Why are our systems so vulnerable: the cybersecurity bandwagon

My inbox has recently been full of invitations to cybersecurity events, albeit those targeted at public sector users use the words “information assurance” and those targeted at the private sector use the words “information security”. “Data protection” is passé, except among lawyers and compliance officers. Meanwhile international action against the e-crime industry has finally begun, leading to sharp drops in spam and malware for a fortnight or so while the “dark markets” reconfigure and re-establish control of leaderless botnets and mule teams after their herders have been taken out. We are even seeing the beginning of action to clean up the Internet addressing system to reduce opportunities for fraud and impersonation. But most of those bidding for the newly available government cybersecurity budgets appear stuck in a time-warp.

Most conferences still conclude with recommendations that are remarkably akin to those in the 2002 paper, “e–Crime: a new opportunity for partnership”. Most of the 69 recommendations in the six main papers produced over five years ago in the EURIM-ippr study into “Partnership Policing in the Information Society” have not yet been properly actioned. We have Get Safe On-line, the Fraud Authority, CEOP, PCEU, OCSIA, CSOC and a whole alphabet soup of other initiatives competing for attention and funds – but nowhere near enough co-operation across law enforcement boundaries, let alone between law enforcement and industry, users as well as suppliers.

The Conservative e-Crime policy as announced by David Davis when he was Shadow Home Secretary also called for the response of government and law enforcement to be brought together in partnership, as recommended in the EURIM-ippr study, with industry – who would be expected to contribute most of the effort and expertise. We can now see Ministers trying to implement that policy.

Will their efforts be helped or hindered by defence contractors bidding for the £650 million diverted from high tech hardware and battlefield training technology to cybersecurity? We have just seen one of the UK’s main security training operations closed and the staff dispersed with the cancellation of an MoD contract on which it had spent over £30 million in bidding costs. Is that a problem or an opportunity? At the same time MoD has cancelled the FACTIS framework contract “to save money”. Ditto.

Perhaps more worrying is the view among defence contractors that 80% of spend should be on organisation-wide information assurance, with most of the rest on top-end security and a fraction on developing resilience for when things go wrong.

The message from the Information Society Alliance (EURIM) work on Security by Design is that we can no longer afford such an inefficient, wasteful and potentially disastrous approach. We should be focussing on risk reduction strategies to remove the vulnerabilities. For example, if SCADA systems are so vulnerable why do they need to be permanently on-line to the Internet (whether public or via VPNs)? Why is the exploitation of low-cost, trusted computing technologies like that of WAVE not commonplace?

Is the real reason for the focus on information assurance rather than vulnerability reduction and predator removal because these could put at risk the multi-billion pound cybersecurity sticking plaster industry?

P.S. I enjoyed reading Andrea Simmons’ blog on the launch of Get Safe On-line week. She, like myself, is a great fan of GSOL. But why do so many mouth words of support while launching yet more awareness initiatives? We should be trying to get GSOL to critical mass, giving it the resources to remedy its weaknesses. I will say more on this when the work of the Information Society Alliance on Cybersecurity Skills is ready for announcement.