The current hype in support of additional US and UK government spend on cybersecurity has prompted me to return to my "Warlords versus Merchants" theme. It is not that I believe Governments should not spend more on cybersecurity. It is that I believe they should begin by listening to those who have been under more sophisticated attack for longer. They should begin by listening to the banks and the on-line gaming companies - because that is where the money is. In parallel they should listen to the pharmaceutical companies - because sophisticated attacks to steal their IPR have also been going on since they first started using on-line communications - well before the rise of the Internet.
I take the Chatham House Rule seriously. It is common for speakers to be allowed to release their own comments but I will not say where I have delivered the script that follows, who my audiences have been or their reactions. Suffice it to say that I have been asked for repeat performances for a variety of high-level audiences because the discussion that follows helps us make sense of some very muddled debates.
Warlords versus Merchants
Towards a Competitive, Secure, Inclusive and Accountable Information Society
"I have been piggy-in-the-middle between politicians and IT professionals for over thirty years trying to help them understand each other. IT professionals understand politics even less than politicians understand IT and are considerably less willing to listen. My role has therefore included throwing rocks into stinky pools to stimulate discussion.
That has to come to an end shortly because I may well be a policy gatekeeper again next year. This may therefore be one of my last opportunities to enjoy playing Devil's Advocate.
Warlords versus Merchants
v 5000 years of misunderstanding
v Perceptions of Risk
v Liability and trust
v Process versus response
v What does success look like?
v Towards a symbiotic relationship
I plan to make six main points in my introduction to discussion.
The first is that the differences in attitude between Governments and the Private Sector towards responsibility, liability, trust and the security of their subjects and customers go back to the contrast between the City States of Ancient Sumeria and the Divine Dictatorships of the Egyptian Pharaohs.
My second is about the very different assessment and prioritisation of risk made by the state and its subjects.
My third is about attitudes to liability and trust. Can you trust those who do not accept liability for their actions, whether they claim privilege of clergy, crown immunity or innocent carrier status under the European e-commerce directive?
That leads in to the difference between Government and regulatory attempts to mandate enduring processes and the efforts of industry and commerce to find effective responses to changing and evolving problems.
I am more interested in finding solutions than admiring problems but first we have to define what "success" looks like, given that we are dealing with problems that go back to the dawn of civilisation; the only real difference is that they are now on-line and we have to automate our responses to handle speed, volume and variety.
My final point is that the rulers of Babylon found the answers when they adapted the laws of Sumeria for a trading empire at the cross-roads of Africa and Asia, Europe and India. The Jewish Kings and the Roman Emperors lost them. We found them again in 1688 but lost them in the aftermath of the Indian Mutiny. Now we have to relearn them because we have lost both empire and industry, are imperilling our status as a global training hub, have spent our inheritance and mortgaged the future and must once more earn a living.
Into the 5th Millennium of Misunderstanding
Sumeria v. Egypt - Citizen versus Subject
Philip IV v. the Templars - State versus Global Bankers
The Glorious Revolution of 1688 - A Trading Empire
Global Trading Networks v. Steam Age Nation States
The "Misunderstandings" migrate into Cyberspace
So, back 5000 years and a quick romp through history.
In Ancient Sumeria the laws were given by God and applied to the rulers of the early cities along the Euphrates as much as to the merchants trading between them and across the deserts, east, west and north. In Egypt the Pharaohs were themselves Gods, controlled the whole of the Nile and the Oases within trading reach and had natural barriers to going much further.
The laws of Sumeria have come down to us via Babylon and the global trading networks of the Jews, Muslims and Hindus and are the intellectual basis of correspondence banking. The attitudes of the Pharaohs can also be seen throughout history from Roman Emperors and the Divine Right of Kings to the "Powers of the Executive" as reinvented by the Home Office for the Cold War and today for the wars against terrorists and hackers.
The conventions that underpin international trade go back to when the captain of the boat travelling down the Euphrates, through the Straits of Hormuz and across to India, or the camel train making its long route North and East to China, was agent for those whose goods he carried.
When Philip IV of France attacked the Knights Templar, who ran a correspondence banking system that had grown rich from funding the Crusades, he expected to find heaps of gold, not mounds of coded paper. The governments of today have no more real understanding of how global finance works, regarding its practitioners as traitors and usurers when they are not wooing them as cash cows.
Fast forward to 1688, when the merchants of London organised the replacement of a Monarch who believed in the Divine Right of Kings and had camped an Army on Blackheath to enforce his will. My oath of loyalty as a freeman of the City requires me to tell the Lord Mayor of any plot against the Monarch - just in case it has the support of my peers in London and they have not already told me.
For around two hundred years Britain managed to combine the best of both traditions, with a constitutional monarchy. Then came the rise of the Nation State, a creation of the railway age which also ushered in the age of world wars and of genocide.
