MAPPING day 2: fixing things when they go wrong, the need for perception management and more besides
[Image caption: Ever wondered what happens to your data when it ends up in one of these?]
The speaker then reviewed the effect on his jurisdiction of the recent Heartbleed bug in OpenSSL. Experience of that incident demonstrated that ISPs have an important role to play in helping their users to preserve security: any halfway competent ISP will know who is using its service, who is sending out bulk email and spreading spam, and so on. Any software put out for consumer use should already be configured securely, he added: it should not be necessary for consumers to do the job themselves, though there is a discussion as to whether secure settings should be the default or merely an option. If unsafe software were, for example, infected meat, national governments would be swift to prevent its importation, so why should software be treated differently? The comparison is not as strange as it seems: much medical equipment, for example MRI scanners, is software-driven, and if that software is insecure or cannot be operated properly the equipment can be dangerous. At any rate, it is axiomatic that all software supplied to Europe for use in Europe must be subject to European legal standards, notwithstanding that it may be compliant with its own home-grown legal standards.
[Image caption: Not all intruders are so conspicuous ...]
Finding evidence of new attacks is difficult, the speaker concluded, because you may be looking for something that hasn't yet happened and it can be tricky to discern relevant threat-related data from the noise that a network might in any event be generating.
In discussion, participants mentioned the exponential growth of reported computer fraud, which has taken place at a time when calls for greater information-sharing are still being made. The main issue here is not just computer security but perception management: awareness among politicians is low and there are no votes in cyber-crime, of which consumers are insufficiently aware. Meanwhile, the potential profitability of data exfiltration and the low risk of detection make it an attractive proposition. Against this, insurance against cyber attacks is increasingly conditional on meeting acceptable security standards, and businesses are running ahead of governments in protecting their data, since their money depends upon it. Raising awareness among SMEs and start-ups is the wrong place to start: what they want is to be able to buy safe off-the-peg software that they can trust, rather than having to invest in developing their own protection.
A further speaker, representing the police, urged the audience to trust the police, which in his jurisdiction were guided in all operational matters by the provisions of the European Convention on Human Rights and data protection legislation. Some police action involves surveillance, but this requires (i) prior authorisation and (ii) justification before the court when evidence obtained by that surveillance is put before it. Enforcement is difficult, he said, since courts struggle to understand the technical issues involved: they are struggling to deal with even matters such as online pornography. In addition, most internet-related crime spans jurisdictions and is therefore expensive and impractical to chase.
Another speaker, who had worked for an international military alliance, spoke of cyber-security in various contexts, conceding that a big weakness of even the best policies and security systems was the fact that people are people and, even in a top security environment, will display human characteristics such as curiosity (eg plugging in a USB stick, contrary to security instructions, since they wonder what's on it).
At this point, this blogger absented himself so that he could revise his presentation, for delivery immediately after lunch.