Today is the start of Get Safe On-line Week and I was intrigued to read that the top Cyber Story in the Technical press is that Indonesia has overtaken China as the main source of cyberattacks. I assume this reflects attacks being routed via Bali in order to exploit the circuits put in to support the forthcoming Internet Governance Forum that will make or break the future of the Internet as an open and evolving network of networks.
Over the years I have seen reports of various exercises which attempted to go behind the nominal routing information to idenitify the sources and targets of attacks. One of the most credible said that over 80% of the Chinese malware was targetted internally, often to rig on-line games. Another indicated that a major source was Texas, which had overtaken Florida and was, at least for a period in early 2012, the largest source of attacks in the world (accounting for more than the rest of North America).
A few months ago the Texas Governor approved legislation blocking police access to stored communication data without a warrent thus making it more attractive as a base for malware operations, including those of major US defence contractors not yet exposed by Edward Snowden and others. Last week the Governor of California blocked similar legislation for the third time . California is home of the US film industry whose attempts to track and trace supposedly anonymous and untraceable traffic are finally beginning to bear fruit with $100 million dollar “out of court” settlements against pirates and those who aid and abet them.
However, we tend to forget the UK contribution.
Some years ago police investigating a leak of data from a mobile phone company call centre are said to have stumbled across an operation in Hampshire with “desks” controlling operations in a variety of locations around the world. None of them was targetted against the UK – so no action was taken, other than on the UK offence being investigated. Shortly afterwards I was told that most of the supposedly Ukrainian and Turkish operations were controlled from a couple of Internet cafes in Marylebone – because London was where the money was laundered. There are periodic allegations that supposedly Far Eastern operations are headquartered in Manchester, birthplace of the UK civilian IT industry (Alan Turing and colleagues had moved there from Bletchley Park and the National Physical Laboratory).
Hypocrisy regarding the debate over e-crime and cyber-security is not confined to the positions taken by the Guardian and the civil liberties lobbyists of the West. Global co-operation in the fight to rebuild confidence in the on-line world, as a safe place to buy, sell, learn and play, involves setting our own house in order, not just patronising the developing world. Hence also the importance of taking “awareness” rather more seriously as something for ourselves, not just others.
The Daily Mail carries a story today warning about using weak passwords, but I suspect that using your pets name is safer than sticking Post IT notes on the screen or carrying pieces of paper or a notebooks with codes that you cannot remember. But is it more important to give IT professionals the “awareness” to produce “secure by design” systems which poll the trusted computing module in your PC, laptop or mobile to also check that it is a device you normally use and the location (if it is a mobile) is credible?
On Friday, the last day of Get Safe On-line week, I am due to chair a Digital Policy Alliance meeting to agree draft “awareness” material for main boards and those setting marketing and security policies and budgets with that very objective. It will be accompanied by supporting material for those in charge of procurement and delivery. The next step will be to send it out for peer review. Subject to the agreement of the participants in the group I plan to devote a blog entry to the one page “Director’s summary” and invitation to participate in the follow up.
Whinging is not enough. It is time to act.