Today the nation states of the West are once again trying to blame their profligacy on bankers and to impose local and regional regulation on the global world of cyberspace.
But power has migrated South and East from the Sovereign Wealth funds of the oil and gas exporters to the economic powerhouses of China, India and Brazil.
The rules that determine how business can operate are no longer made in Westminster and Whitehall, if they ever were. They emerge from conference rooms in Seattle, Stanford, San Francisco and Singapore, in the City of London and Canary Wharf, or in the two Cambridges, Fenland Cambridge and New England Cambridge. They are then negotiated with officials in Beijing, Brussels and Sacramento, because where California leads the rest of the United States, including Washington, follows. Finally they are ratified by national legislatures, whose politicians spend time arguing over status and small print because they are usually powerless to change anything that matters.
Claims that actions are essential for reasons of national security can be seen as a last-ditch attempt by the semi-hereditary bureaucracies that govern most nation states to retain power, but their actions often increase, rather than decrease, the risks to the rest of us.
Perceptions of Risk
· Insiders: CEO, compliance, help desk, cleaners
· Digititis (finger trouble), upgrades and maintenance
· Mother Nature: storm, flood, flu
· Accident: fire, explosion, excavation
· Theft: cables, equipment, identities, data
So what are the real risks?
The most certain is that of being put out of business by overseas competitors who are not hampered by the same regulatory and fiscal overheads.
Next comes putting a marketing man in charge of a bank.
When we look at insider risk we should begin with the over-ambitious chief executive, whether it be Enron or Royal Bank of Scotland. Then come those who can cross the Chinese walls within the organisation, particularly the compliance officers and the help desk staff. Put them in contact with some of the night-time cleaners and you can gut almost any organisation.
More systems crash, more seriously and for longer during supposedly routine maintenance to install security upgrades than are brought down by denial of service attacks.
We have a much gentler climate than most of the world, hence the havoc caused by a little snow or heavier than average rain. The recent West Country floods came within inches of collapsing large parts of the UK infrastructure for months, perhaps years.
I was recently told that around 20% of major network failures are caused by unplanned excavation, as when a zealous JCB operator working on the M11 cut 14 of the 15 national fibre networks linking London and Cambridge, leaving only the routes via Birmingham and Amsterdam. The direct links between Europe and India were severed one night, supposedly by a single ship's anchor, even though they were, equally supposedly, hundreds of yards apart.
Finally we have theft, the second most common cause of network failure: some-one nicked the cables carrying the traffic, or the power supply, or the switches, to sell on the global black market. There is a lot of publicity for the theft of data and identities by outside hackers but most goes out with the help of insiders.
What this says is that most of the £5 billion or so a year spent on securing information systems against outsiders is wasted. We should be spending it on removing vulnerabilities instead.
Liability and Trust
v The dimensions of trust
v I'd trust him with my life but not my wife
v Trust is earned not claimed
v Family, Tribe, Community, Religion
v Contract, Notaries, Scriveners
v Crown immunity = untrustworthy
My chairman, Lord Erroll, is a professional information security consultant. I have on occasion introduced him as the only person genetically cleared to draw arms in the presence of a Head of State. As 28th Hereditary High Constable of Scotland he is supposedly responsible for the Queen's bodyguard north of the border, as well as for looking after the country in her absence.
He has suggested that our employment and equalities legislation are incompatible with good security practice. If security matters, and we should remember that usually it does not, we should be allowed to hire who we trust (regardless of their criminal record) and sack them when we cease to trust them, whether or not we have solid evidence.
I will not go through all the points on this slide but would remind you of the role of the Scriveners. They have a global monopoly on authenticating which version of which translation of which contract, signed by whom, applies to this dispute. They began their transition to the on-line world over a century ago with cable authentications. The huff and puff about trust in digital signatures and communications is from those who think the issues are new and that they and their peers are worthy of trust without taking unlimited liability, like a London Scrivener, or even a million pounds of liability, like a High Street Notary.
That leads into the question of why anyone should trust some-one who takes no responsibility for their actions. Sovereign immunity is the cry of the warlords through the ages. It is why no-one trusts a government issued credential for more than a trivial transaction. It is why they are used only because of legal flummery, such as the "know your customer" rules that prevent you from changing banks when pissed off by poor service.
Process versus Response
v Kafka versus Sergeant Bilko
v Best practice is the enemy of adequate practice
v Security by Design as opposed to Afterthought
v The myth of optimisation
v Sergeant Bilko v. Kafka
One of the slides I am not using today covers the jungle of UK and European legislation that compels or forbids data retention and sharing according to how many angels there are on the head of a regulatory pin, or according to which official you do not trust has which piece of authorisation that may or may not be genuine. We put the dilemma more politely at the top of the second page of the prospectus for the new EURIM policy studies which I have given you. It is, however, the reason that study has struck a chord with those for whom regulatory overheads are not just costing billions; they are opening up many more vulnerabilities than they close.
