Presentation to OECD project group on Global Risk. Expanded version presented to British Computer Society, Deutsche Bank and University of Southern Denmark.

1. Cyber(in)security:
systemic risks and
responses
Dr Ian Brown
Oxford University

3. Non-systemic risks
 Cyber graffiti: defacement of Web sites for
propaganda and bragging
 Cyber fraud: so far largely containable within
financial system (low $bns)
 “Terrorists get better returns from much
simpler methods such as car bombs. Cyber
terror is too low key: not enough dead bodies
result, and attacks are too complex to plan
and execute.” (Dr Juliette Bird, NATO)

4. Cybercriminals and “patriots”
 Market participants -
custom virus writers,
bot herders, mafias
 Nation state attacks
(Estonia, Georgia) –
how far were “patriotic
hackers” coordinated
by state?

5. “Pure” cyber war
“The ‘Korean’ cyber incidents … were annoying and for some
agencies, embarrassing, but there was no violence or
destruction... Cybercrime does not rise to the level of an act of
war, even when there is state complicity, nor does espionage –
[which] are the activities that currently dominate cyber
conflict... Estonia and Georgia … came under limited cyber attack
as part of larger conflicts with Russia, but in neither case were
there casualties, loss of territory, destruction, or serious
disruption of critical services. ” (Lewis, 2009: 2—3).
“At best, these operations can confuse and frustrate operators of
military systems, and then only temporarily. Thus, cyberwar can
only be a support function for other elements of warfare” (Libicki,
2009: xiv—xv)

6. Cyber espionage/sabotage
 TITAN RAIN: Incursions into DoD,
German chancellory, Whitehall,
NASA, Lockheed Martin…
 Google attack aimed at “high-tech
information to jump-start China's
economy and the political
information to ensure the survival of
the regime” –James Lewis
 “[I] listened and lip-synced to Lady
Gaga’s ‘Telephone’ while exfiltrating
possibly the largest data spillage in
American history” -SPC Bradley
Manning
 Stuxnet/Flame/DuQu

7. US offensive operations
 231 offensive ops in 2011 – “to manipulate,
disrupt, deny, degrade, or destroy information
resident in computers or computer networks, or
the computers and networks themselves”
 $652m project GENIE to place tens of thousands
of “covert implants” each year in computers,
routers & firewalls – through equipment
interception, access, and hacking (TAO)
 TURBINE can manage millions of implants for
intelligence gathering and active attack

8. Implants in the supply chain

9. NSA/CIA/FBI/DoD Trusted
Partners
 Bloomberg 14/6/13: “Thousands of technology,
finance and manufacturing companies are
working closely with U.S. national security
agencies, providing sensitive information and in
return receiving benefits that include access to
classified intelligence”
 “Some U.S. telecommunications companies
willingly provide intelligence agencies with access
to facilities and data offshore that would require a
judge’s order if it were done in the U.S.”

10. NSA partners

11. How can the democracies…
 Design and execute strategic responses
that carefully target threats, avoiding
where possible tactical arms races?
 Get the best return on their security
investment?
 Enhance the soft power potential of the
Internet as a platform for democracy?

12. Strategic goals
 Availability & integrity of critical services (CNI)
 Protection of confidential information
 Manageable levels of fraud
 …all in cost-effective form, where costs include
inconvenience, enhancement of fear, negative
economic impacts & reduction of liberties (John
Mueller, The quixotic quest for invulnerability,
2008)

16. Counter-terrorism and mass
surveillance
 ~5000 Americans surveilled under Presidential Surveillance
Programme 2001-2005; led to <10 warrants per year
 “[T]here is not a consensus within the relevant scientific
community nor on the committee regarding whether any
behavioral surveillance … techniques are ready for use at all
in the counterterrorist context”; –US National Research
Council (2008) p.4
 “Fifty-four times this and the other program stopped and
thwarted terrorist attacks both here and in Europe—saving
real lives” -Rep. Mike Rogers
 Bulk phone record access “has not played a significant role
in preventing any terrorist attacks to this point” -Former
Acting CIA Director Mike Morrell to US Senate Judiciary
Committee

17. Reducing systemic risk
 Isolate critical systems from public
Internet and each other, and set much
higher security standards
 Enhance risk management, robustness
and continuity planning in Critical
National Infrastructure systems
 Use Content Distribution Networks and
other load balancing systems to increase
performance and resilience of public-
facing systems

