Friday, March 11, 2016

Infowar and Cybersecurity: Pitfalls, history, language, and lessons still being learned

I recently registered to attend a very special event in the cybersecurity calendar: InfoWarCon. The organizers of this unique gathering ask all participants to write a short blurb about what they bring to the proceedings. You can read what I wrote later on in this post, but first, some background.

The Information Warfare Conference

An institution created by my good friend Winn Schwartau, InfoWarCon has been around from more than 20 years. Even if you haven't heard of Winn, I bet you've heard the phrase: "Electronic Pearl Harbor". Winn was the first person to use that term, as recorded in his testimony to Congress about the offensive use and abuse of information technology in 1991. That was five years before CIA Director John Deutch made national headlines using the term, also in congressional testimony (you may recall President Clinton issuing a presidential pardon to Deutch after he was found to have kept classified material on unsecured home computers).

The first InfoWarCon I attended was the one held at the Stouffer Hotel in Arlington, Virginia, in September of 1995. In those days, Chey and I were both working for the precursor to ICSA Labs and TruSecure, then known as NCSA, a sponsor of InfoWarCon 95. The agenda for that event makes very interesting reading. It addressed a raft of issues that are still red hot today, from personal privacy to open source intel, from the ethics of hacking to military "uses" of information technology in conflicts.

Winn was passionate that there should be open and informed debate about such things because he could see that the "information society" would need to come to grips with their implications. Bear in mind that a lot of the darker aspects of information technology were still being eased out of the shadows in the 1990s. I remember naively phoning GHCQ in 1990, back when I was writing my first computer security book, and asking for information about TEMPEST. The response? "Never heard of it; and what did you say your name was?" When I first met Winn he was presenting a session on a couple of other acronyms, EMP bombs and HERF guns. That was at Virus Bulletin 1994, one of the longest running international IT security conferences (my session was a lot less interesting, something about Windows NT as I recall).

The InfoWarCon speaker lineup in 1995 included a British Major General, several senior French, Swedish, and US military folks, Dr. Mich Kabay - chief architect of one of America's first graduate level information assurance programs, and Scott Charney, now Corporate Vice President for Microsoft's Trustworthy Computing. Many of those connections remain active. For example, the Swedish Defence University is involved in this year's InfoWarCon, via its Center for Asymmetric Threat Studies (CATS). Recent InfoWarCons have eschewed the earlier large-scale public conference format in favor of a more intimate event - private venue, limited attendance, no media - more conducive to frank exchanges of perspectives and opinions.

For Chey and I, the trip to InfoWarCon16 is personal as well as professional - after all, we have known the Schwartaus for more than two decades, somehow managing to meet up in multiple locations over the years, from DC to Florida, Las Vegas to Vancouver, not to mention Moscow. So when I got to the registration page for InfoWarCon16, which asks all prospective attendees and invitees to submit a short “What I Bring to InfowarCon” blurb, my first thought was "I don't need no stinking blurb!" But that soon passed as I relished an excuse to convey something of my background in a new, and hopefully interesting, way. Here is what I wrote...

A Student of Information Technology Pitfalls

Mining coal in the Midlands, 1944 © IWM
I was born in 1952, in the English county of Warwickshire, in a small terraced house heated by fireplaces that burned coal. That coal was mined from one of 20 pits under our county, some of which were more than a century old by then. Between 1850 and 1990, pitfalls in mines in the Midlands killed hundreds of men as they toiled to fuel the industrial revolution. Across Britain during that time period coal pits claimed over a hundred and fifty thousand miners, but theirs were not the only lives taken by fossil-fueled industrial technology. Consider this: a few months after I was born, 12,000 Londoners died from a single air pollution incident, of which burning coal was a primary cause (the Great Smog of 52).

And so it was that, many years before computers came into my life, I was well aware technology brings pitfalls as well as benefits. Like many of the swords displayed in Warwick castle, originally built by William the Conqueror in the eleventh century, technology is double-edged. This is certainly true of information technology. It can be good for growth, good for defense, but also tempting for offense.

Since I started researching my first computer security book in the late 1980s I have thought long and hard about such things, sometimes in ways that others have not. I have listened closely to the language invented to articulate the uses and abuses of this technology. For example, in 2014, I presented a paper at CyCon titled “Malware is called malicious for a reason: the risks of weaponizing code” in which I introduced the term ‘righteous malware’ (IEEE CFP1426N-PRT).

 In 2015, I analyzed the problem of measuring the scale and impact of cybercrime in the peer-reviewed Virus Bulletin paper: “Sizing cybercrime: incidents and accidents, hints and allegations”. The serious shortcomings of both public and private sector efforts to address this issue were articulated and documented in detail. I am currently doing post-graduate research at the University of Leicester seeking to identify key traits of effective cybersecurity professionals. But more importantly, for the past 25 years I have engaged myself as much as possible - resources and life events permitting - in the ongoing conversation about how best to reap the benefits of information technology without suffering from what have been called its downsides, its pitfalls.

Speaking of which, it is relevant to note, in the context of InfoWarCon, that the word pitfall did not originate in coal mines, but on the battlefield. The Oxford English Dictionary identifies 1325 as the first year it was used in written English. The meaning? “Unfavourable terrain in which an army may be surrounded and captured.” To me, that doesn't sound a whole lot different from some parts of cyberspace.