Sunday, August 12, 2018

What does threat cumulativity mean for the future of digital technology and cybersecurity

In recent years, most of my presentations about cybersecurity have included a slide titled "Security is cumulative". I made the slide when a group of business people asked if I would speak to them about cybersecurity. As usual, I said I would be delighted to do so, but it would help me to know what aspects of the subject they wanted me to address. The conversation continued like this:
  • Them: “You’ve been at this for a long time, right?” 
  • Me: “Yes, I guess I’ve been researching security for about 30 years.“ 
  • Them: “Well, why not talk about the top five or six things that you’ve learned.” 
Why not, indeed. The idea appealed to me and so I created a new slide deck to capture my thoughts and my first thought was this: security is cumulative. Beneath it I wrote words to this effect: To protect information systems and the data they process you have to anticipate and defend against new threats while also defeating old threats.

Ever since I wrote that, I have seen confirmation after confirmation that it is correct. Of course, there’s probably some confirmation bias at work, but consider these recent news stories
That is five examples in 10 days – July 26 to August 4, 2018 – five headlines that reflect the reality that “security is cumulative”. While many information security professionals have, over the years, stressed the need to learn from history, I think this aspect of cybersecurity, this need to defend against an accumulating list of threats, deserves a name, so I am suggesting this one: threat cumulativity.

Here is my proposed definition of threat cumulativity: the tendency of new technologies to spawn new threats that do not displace old threats but add to them.

Of course, there will be objections to this term, starting with "cumulativity is not a word" and "everybody knows this already." Well, cumulativity is a word, as I will explain in a moment. As for "everybody knows this already" let me be blunt: that is one of the most persistent errors in security thinking, kept alive by security experts who are out of touch with the relationship between technology and people.

To be clear, if you are a security expert, you probably do know that threats are cumulative. But there are a whole bunch of people whose work impacts security who have not internalized the implications of this phenomenon. I think that having a term to describe the phenomenon will help to spread awareness of its implications.

Another objection to "threat cumulativity is likely to be: "you mean risks, not threats, so you should be talking about risk cumulativity." This is a non-trivial point and so I am going to address it in a separate article. But I think there are good strategic reasons for using 'threat' here rather than 'risk'.

As for cumulativity, it is a term used in linguistic semantics to describe an expression (X) for which the following holds: "If X is true of both of a and b, then it is also true of the combination of a and b. Example: If two separate entities can be said to be "water", then combining them into one entity will yield more "water"." (Wikipedia)

Now, I am not an expert in linguistic semantics, but I do happen to have a decent degree in English Language and Literature. To my way of thinking, appropriating cumulativity for the security lexicon is a valid use of the word, one that can help people understand - and defend against - the phenomenon it purports to describe.

I will be writing more about threat cumulativity and furnishing examples of how it appears - to my eyes at least - to spell trouble for new technologies, some of which are the object of much hope for future prosperity.

Note: the illustration at the top of the article is from the works of Vauban, a pioneer in physical security, namely fortifications.

Sunday, May 06, 2018

Conversation starter for cybersecurity and workforce networking events

Elevator icon, created and released to public domain by Stephen Cobb
Suppose you work in cybersecurity and/or workforce development and you find yourself talking to other people in those fields, maybe during a networking break between conference sessions, or at one of those randomly seated lunches. Everyone has been introduced, said where they're from and for whom they work, but now there's a lull in the conversation. Try starting the conversation with this question:

A man and a woman get into an elevator; which one is doing risk assessment?

I have been asking strangers this question for a while now and the responses are very interesting. I don't want to tell you what they are at this point - that is a separate blog post. (I'm trying to devise a more formal study of responses from a range of audiences.)

But if you know me, or know of my research into gender and risk perception, you might be able to imagine where I'd like to see the conversation go after this icebreaker (places like a deeper understanding of how our sense of risk varies based on who we are and how our experiences in life have led us to differing levels of concern about potential threats to our wellbeing).

You might also want to ask this question outside of cybersecurity circles. Maybe in class? And you could change it up a little. For example, I have used "which one is more likely to be doing risk assessment?"

You could also ask this question on Twitter or Facebook (feel free to use the image above - frankly I think it's a daft sign, but I made it based on a real one that I saw recently in a very new office building in San Francisco).

Thursday, February 01, 2018

Cybersecurity and data privacy research: a modest eight piece portfolio

Research that I have done in cybersecurity and data privacy over the last few years has borne fruit in a number of different places so I wanted to provide a centralized reference point for eight of the main outputs. This should make it easier for folks to find them. I have annotated the items for context and relevance. (Note: I have formatted all the PDFs for Letter size paper but some of them use UK English spelling, others are US English.)

1. Code as a weapon

Document: Malware is Called Malicious for a Reason: The Risks of Weaponizing Code (PDF)

History: Published in the 6th International Conference on Cyber Conflict (CyCon) Proceedings, P. Brangetto, M. Maybaum, J. Stinissen (Eds.) IEEE, 2014.

Context:  I worked with my friend and colleague Andrew Lee, who was then CEO of ESET North America, to articulate several arguments against using code as a weapon. In the world of companies and consumers, program code that you run on someone else's system without permission is typically referred to as malicious software or malware. A single "infection" can cost a single enterprise hundreds of millions of dollars worth of damage (as in the WannaCry and NotPetya attacks of 2017, which used code developed by the NSA). We argued that the development of "righteous malware" by the military and intel communities, a process sometimes referred to as weaponizing code, has proceeded with insufficient input from the people who defend against, and clean up after, real world malware attacks. The consensus of this community is that military deployment of malicious code is at best a very risky proposition.

