.

Have they got it right and is it working? The answer has to be no. We’ve made a start, but there is a long way to go. We need a lot more resource and imaginative thinking trained on this issue. It’s encouraging that the awareness of the problem is growing. But the solution space needs filling out. And that’s far too thin.

One thing is clear. The answer lies in co-operation and leveraging the power of networks. Industry has a role in supporting government. We're all in this together. We should be doing a lot more to connect our risk assessment and incident response processes.

The Future of Correspondence

It’s sad to think that future historical records might be no more than a print-out of an electronic image. The forthcoming auction this week of Presidential manuscripts at Sotheby's in New York, especially the letter from Abraham Lincoln, illustrates the attraction of physical mementoes. I’m tempted to revert to snail mail.

April 15, 2008

The Future of Intellectual Property

It’s interesting to speculate on the future of intellectual property. Will open source collaboration and peer-to-peer sharing lead to a world where information becomes a free resource? Or will patents and copyright restrictions continue to rule?

Two interesting stories this week provide contradictory insights. Computer Weekly reports that Eli Lilly, a leading US pharmaceutical company is putting research work out to open tender to enable its transformation to a networked organisation. In contrast, the Economist reports on the growth of patents in China and the opening of 50 courts to deal solely with intellectual property cases.

As with many things in life, there are contradictory trends. On the one hand we have the growing power and knowledge sharing and collaboration to develop valuable new intellectual property. And on the other there is the need to protect the increasing value of intellectual assets which are becoming more significant in an information-driven age.

One thing is clear though. Copyright restrictions have been growing throughout the last century, ever since Walt Disney made a fortune out of ideas lifted freely from the Brothers Grimm.

April 27, 2008

Navigating the Security Conference Circuit

It’s always a problem organising an information security conference, as there are so many competing events that might clash with yours. I had a similar problem last week with invitations to events in both Manchester and London on the same day.

But now you can see what’s planned across the Globe, as far ahead as you wish to look. The answer is to be found at INFOSECDIARY, a free online diary of forthcoming security events.

May 12, 2008

Information Meltdown

As if it wasn’t bad enough to have organisations losing sensitive citizen information, we now have hackers publicising the stuff to make a point about the need for better security.

The incident, in which a Chilean hacker published confidential records on six million people, illustrates the fact that it’s increasingly hard to keep anything secret in a highly networked society. Even with good perimeter security, insider threats remain a possibility.

We need to move faster towards a society that has less dependency on keeping things secret and can recover quickly from large scale breaches. That’s the only long term solution.

June 4, 2008

Security news on video

A few weeks back I was interviewed on film by Sarb Sembhi. The results have just appeared on Virtually Informed, a video news web site aimed at the security industry. It's an interesting concept. There are filmed interviews with CISOs and other well-known industry personalities including Howard Schmidt and Lord Erroll. Worth checking out.

June 7, 2008

Predicting the outcome of events

Today I shall be at the Epsom Derby trying to pick a winner on incomplete information. I shall probably go for Tajaaweed as he's around ten to one and appears to have a better chance than that of winning. 

Predicting the outcome of events that you know little about is a bit of a mug's game. Yet we do it every day with risk assessments, and amazingly, we even place numbers on our decisions. Some people rely on inside knowledge. Others look to statistics. But everything in life is a mixture of chance and consequence.

I was reminded of this earlier this week when I was reading an interesting interview in The Sunday Times with Nassim Nicholas Taleb, author of "The Black Swan: The Impact of the Highly Improbable". He posed the question:

"You toss a coin 40 times and it comes up heads every time. What is the chance of it coming up heads the 41st time?"

Every classically trained statistician will immediately shout 50%, because independent tosses of a fair coin have no memory. But as Taleb rightly points out, you'd be a sucker to believe that. The chance of a fair coin coming up heads forty times in a row is about one in a trillion (2 to the power 40 is roughly 1.1 × 10^12). The far likelier explanation is that the coin is loaded, and the sensible forecast for the 41st toss is heads.
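As an added worked example (not part of the original post), here is the Bayesian version of Taleb's point in Python. It assumes, purely for illustration, a one-in-a-thousand prior probability that the coin is loaded and, if it is, a bias that is unknown and uniformly distributed on [0, 1]; both figures are assumptions, not anything the interview states. Exact fractions are used so the tiny numbers involved are not lost to rounding.

```python
from fractions import Fraction

# Assumed prior: one coin in a thousand is loaded (an illustrative figure, not a
# measured one). A loaded coin has an unknown bias p, taken as uniform on [0, 1].
PRIOR_LOADED = Fraction(1, 1000)


def posterior_loaded(n_heads, prior_loaded=PRIOR_LOADED):
    """Probability that the coin is loaded after observing n_heads heads in a row."""
    # Fair coin: every head has probability 1/2, so n heads has probability (1/2)^n.
    fair_lik = Fraction(1, 2) ** n_heads
    # Loaded coin with uniform bias: the integral of p^n over [0, 1] is 1/(n + 1).
    loaded_lik = Fraction(1, n_heads + 1)
    numerator = prior_loaded * loaded_lik
    return numerator / (numerator + (1 - prior_loaded) * fair_lik)


def predictive_heads(n_heads, prior_loaded=PRIOR_LOADED):
    """Probability that the next toss is heads, given n_heads heads so far."""
    post = posterior_loaded(n_heads, prior_loaded)
    # Posterior mean of a uniform bias after n heads (Laplace's rule): (n + 1) / (n + 2).
    next_if_loaded = Fraction(n_heads + 1, n_heads + 2)
    # Mix the two hypotheses by their posterior weights.
    return (1 - post) * Fraction(1, 2) + post * next_if_loaded


if __name__ == "__main__":
    for n in (0, 5, 10, 20, 40):
        print(f"{n:2d} heads: P(loaded) = {float(posterior_loaded(n)):.6f}, "
              f"P(next head) = {float(predictive_heads(n)):.4f}")
```

With no evidence the forecast is exactly 50%, as the statistician says. After forty heads the posterior probability that the coin is loaded is within a few parts in a hundred million of certainty, and the forecast for the 41st toss is about 97.6% heads. The same structure applies to a risk assessment: the number you put on an event should move as the evidence arrives, and a prior that admits "the model is wrong" with even a tiny weight is what lets it move.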

 

June 16, 2008

Future security architecture

Last week I was fortunate to catch an excellent presentation at GC 2008 by Martin Sadler, Director of HP Labs' Systems Security Lab, on the future of security and identity management.  

If you haven't been tracking this topic then I suggest you check it out. For several years HP and others have been doing some excellent research on how to develop a secure architecture to enable a client platform to run multiple applications of varying sensitivity and risk, whether business or personal.

The future solution, if it can be realised, is to maintain a single client platform with a secure firmware base that can switch between numerous operating system environments, each dedicated to a particular purpose. This would enable you to separate your business, personal, banking and other operations, reducing the risks to business systems from personal use and cutting off phishing, since a compromised personal environment could no longer reach the banking one.

This approach also transforms the nature of identity management. You can have as many individual personas as you wish. It sounds perfect. But there is one further challenge. The firmware has to be bullet-proof. A single flaw in the layer that does the switching undermines every compartment above it. Let's hope HP can get this right.

July 17, 2008

Talent wars are zero sum games

JP Rangaswami, Managing Director of BT Design, gave an excellent speech last night on the "The Future of Corporate Information" at the Computer Weekly 500 Club. JP is a superb, original thinker and has a tremendous wealth of up-to-date knowledge.

I cannot fault JP's analysis of the problem space. Trends such as consumerisation and Web 2.0 technologies are revolutionising IT, in ways that traditional IT functions are not keeping pace with. We are culturally behind, and, worse, holding back the introduction of forward-looking methods of working. Young people can see this and will be less attracted to work in our old fashioned IT environments.

At the same time there is a growing shortage of computer science graduates. Human beings can't be scaled up in the same way that technology can. We are heading for "talent wars" as companies fight to attract scarce young graduates, with a growing realisation that future organisations will be more a collection of capabilities and relationships, than a set of business processes and services.

On hearing that, many CIOs will no doubt take a hard look at their conservative middle manager and sharpen their axes. But it need not be that way. Talent wars are a zero sum game. It's wrong to assume that young people are the only ones who can grasp the new skills. The failure to modernise the IT workforce lies with CIOs not their staff.

Human beings of any age are not much different. They take their cues from their roles, their peers and the environment. Change the context and they will act differently. And it's better to have an experienced workforce that gets it, rather than a younger one that doesn't have the experience to understand why we needed some of those old-fashioned controls.

September 8, 2008

Reading between the lines

The BBC News Website carries an interesting article on text message analysis. This technique is becoming a new, powerful tool for solving crime cases. It's already been used to help secure a murder conviction this year, by showing that text messages sent from the victim's phone were similar in style to the accused person.

This forensic work focuses on the stylistic features of messages, such as the choice of personal pronouns. Experts such as Dr. Tim Grant, from the Centre for Forensic Linguistics at Aston University, are building and analysing specialised language databases from thousands of text messages. As he puts it, "You have to show expertise over and above that of the average jury member - we're all language experts".
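To make the idea of "stylistic features" concrete, here is an added example (my own illustration, not Dr. Grant's method or the BBC article's) of the simplest form of authorship comparison: build a profile of pronoun usage and a few texting-style markers for each candidate author's known messages, then rank the candidates by how closely the questioned messages resemble each profile. The feature set, the similarity measure and all the messages are constructed for this example.

```python
import re
from collections import Counter
from math import sqrt

# Personal pronouns as stylistic markers (the article names pronoun choice as one feature).
PRONOUNS = ["i", "me", "my", "you", "your", "u", "ur", "we", "us", "our",
            "he", "she", "they", "them"]

# Extra surface markers of texting style; an assumption for this example, not from the article.
MARKERS = {
    "apostrophe_drop": re.compile(r"\b(?:im|dont|cant|wont|ill)\b"),
    "txt_abbrev": re.compile(r"\b(?:u|ur|r|2|4|gr8|l8r|thx|pls|plz)\b"),
    "lowercase_i": re.compile(r"\bi\b"),   # checked on case-preserved text
}

# Constructed sample corpora: two known authors and a set of messages of disputed origin.
AUTHOR_A = [
    "im on my way, c u at 8",
    "dont forget ur keys, i left them on the table",
    "r u coming 2nite? im bored",
    "cant make it, ill call u l8r",
]
AUTHOR_B = [
    "I'm running late, I will see you at eight.",
    "Don't forget your keys. I left them on the table.",
    "Are you coming tonight? I'm rather bored.",
    "I can't make it, I'll call you later.",
]
QUESTIONED = [
    "im nearly there, c u in 5",
    "u forgot ur bag again, i got it",
    "cant talk now ill txt u l8r",
]
CANDIDATES = {"author_A": AUTHOR_A, "author_B": AUTHOR_B}


def tokenize(text):
    return re.findall(r"[a-z0-9']+", text.lower())


def profile(messages):
    """Normalised feature vector: pronoun rates, marker rates and scaled mean word length."""
    tokens = [t for m in messages for t in tokenize(m)]
    n = max(len(tokens), 1)
    counts = Counter(tokens)
    feats = {f"pron:{p}": counts[p] / n for p in PRONOUNS}
    for name, rx in MARKERS.items():
        hits = sum(len(rx.findall(m if name == "lowercase_i" else m.lower())) for m in messages)
        feats[f"mark:{name}"] = hits / n
    # Mean word length, divided by 10 so it sits in the same range as the rates above.
    feats["avg_word_len"] = sum(len(t) for t in tokens) / n / 10
    return feats


def cosine(a, b):
    keys = set(a) | set(b)
    dot = sum(a.get(k, 0.0) * b.get(k, 0.0) for k in keys)
    na = sqrt(sum(v * v for v in a.values()))
    nb = sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def attribute(questioned, candidates):
    """Rank candidate authors by similarity of their known messages to the questioned ones."""
    q = profile(questioned)
    scores = {name: cosine(q, profile(msgs)) for name, msgs in candidates.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for name, score in attribute(QUESTIONED, CANDIDATES):
        print(f"{name}: {score:.3f}")
```

On these constructed messages the questioned set ranks closest to author_A. A handful of messages is nowhere near the evidential standard the article describes: the forensic work rests on databases of thousands of texts, so that an analyst can say how unusual a given combination of features is across the population rather than merely which of two candidates it resembles more.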

It seems inevitable that, in the not too distant future, we'll be able to fingerprint people, analyse their personality, detect changes in mood and tell whether they are lying from their messages. Whether you like it or not, Big Brother is coming your way.

September 10, 2008

The Future is a long time coming

My briefcase has been weighed down lately with large paper documents, things such as the manuscript for my new book (one and a half inches thick printed double sided on A4 paper) as well as numerous documents I'm either researching or reviewing. So I just couldn't resist buying one of the new Sony e-readers. It's an absolute delight to use: small, slim and svelte, though the software is a little clunky. 

It also made me think about the speed to market, or lack of it, for new technologies. Around the turn of the Century I recall seeing a demonstration of electronic paper at MIT Media Lab. The prototypes seemed fairly well developed. I asked them how long it would take before we saw it in the shops. "About two or three years" they suggested. In fact it's taken the best part of a decade.

As I've often said, you can get a pretty good idea of what's likely to emerge over the next decade by taking a look at what's in the research labs now. The future of technology is quite predictable. We're just never quite sure exactly when these new ideas are going to arrive.

September 15, 2008

Spin, FUD and disinformation

I have long held the opinion that the next big security wave will be focused on information integrity. Both the problem space and the solution space are highly immature. They operate at many levels.

Take the problem space for example. Networks are leading to growing potential for extortion, Chinese whispers, spin, FUD, rumour, urban myths, disinformation, changes in context, as well as the traditional margins of error.  

Even Sir Tim Berners-Lee is now raising some of these concerns. We need to raise our game substantially in combating these problems.    

September 17, 2008

Spy versus spy

The UK Government ruling on the legality of Phorm is just the beginning of a long series of wars to exploit personal information for good or bad purposes.

As I've been saying since the turn of the century, we're at the start of a paradigm shift in information security that I've called "spy versus spy", a new world in which all stakeholders race to exploit personal information of all kinds for the purposes of espionage, crime, commerce or security.

It's the nature of the 21st Century, which, as Alvin Toffler correctly pointed out many years ago, will be dominated by information warfare and economic espionage.

September 20, 2008

The new media landscape

I've just got back from several days in Madeira, attending and speaking at an exclusive Pitney Bowes conference on "The New Media Landscape". I'd advise all security practitioners to aim to attend events on subjects other than information security. You can learn a lot more, and it opens up new dimensions, which is essential to tackle a solution space that is increasingly becoming an inter-disciplinary one.

I picked up many new learning points about marketing communications, customer experiences, Generation Y, trust and privacy.  These are all important points for understanding the new type of people-focused security we need for the future.  

Key learning points for me were the shift from "push" to "pull" in communications, and the need for greater emotional engagement, especially with Gen Y staff and customers. We need to move from an anonymous "sell" approach for our products to a deeper, more personalised "pull" relationship with our customers.

We can't build trust and good security behaviour through ad hoc, one-way communications of corporate dogma. We need a new, more sophisticated approach. All security practitioners should start thinking about this now, and assigning much bigger budgets to future security awareness initiatives.

September 24, 2008

We know where you're looking

I was interested to see that Google's new Android phone has a built in compass, introducing yet another dimension to your cyberspace footprint. Added to GPS, cellular triangulation and built-in cameras, it's clear that we're progressively sleepwalking into a surveillance society. Not only can we pinpoint your position, we can also tell which way you might be facing.

Now I'm not an expert on these technologies, so I can't really judge just how accurate these technologies might become at pinpointing your position. But I do recall Peter Cochrane, BT's original futurologist, telling me around ten years ago that with a combination of these positioning technologies we could eventually pinpoint people to around half an inch. Peter was always inclined to make dramatic statements, but he's a very smart technologist.

The interesting question is "Does anyone care?" The impression I get is that out of every four people, one seems to be obsessed about privacy, another doesn't give a damn about it, and the other two take a risk assessment. In other words, concern about privacy seems to follow a bell curve. Let's hope that the designers of our corporate policies and information systems are more inclined to the cautious end of the scale.

September 27, 2008

The next generation Internet

I was eager to read the latest blog posting by Vint Cerf, Google's Chief Internet Evangelist, on the next generation Internet. What does he have to say? 

Vint says that most of us will have access to the Internet at increasing speeds. Many things will be on the Internet. They will know where they are and be able to discover other devices in the neighbourhood. The Internet will transform the video medium. The choice of content will be under consumer control. RFID tags will help us find our car keys. And there will be Internet-enabled washing machines. Er... that's mostly it.

So what happened to global information warfare, virtual business worlds, Big Brother, electronic cash, large scale cyber crime, real-time espionage, minority democracy and all the other important trends that will transform our life? Not quite as significant, I guess, as finding those car keys and sorting out the weekly wash.

It's yet another forecast that brings to mind that classic Basil Fawlty quote: "Can't we get you on Mastermind...specialist subject: stating the bleeding obvious..."

October 3, 2008

The Cyberspace Frontier has closed

One of the fascinating things about networks is what goes on behind the scenes. Few people are aware of the mass of filtering, monitoring and eavesdropping that takes place across international, or even enterprise, networks. We often imagine that we're surfing an open network. In fact, nothing could be further from the truth.

So I was particularly interested to hear Rob Carolina assert that the Cyberspace Frontier has now closed. Rob is one of the finest and most experienced lawyers operating in the IT and information security field. He doesn't make statements like that lightly.

In fact, Rob first announced this in a recent address to the first Royal Holloway Information Security Group Alumni Conference. But I didn't hear this until I ran into him at this week's Gartner IT Security Summit. His point is that the Internet now has borders, and has entered an age of de-globalisation.

Governments, law enforcement officials, lawyers, judges, and policy makers have caught up with the Internet and brought it back to Earth. It's organised around geographic borders. You get different results if you access the same news sites from different countries. 

The big question is whether this is a temporary relapse or a permanent state. I suggest the former. The information age needs no perimeters. Asserting national borders is merely the last gasp of an outdated, though powerful network of ancient institutions.  

October 7, 2008

The end of secrecy

I've been saying for the past two decades that in the future we'll all have a lot less privacy. It's logical really. As networks and storage technology make it ever easier to access, capture and move information, it will become harder to keep secrets. The only uncertainty has always been anticipating precisely how and when the implications of all this will unfold.

There are many dimensions to this problem, and they're already becoming very visible. Data leakages will become more common. Intelligence services will have to operate in a more open fashion (though they'll have vastly more scope for interception). And there will be a growing privacy backlash.

Just in the past week, for example, we've seen press reports of data breaches, reports of China spying on Skype messages and UK government proposals to store details of citizen communications and Internet use. We've also seen privacy arguments about BT's proposal to roll out Phorm, a controversial consumer tracking system. There's a clear trend in all of this, and we can expect it to continue.  

Business and security will need to respond to the threats and opportunities presented by this. As competitors and enemies increasingly exploit the ease of gathering and mining previously private information, we will be forced to do the same. For the past ten years I've referred to this scenario as "spy versus spy". It's a paradigm shift for all stakeholders. If you can't beat them, you have to join them.

October 14, 2008

Security budgets

I was interested to read a brief spot check survey of three F500 CISOs about security budget projections on Jim Reavis' Riskbloggers site. This suggested that CISOs have yet to feel the impact of the credit meltdown on their budgets. Increases in budgets are still planned for next year but the best case scenario is that they'll remain unchanged. That sounds about right.

Every vendor and journalist I meet these days asks me for my opinion on next year's security budgets. It's an interesting question. It's often suggested that information security is a recession-resistant career. That's true. It might change its name and activities, but it will always be needed. And it's not optional like some other corporate functions, such as marketing and brand management. But there will certainly be changes. Operational security processes will be largely unaffected in the short term, but we can expect non-urgent IT and security investments to be postponed. And there will be fewer banks, which means fewer staff and less external spending.

But demand might also increase in some areas. Mergers in the financial sector will create new demands for security architecture, identity management and testing to support integration activities.  Business risk management will be taken more seriously. Regulatory compliance demands will increase. There will be more organisational reviews. And headcount reductions might push up external consultancy spending. There will be more demand for Software-as-a-Service security products that can cope better with variable user demand.     

The main thing to remember is that most security spending reflects trends in risks and incidents, rather than in the state of the economy. And all projections are that cybercrime and major data breaches will increase. So don't expect a complete meltdown in security budgets. 

October 31, 2008

The advancing science of anti-forensics

One session that caught my eye at this week's RSA conference in London was a talk by Christopher Novak of Verizon on the growing capability of hackers to disguise their traces. The ease of applying anti-forensics to cover tracks seems to be advancing very rapidly. It demands a step change in our approach to detecting and establishing evidence of criminal activities.

Almost nine out of ten cases are now believed to involve anti-forensics. And the software tools are developing rapidly. Techniques in everyday use involve data wiping; clock manipulation; overwriting or modification of audit logs; laying false trails; using foreign alphabet substitutions to disguise file names; encryption and steganography (data hiding).

Where is this leading? Well, it's already becoming almost impossible to detect the direct signs of a professional attack. Today's forensic expert needs to be much more of a Sherlock Holmes: looking for signs indicating a possible attack, rather than traces of the attack itself, spotting things like the dog that didn't bark in the night. We can also expect to see an escalating arms race between criminals and law enforcement. Future advances in techniques to hide data are likely to be pioneered by hackers, rather than governments or business. It's a fascinating, but scary, thought.   
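Three of the techniques listed above leave indirect traces that an investigator can look for, in the "dog that didn't bark" spirit: a file name that mixes alphabets or carries invisible formatting characters, an audit log whose sequence numbers have gaps, and a log whose timestamps run backwards against its write order. The following is an added example of those checks (my own illustration, not material from Christopher Novak's talk); the file names and log records are constructed, the Cyrillic letter and zero-width space standing in for the "foreign alphabet substitutions" the text mentions.

```python
import unicodedata
from datetime import datetime

# Constructed sample data: two ordinary names, one with a Cyrillic 'о' in place of Latin 'o',
# one with a zero-width space (U+200B) inserted before the extension.
FILENAMES = ["report.pdf", "invoice_2008.xls", "rep\u043ert.pdf", "notes\u200b.txt"]

# Constructed audit records as (sequence_number, timestamp). Entry 3 is missing and
# entry 4 is stamped earlier than the entry written before it.
AUDIT_RECORDS = [
    (1, "2008-10-30T09:00:00"),
    (2, "2008-10-30T09:05:00"),
    (4, "2008-10-30T08:58:00"),
    (5, "2008-10-30T09:10:00"),
]


def _scripts(name):
    """Coarse script family of each letter, taken from the first word of its Unicode name
    (e.g. 'LATIN SMALL LETTER A' -> 'LATIN', 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC')."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in name if ch.isalpha()}


def suspicious_filenames(filenames):
    """Return {filename: [reasons]} for names that mix scripts or contain format/control characters."""
    findings = {}
    for name in filenames:
        reasons = []
        scripts = _scripts(name)
        if len(scripts) > 1:
            reasons.append("mixed-script name: " + ", ".join(sorted(scripts)))
        for ch in name:
            # Cf = format characters (zero-width, bidi controls), Cc = C0/C1 control characters.
            if unicodedata.category(ch) in ("Cf", "Cc"):
                reasons.append(f"format/control character U+{ord(ch):04X}")
        if reasons:
            findings[name] = reasons
    return findings


def log_anomalies(records):
    """Two cheap signals of log tampering or clock manipulation.

    Returns (missing, backwards): sequence numbers absent from the observed range, and
    sequence numbers whose timestamp is earlier than every record written before them.
    """
    ordered = sorted(records)
    present = {seq for seq, _ in ordered}
    missing = [s for s in range(ordered[0][0], ordered[-1][0] + 1) if s not in present]
    backwards, high_water = [], None
    for seq, ts in ordered:
        t = datetime.fromisoformat(ts)
        if high_water is not None and t < high_water:
            backwards.append(seq)
        high_water = t if high_water is None else max(high_water, t)
    return missing, backwards


if __name__ == "__main__":
    for name, reasons in suspicious_filenames(FILENAMES).items():
        print(repr(name), "->", "; ".join(reasons))
    print("missing / backwards:", log_anomalies(AUDIT_RECORDS))
```

Neither check proves an attack on its own: a legitimately bilingual user will produce mixed-script names, and a clock that drifts or a daylight-saving change will produce a backwards timestamp. Their value is as triage signals that point the investigator at the places where the direct traces were probably removed.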

November 21, 2008

Global trends are not all bad

My postings have been a bit thin lately as I've been away on holiday, armoured only with an ASUS laptop loaded with open source software. In theory this should work fine. In practice, however, it seems to be a little incompatible with the blog software. Now I'm a great supporter of open source, but I feel it has some way to go. The software is great value but it doesn't always interface with other systems and devices without a lot of messing around. I have several USB devices, for example, that it fails to recognise. I'm sure I can get them all to work. But I shouldn't have to make the effort.

The change in perspective on returning from abroad is also interesting to observe: going from two weeks of sunshine and optimism in the Middle East to a gloomy, despondent Western outlook. A large part of this is media spin rather than actual substance. Take the article in today's Times, for example, which reports on a "frighteningly bleak" assessment by the US National Intelligence Council. Then read the real report: "Global Trends 2025: A Transformed World". It's an excellent, thoroughly researched analysis of the World in 2025. I judge it to be a positive assessment, presenting as many opportunities as threats.

The key thing with all forecasts is to use them wisely. As the foreword to the report puts it: "If you like where events seem to be headed, you may want to take timely action to preserve their positive trajectory. If you do not like where they appear to be going, you will have to develop and implement policies to change their trajectory." Let's hope that Barack Obama takes careful note of this excellent assessment.

December 24, 2008

Security Forecasts for 2008 - Right or Wrong?

I expect we'll all remember 2008 for the credit crunch. Not many saw it coming, and those that did could not have foreseen the depth of the financial meltdown. It was a classic case of a "black swan", a large, unexpected, disruptive event. The truth is that there might be many "givens" when forecasting the future, such as the strong likelihood that, in the long term, most of us will be healthier, richer and live longer. But there are also many nasty surprises along the way. 

What about my own forecast for information security in 2008? Did I get it right? Or did I fail to see the important developments?

December 29, 2008

Security Forecasts for 2009

It's the time of year to dust off the crystal ball, look ahead, and take the plunge at forecasting the key trends we can expect to encounter during the next twelve months. Here are my Top 5 predictions for 2009.

Fraud hits the roof - When times are hard, expectations low, and loyalties hit rock bottom, that's the time to expect an increase in fraud. In 2009, there will be more criminals, greater envy and increasing potential for insider cooperation. And at a time of increased financial scrutiny, companies will be more likely to detect frauds. Unfortunately, there's a growing shortfall of skilled resources available to investigate suspected white-collar crimes. And anti-forensics technology will be a major problem for any security investigator. 

Information warfare gets real - Global recession and increased commercial competition, coupled with a growth in national cyber defence capabilities will combine to create an itchy trigger finger, waiting to unleash latent information warfare capabilities. Governments will need to raise their diplomatic game to establish new protocols to limit the increasing power and economic damage from professional hacking, espionage and sabotage.    

Human factors top the agenda - For years, we've known that people are the major security issue, yet we've done surprisingly little about it. The result is that our security efforts in this area fall embarrassingly short of customer and citizen expectations. This year, we'll finally bite the bullet and belatedly put some effort and money into serious security awareness and behaviour change campaigns. Any organisations that fail to embrace the need for better security education for staff handling sensitive customer information will risk the outrage of the masses and the media.

Security gets outsourced - With shrinking levels of business demand and staff, many organisations will be forced to move to a variable cost basis for services, through outsourcing and Software-as-a-Service products. The market for security services is more mature than it used to be. You can outsource virtually anything today, though it would be dereliction of responsibility to farm out major decisions on security policy or risk management. And with increasing levels of outsourcing, managing the security of outsourced operations will become a growing challenge in itself. 

Brand management embraces security - When corporate reputation and confidence in brands begin to seriously impact sales, companies will look to their media relations and brand management functions to leverage revenue and profits. A simple root cause analysis will identify information security as a major differentiator. Security managers should introduce themselves to their in-house spin doctors before they look elsewhere for inspiration.

January 27, 2009

Virtual Shadows

Last night I attended the launch party for Karen Lawrence Öqvist's excellent book "Virtual Shadows: Your Privacy in the Information Society". This book is a recommended read: a well-written, up-to-date and balanced overview of the key trends and issues associated with privacy in the new information society.

Most interesting is Karen's perspective of a "transparent society", in which our behaviour is open to all, and no-one has a monopoly on other people's secrets. Whether we like it or not, this seems to be the best hope for a socially-networked community that is progressively sleepwalking into a lifestyle characterised by non-stop, pervasive surveillance.   

February 5, 2009

New funding for UK security research

It's good to hear that the Government's Technology Strategy Board (TSB) is inviting bids for £6 million of new research investment to develop solutions to address vulnerabilities in complex information systems. It's needed. Very little attention has been given to this area.

This type of research needs pump priming.  Over the last two decades, research carried out by IT users has disappeared and developments by technology vendors have become increasingly short term. Too much university research remains detached from business (just take a quick glance at an Elsevier publication). TSB funded projects help to fill this gap by bringing technology vendors and users together with academic researchers. Such initiatives would not happen by themselves.

The new money is earmarked for projects that will investigate how to reduce the security vulnerabilities of the complex information systems that underpin our digital world. It's a new area of research, and one of growing importance. The funding is supported by the Centre for the Protection of National Infrastructure and the Engineering and Physical Sciences Research Council. In the words of Andrew Tyrer of the Technology Strategy Board "Information is the lifeblood of our day to day existence. Our competition will seek to address what we consider to be one of the greatest challenges to the way we live and work".

What's also different about this competition is that it's designed to be much more accessible to SMEs and individuals. That's certainly a move in the right direction. Innovation is more likely to be found outside of the traditional research community. The competition opens on 16th March 2009, with an initial briefing day on 27th February. As a research enthusiast, I shall certainly be there, looking for opportunities to get involved.

April 17, 2009

Looking ahead to Infosecurity Europe 2009

This is the time of the year when many security professionals in the UK decide whether or not to attend the Infosecurity exhibition and conference in London, and if so which sessions to look out for. This year sees a move to a bigger venue (Earls Court) and includes an excellent free keynote programme that looks to be relevant, varied and interesting.

The first day has a strong political focus. That's important because, like it or not, politics will play a bigger role in the future governance of the Internet. And some of our politicians are getting very knowledgeable about the subject area. Watch out for surprisingly well-informed contributions from the Rt Hon. David Blunkett MP, Lord Erroll and the Rt Hon Alun Michael MP. This is the day to attend if you're focused on governance and want to catch up with the latest thinking about the emerging political, financial and legal landscape.

The second day is dominated by the Hall of Fame, which welcomes Paul Dorey, Dan Kaminsky, Whit Diffie, Phil Zimmermann and myself. Each of us will be talking on a different subject of our choice, and then joining an expert panel chaired by Professor Fred Piper. The subjects are wide-ranging, promising an interesting day of visionary thought. One common thread seems to be the need for change, suggesting an impending discontinuity in the solution space. This is the day to attend if you're focused on security strategy and are looking for a fresh perspective and insight into new solutions.

The final day has a broader agenda that builds on a few themes of the previous days and includes sessions on externalisation (i.e. de-perimeterisation) and corporate espionage. This is the day to attend if you're looking for more practical advice on security threats, architecture and management.

I shall be fairly busy myself, as I've, perhaps unwisely, agreed to take part in no fewer than five sessions, including a Hall of Fame keynote and expert panel, a security expert panel and a couple of security café sessions. In between I shall be looking out for old friends and interesting stands, the most notable being the irresistible attraction of the legendary and exclusive (invitation only) Portcullis Arms.

May 9, 2009

The Age of Integrity

Bruce Schneier's blog highlights reports of an alleged recent break-in by hackers to a Virginia State Web site used by pharmacists to track prescription drug abuse. The hackers were reported to have deleted records on more than 8 million patients and replaced the site's homepage with a ransom note demanding $10 million for the return of the records. Interestingly, the back-ups were reported to have also gone missing.

We can expect to see more of this type of incident. I've been pointing out for some years that security is about to enter a new phase. In fact it's the third and arguably the most significant phase of information security. I call it the "age of integrity". If you take a step back and consider those three pillars of information security - confidentiality, integrity and availability - you might notice that at any one time they don't have equal visibility. Consequently they don't receive the same degree of attention. In fact, there's a historical pattern to this, and it affects both the problem space and the solution space.  

Availability is the first thing people notice. Fallback and back-up were the focus of most commercial security functions back in the 1970s and 1980s. Only national security and retail banking organisations cared about confidentiality. Business continuity was the big thing when e-Business took off in the late 1990s. By the turn of the century, denial-of-service attacks were the most worrying threat to online services. But availability is easy to address; expensive perhaps, but easy just the same. You can quickly bring services back after an outage. You may have lost some business, but there's little permanent damage.

Confidentiality is the second strand that security managers address. Ten years ago, you couldn't sell laptop encryption. Now everyone's buying it. In fact people have been stealing and losing laptops for years, but we've only just become paranoid about it, even though a loss of confidentiality is much, much scarier than a service outage. Even a single data breach can cause massive reputation damage, generating citizen outrage on an unprecedented scale.

Now consider a loss of integrity. It's the last thing that security managers think about, but by far the scariest. Whether the cause is deliberate or accidental, it undermines business confidence. In the most extreme cases it can permanently reduce the value of the data and business services. But even small amounts of damage can be hard to recover from, especially if you don't know the extent of the damage. And we're all vulnerable to this risk.

In fact data integrity is where confidentiality was five years ago. It will take a few more years to emerge as by far the biggest threat to future business. But it will arrive with a vengeance. Just as confidentiality was not taken seriously prior to the TK Maxx and HMRC data breaches, so data integrity will not be addressed until a big incident highlights the danger. It's a ticking time-bomb waiting to explode.
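The hardest part of an integrity incident, as the post says, is not knowing the extent of the damage. Here is an added example (my own, not from the post or from any product it mentions) of the basic control that bounds that uncertainty: a keyed tag per record, chained to the previous record's tag, with the final "head" tag kept away from the data. Editing a record shows up at that record's own index; deleting a record from the middle shows up at the index that followed it; cutting records off the end shows up as a head mismatch. The records and key are constructed for the demonstration, and the assumption is that the key and head live on a system the attacker who reaches the database does not control.

```python
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32  # chain anchor for the first record

# Constructed demo key and records (never hard-code a real key like this).
KEY = b"constructed-demo-key-not-for-production"
RECORDS = [
    {"id": 1, "patient": "P001", "drug": "drug-A", "qty": 30},
    {"id": 2, "patient": "P002", "drug": "drug-B", "qty": 60},
    {"id": 3, "patient": "P003", "drug": "drug-A", "qty": 10},
    {"id": 4, "patient": "P004", "drug": "drug-C", "qty": 90},
    {"id": 5, "patient": "P005", "drug": "drug-B", "qty": 20},
]


def _tag(key, record, prev_tag):
    """HMAC-SHA256 over the previous tag and a canonical JSON encoding of the record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag + body, hashlib.sha256).digest()


def protect(key, records):
    """Return (ledger, head): ledger is a list of (record, tag_hex); head is the last tag,
    to be stored out of band (with the backups, or on a separate system)."""
    ledger, prev = [], GENESIS
    for rec in records:
        prev = _tag(key, rec, prev)
        ledger.append((rec, prev.hex()))
    return ledger, prev.hex()


def verify(key, ledger, head):
    """Recompute each tag, chaining from the *stored* tag of the previous record.

    Chaining from the stored rather than the recomputed tag localises the findings: an
    edited record fails at its own index only, and a deleted record makes the record that
    followed it fail. A head mismatch means the tail was removed or the ledger replaced.
    """
    mismatched, prev = [], GENESIS
    for i, (rec, tag_hex) in enumerate(ledger):
        stored = bytes.fromhex(tag_hex)
        if not hmac.compare_digest(_tag(key, rec, prev), stored):
            mismatched.append(i)
        prev = stored
    return {"mismatched": mismatched, "head_ok": hmac.compare_digest(prev.hex(), head)}


def demo():
    """Run the verifier over an intact ledger and three constructed tampering scenarios."""
    ledger, head = protect(KEY, RECORDS)
    edited = [(dict(r, qty=999) if i == 2 else r, t) for i, (r, t) in enumerate(ledger)]
    deleted = ledger[:3] + ledger[4:]   # record at index 3 removed
    truncated = ledger[:-2]             # last two records removed
    return {
        "clean": verify(KEY, ledger, head),
        "edited": verify(KEY, edited, head),
        "deleted": verify(KEY, deleted, head),
        "truncated": verify(KEY, truncated, head),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:10s} {result}")
```

The point of the design is the size of the answer it gives after an incident: instead of "some unknown subset of 8 million records may be wrong", the verifier yields a list of indexes to restore and a yes/no on whether the tail is intact. It detects, it does not prevent; what it cannot do is recover the data, which is why the backups and the head tag have to be held where the same attacker cannot delete them.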

May 15, 2009

Towards a world of illusion

Each week we get closer to a business and social cyberspace dominated by spin, FUD and disinformation. It's an inevitable consequence of the power of large-scale information and social networks.

Recent incidents confirm this trend. The latest one, reported in The Register, is a viral infection that redirects Google search results. The goal of the malware appears to be an attempt to siphon money away from Google's highly profitable advertising franchises. It's a sign of the times. Just imagine what we'll be seeing a decade from now.

June 10, 2009

Where's the next security breakthrough?

The BBC News website has an interview with Sir Tim Berners-Lee on the future of the Internet. When asked what the future of the Web would look like, he replies that if all the things that he can imagine happening were to come to pass, we would have failed, because we need the creativity of people thinking about new sorts of data and how they might use it.

That comment applies even more to information security. If we rely on no more than our current set of ideas, we'll all be doomed to an insecure cyber world of crime, paranoia and missed opportunities. More of the same is not good enough. Security needs periodic, breakthrough technologies. One or two of these tend to emerge every decade. In the past we've benefited from public key cryptography, anti-virus scanners, firewalls and intrusion detection. But most of these break down over time. So where's the next silver bullet?

June 18, 2009

The next big thing

Reed Exhibitions have published a series of podcasts recorded by Hall of Fame speakers at this year's Infosecurity Europe. The subject was "the next big issue in security".

Mine was on data integrity, or rather the lack of it. It's a widespread exposure which I expect will soon become visible to all, though it's still below the radar of most organisations. If you thought confidentiality was a tough problem to address, just wait until you try responding to attacks on data integrity.

July 13, 2009

Security in the clouds

We've seen a fair bit of media coverage over the last week about the launch of Google's new Chrome operating system, and how this will herald a new era of cloud computing. One thing that's interesting is the fact that the jury is still out on the security implications of cloud computing. On the one hand we've already had a few doomsayers predicting a terrorist disaster. And on the other hand we have observers such as Bruce Schneier reassuring us that we have little to fear from the odd outage of e-commerce sites. Where does the truth lie?

The reality is that there is no one technology solution that will sweep across the business sector. Cloud computing can be implemented in-house as well as in external clouds. And secure, private implementations will undoubtedly appear to appeal to security-minded enterprises. It will certainly not be a rapid take-up. Legacy applications are difficult to eradicate. But let's be honest. A lot of cloud computing applications will be implemented by business units well before security managers have assessed the risks and identified the range of solutions that are necessary to mitigate them.

Security always lags behind the situation on the ground. In the case of cloud computing, however, the business risks of vendor lock-in or bankruptcy are probably more significant than the security risks, at least in the shorter term. But do not underestimate the longer term implications. Because however you implement it, cloud computing will result in a substantial loss of direct control over the management of systems and infrastructure, and, more than likely, create a fresh set of single points of failure. As Bill Gates himself once observed, we tend to overstate what will happen in the next few years and underestimate what will happen in the next ten.

July 17, 2009

Information security at the crossroads

Infosecurity have added a few more experts to their list of guest bloggers, including Howard Schmidt and myself. I've just posted a short article on the current status of information security entitled Information security at the crossroads. It's worth checking out.

September 15, 2009

The power of social networks

If your boss or your colleagues still don't get the importance of social networks, then it's worth directing them to Erik Qualman's compelling social media revolution YouTube video. Security has to evolve to understand and exploit this tremendously powerful communications channel.

By the way, I picked up this link from Ian Cook's excellent Team Cymru Security News service, which is well worth subscribing to as long as you don't mind receiving several dozen informative emails a day.

September 21, 2009

The soft underbelly of big business

This article from the Scotsman newspaper illustrates an inevitable and worrying trend: the targeting of smaller enterprises by professional criminals.

Most small and medium enterprises lack the security capability and secure posture that we expect to find in larger organisations. Yet many handle sensitive customer information. This situation is not surprising. But neither is it acceptable.

Small and medium enterprises are the soft underbelly of large companies and government bodies. We need to do a lot more to bring this sector up to speed. 

November 6, 2009

Towards the paperless office

A few weeks ago I reported that I could sense a new, much more determined mood across the UK business community to embrace electronic channels to overcome the postal strike. You can really see the aspiration in the eyes of sales executives to turn a major disaster into a business opportunity. So what has the response been so far?

My contacts in Mimecast, a leading vendor of cloud-based email security services, tell me that they noted a 20% increase in the volume of email on the first day of the Royal Mail postal strike. In fact they've seen this level of increase before during previous strikes. So is this just a routine knee-jerk reaction? Or is it something different?

In fact I believe we've hit a tipping point. Things are different this time around. One of the main characteristics of tipping points, as articulated by Malcolm Gladwell in his groundbreaking book on the subject, is the 'power of context', the particular conditions and circumstances of the time and place.

In this case we have several factors coming together. Firstly, there is a greater recognition that electronic channels are now the norm, rather than the exception, for many forms of business. Secondly, there are now plenty of easy-to-implement security products to help companies make the transition from snail mail to secure email. And thirdly there is less fear of deploying complex technologies such as encryption to solve business problems.

But above all, there is a new confidence that a paperless business environment is now a viable, as well as a desirable, objective. Years ago, we used to joke that the paperless office would come after the paperless toilet. Perhaps we were mistaken...

About Future Trends

This page contains an archive of all entries posted to David Lacey's IT Security Blog in the Future Trends category. They are listed from oldest to newest.