18. Redistributing liability
 ENISA and UK House of Lords S&T Committee:
should liability be shifted to some combination
of software vendors, ISPs and financial
institutions?
 Most software licences disclaim all liability
 Intended to incentivise much more secure
system engineering (e.g. least-privilege
processes, enforced by formally verified security
kernel)

19. Conclusions
 Security interventions need to be carefully
targeted to minimise costs and maximise long-
term RoI
 Reducing vulnerabilities and increasing
availability is key long-term security response
 Liability redistribution is mechanism to force key
actors to internalise external costs
 New mechanisms needed for verification of
security properties of systems

20. Better security engineering
 Least-privilege processes, enforced by formally
verified security kernel
 Verification of device security before providing
network connectivity
 Two-factor authentication
 Full Disk Encryption esp. for removable media
 Perimeter controls to block sensitive data
exfiltration
 Air-gap most sensitive systems eg SCADA;
separate public-facing websites from internal
systems

21. Cross-government action
 Fund security R&D with INFOSEC agency
participation
 Use procurement, licensing and standardisation
power to require significantly higher security
standards in systems and services
 Use diplomacy to pressure state actors behind
Russian Business Network, DDoS attacks,
classified network incursions etc.

22. Costs of
cybercrime
Ross Anderson, Chris Barton, Rainer
Bohme, Richard Clayton, Michel J.G.̈
van Eeten, Michael Levi, Tyler
Moore, Stefan Savage (2012)
Measuring the Cost of Cybercrime,
Workshop on the Economics of
Information Security:
•“while terrorists try to be annoying as
possible, fraudsters are quite the opposite
and try to minimise the probability that they
will be the targets of effective enforcement
action.” (p.26)
•“we should perhaps spend less in
anticipation of computer crime (on antivirus,
firewalls etc.) but we should certainly spend
an awful lot more on catching and punishing
the perpetrators.” (p.26)
•“cybercrime is now the typical volume
property crime in the UK, and the case for
more vigorous policing is stronger than
ever.” (p.26)

23. Strategic impact
 Do security systems support or subvert the emergence of
democracy in authoritarian states?
 Do systems damage the values the “war on terror” is supposed
to be defending, e.g. by censoring websites or undertaking
warrantless wiretaps?
 “Techniques that look at people's behavior to predict terrorist
intent are so far from reaching the level of accuracy that's
necessary that I see them as nothing but civil liberty infringement
engines.” –Jeff Jonas, Chief Scientist, IBM Entity Analytics

24. Techie mumbo-jumbo
 Distributed Denial of Service (DDoS)
 Botnets (Secure Computing estimated
150k new zombies per day Q2 2008)
 Phishing (spear, rock), pharming
 … generally we already see a strong
response from CERTS, vendors, ISPs

25. EU Charter of Fundamental Rights
 Art. 7: Everyone has the right to respect for his or
her private and family life, home and
communications.
 Art. 8: Everyone has the right to the protection of
personal data concerning him or her.
 Art. 10: Everyone has the right to freedom of
thought, conscience and religion.
 Art. 11: Everyone has the right to … receive and
impart information and ideas
 Art. 12: Everyone has the right to freedom of
peaceful assembly and to freedom of association

26. Trapping the bot herders?
 Extremely difficult to track and successfully
prosecute bot herders
 Do we need Louis Freeh’s packet license-
plates?
 Better alternatives?
 Arrest when extortion demands are paid?
 Increase bandwidth to and globally replicate key
services using Akamai, anycast and related
technologies?
 Crowdsourced security (StopBadware)?

27. Phishing
 Symantec alone
blocking 8m e-mails
daily in 2006
 Similar criminal
ecology to DDoS -
custom virus writers,
botnet herders, site
operators,
spammers, mules
 96.6% of attacks are
on financial services
insitutions
Source: Anti-Phishing Working Group May 2007 report

28. Taking down the phishers?
 Targeted financial
services
institutions can
ask hosts to take
down sites
 Some hosts still
unresponsive
 Phishers moving
to botnet hosts
and more
sophisticated
frauds (escrow,
“sales reps”)
Source: R. Clayton & T. Moore (2007)