(While I was delighted that the paper was accepted for publication, and enjoyed traveling to NATO's Cycon event in Estonia in May of 2014 to present it, one of the reviewer's comments - "not very academic" - stung a little. Consequently, in August of 2014 I enrolled in a Master of Science program at the University of Leicester in England.)

2. Cybercrime and criminology

Document: The main problem with Situational Crime Prevention is that it fails to address the root causes of crime: a critical discussion

History: This 4,000 word essay, which includes an extensive reference list, was the first piece of work that I produced for my MSc in the Department of Criminology at the University of Leicester.

Context:  The essay received a good grade and writing it required me to think hard about some of the fundamental issues in criminology. Presented in the traditional English academic essay format, a proposition is argued for and against. In this case, the idea of practical crime prevention is set against the need to understand and address crime's root causes. My argument was framed in the context of cybercrime, aspects of which - such as attribution, scale, and geography - challenge tradition approaches to crime reduction. Of particular value to my evolving analysis of cybercrime was the early work on Routine Activity Theory performed by Felson and Cohen. Way back in 1979 they warned that: "the opportunity for predatory crime appears to be enmeshed in the opportunity structure for legitimate activities".

3. Measuring cybercrime

Document: Sizing cybercrime: incidents and accidents, hints and allegations

History: Paper selected for publication and presentation at Virus Bulletin, 2015. There is actually a video of the presentation that you can watch here.

Context: Just as defense of an information system means you first need to map and measure it, we need to know the scope and scale of cybercrime before we can effectively fight it. In many countries, the government tracks the number of murders, cars thefts, bank robberies, and other crimes. This data helps inform budgeting and resource allocation while enabling the measurement of efforts to reduce crime. Unfortunately, few countries, if any, have been tracking cybercrime. I argue that this abdication of governmental responsibility severely hampers efforts to fight cybercrime and do the work of cybersecurity. In the US, the federal government now directs inquiries about the level of cybercrime towards surveys performed by commercial organizations that have a vested interest in selling security-related products and services. My review of the literature and the surveys themsleves shows that many lack academic rigor and all are open to claims of bias.

4. Cyber futures and diversity: a TEDx talk

Document: Ones and Zeroes: a tale of two futures (video)

History: Talk given at TEDx San Diego, 2015, in which I drew on three things I learned while studying criminology, plus the inspiring young women of Securing Our eCity's Cyber Boot Camp.

Context: The organizers invited speakers to look to the future. I suggested that the future looks bleak if we don't step up our game in the realm of cybersecurity. I referenced crime deterrence and sentencing, Routine Activity Theory, Cultural Theory of Risk Perception, and White Male Effect. I ended by arguing that security would improve if we increased diversity in decision-making roles in technology companies.

5. The cybersecurity skills gap

Document: Mind this Gap: cybercime and the cybersecurity skills gap

History: Paper selected for publication and presentation at Virus Bulletin, 2015.

Context: As I looked more closely at the growth in cybercrime the more it became apparent that organizations were having great difficulty staffing cybersecurity positions.

6. Data privacy versus data protection in the US

Document:  Data privacy and data protection: US law and legislation

History: This white paper is based on an essay I wrote for my MSc in Security and Risk Management.

Context: As an essay, the document did not receive a great grade (it was deemed "not argumentative enough"). However, the underlying research was sound and, when formatted as a white paper, it has proved to be very useful for anyone trying to understand the American approach to data privacy in general, and more specifically, how this differs from the European notion of data protection, as embodied in the EU's General Data Protection Regulation or GDPR.

7. What it takes to be an effective CISO

Document: Getting to know CISOs: Challenging assumptions about closing the cybersecurity skills gap.

History: This is my MSc dissertation, all 18,000 words and 84 pages of it.

Context: From the abstract: "Pervasive criminal abuse of information and communication technologies has increased the demand for people who can take on the task of securing organizations against the increasing scope and scale of threats. With demand for these cybersecurity professionals growing faster than the supply, a problematic “cybersecurity skills gap” threatens the ability of organizations to adequately protect the information systems upon which they, and society at large, are now heavily reliant. This dissertation focuses on one barrier to closing the cybersecurity skills gap: the current paucity of knowledge about key work roles within the cybersecurity workforce – such as Chief Information Security Officer or CISO – and questionable assumptions about what it takes to perform such roles effectively."

8. Risk perception in cyber: a gendered perspective

Document: Adventures in cybersecurity research: risk, cultural theory, and the white male effect

History: A two-part article, published online, to present the results of the first ever survey of cyber risks relative to gender, ethnicity, and non-cyber hazards.

Context: If you are an information security professional, chances are you will have spent a fair amount of time and effort trying to get people and organizations to do more to protect their computers and data from abuse; and you will know that not everyone takes the risks of digital technology as seriously as you do. I asked myself why some people don't listen to experts, and why some people see less risk than others. Aided by my ESET research colleague, Lysa Myers, a survey was conducted to measure the white male effect and related phenomena. Along the way we found that criminal hacking is now perceived as a serious risk to health and prosperity by a significant section of the population.