Similarly, attempts to impose supposed best practice force staff to work round security processes in order to meet legitimate business and customer needs, or even to care for the sick or vulnerable. Lower down on page 2 you will find a link to the EURIM work on Security by Design or by default. It must be quicker and easier to do it the secure way than to work round.
A quick word on the myth of optimisation: in a time of change that which is optimal today is by definition sub-optimal tomorrow. That which is designed to serve the average resident of the United Kingdom has been designed for a 35-year-old hermaphrodite with one breast and one testicle, living just north of Watford Gap with a mix of earnings and benefits totalling about £22,000. I.e. it is probably unfit for most of us.
I am therefore firmly on the side of Sergeant Bilko and his progenitors through the ages.
What does success look like?
v Market Share
v Security is not enough
Where the world wants to live and do business
I want to leave plenty of time for discussion so I will cut to the last point on this slide.
Success is making the UK the best place to live, work and do business. Security is a part of that, but who wants to live in the 2012 equivalent of 1984, stuck in a traffic jam while the limousines of the Olympic family cruise past and Britain is a muggers' paradise because the police are on-line or on anti-terrorist or crowd control duty?
Towards symbiotic relationships
v The Machiavellian Democracy
v Merchants and Warlords working together
v Trained volunteers alongside professional cadres
v Regulatory rationalisation
v Democratic Accountability
v Local, National, Regional, Global
How many of you have read Machiavelli's The Prince?
How many of you have even heard of his Discourses on Livy?
The Discourses were his attempt to describe the ideal state, in which the Warlord, the Prince, works in harmony with his citizens - and a volunteer army, rather than full time mercenaries, protects them both.
From 2003 onwards I led a study team looking at the challenges of organising partnership policing in a world where the private sector was spending billions on electronic security while government and law enforcement were spending millions.
Last year the UK Government announced £650 million extra over four years to top up an estimated £600 million a year of departmental spend, including by Defence and the Security Services. That is less than the annual information security spend of a single UK-based global bank.
Just over eleven years ago when the Love Bug struck, the FBI boasted that they had 400 trained agents working on it inside 48 hours. In fact they had 40 FBI staff making coffee and processing paperwork for 400 staff from IBM, EDS and others, most of whose managers had "reserve" military, agency or law enforcement ranks and status (from Lieutenant Generals and Rear Admirals down) and had been slotted into existing command structures.
In the last of the six reports of the EURIM - ippr study into Partnership Policing for the Information Society, published in 2005 we recommended that the UK adopt such a strategy as the only affordable way of rising to the challenge. After we won the Olympics for next year I started writing about it providing the perfect catalyst for such a change - building on existing UK models, from the relevant Royal Signals Territorial unit to limited warrant Special Constables.
The clock is ticking. On page three of the prospectus you will find what we and others are already doing to help, the most important current activity being that on skills. But the most interesting and difficult area is that of accountability.
You are in charge of the duty watch of a CERT, computer emergency response team, in the middle of the night and an attempt is being made to take the local national reserve bank off air. You and your colleagues around the world take immediate action and see off the attack inside 15 minutes but in doing so cause several hours' chaos over the Internet. Do you report what you have done and get fired because of the laws you have broken and the civil liabilities you have incurred without consulting your employers, or do you leave the world to think the World Wide Wait had yet another hiccup?
This meeting is under the Chatham House rule. Over the years several such attacks on core parts of the financial services industry have been seen off. One of my personal dilemmas is whether any attempt to resolve the issues of democratic accountability would do more harm than good - bearing in mind that the bad guys can afford to spend more on clever lawyers than the good guys.
My remit this morning was to stimulate discussion so I will stop there."
Tomorrow I begin a series of meetings on how to make a reality of merchant-led policy in a world where "industry-led policy" is commonly seen as a euphemism for "the wet dreams of the security suppliers to government". I aim to begin by trying to persuade suppliers that they will make more profit by listening to the merchants - because the latter have bigger budgets - provided there is a genuine business case.
I can already hear the complaints from those crying "what about the consumer interest?" etc. I reply that provided market forces are allowed to work, merchants make money by selling consumers what they are willing to pay for. We therefore need to focus on removing the obstacles to allowing market forces to work.
And to those academics who say we need more research into security and identity technologies and/or "experts" in civil liberties, data protection etc. to help protect consumers from making ill-informed choices ... I think "death to the tyranny of the intellectuals" (I cannot remember the original Catalan for the slogan).
I am, however, also looking at how to get industry to sponsor Masters Students to look at the more interesting problems in this area - as a way of breaking free from disciplinary strait-jackets and getting fresh thinking across cultural and organisational boundaries.
And if you accuse me of being muddled and inconsistent in my approach to academics and intellectuals (or of being an academic at heart) ... I plead guilty and say "when was inconsistency considered a sin or consistency a virtue?"