The scale and vast cost of cyber crime have been made clear in the last few weeks. Daniel Dresner suggests that stronger industrial standards may be the best response.
Organised cyber crime represents a serious challenge for those charged with protecting our digital assets. The ‘law of requisite variety’ determines that while the ‘bad people’ try to steal our identities and assets, the ‘good people’ respond by formulating agendas and appointing committees. One can almost have sympathy with the security services that want access to everyone and everything (as do the criminals), yet have to play by the rules that define the social decency which underpins our society and protects us.
The adoption of standards could be the solution. But “the good thing about standards is that there are so many to choose from”, in the words of Andrew Tanenbaum. Since the first Information Security Breaches Survey in 1994 created the impetus for a national (now international) standard for information security, we’ve been codifying common sense. We have based this on catalogues of controls that can be inserted into systems to keep intruders out.
The British Standards Institution stocks 35 variants and parts of the original, evolved, 1995 standard. Yet there is nothing here to scare the criminal hacker seeking to steal the identities of the innocent for financial gain without a care for the anguish of the victims. Instead, it is rather like the award of a driving licence that does nothing to protect other road users from the driver under the influence of alcohol, drugs, or lack of attention.
There is no doubt in my mind that the current National Cyber Security Strategy – now under review – has done much to bring standards into a more acceptable light, with some support for ISO/IEC 27001 (the internationally nurtured successor to the 1995 original), the creation of IASME, and the all-important development of Cyber Essentials. The start of the Trustworthy Software Framework’s path to standardisation is another area for UK pride. But these are all little more than honest checklists.
Now – with the policy being reviewed – is the time to bring standards back into the real-time business fold with a benchmark of security, rather than mere attainment of a standard which may not be genuinely effective. Standards themselves have been declared an economic powerhouse, contributing £8.2bn to the UK economy. But standards – particularly the organisation-based management standards – are misunderstood to be audit tools rather than the ‘Haynes Manuals’ that build multidisciplinary experience into business and industrial systems.
We can no longer rely on the luxury of expecting to operate in pristine environments. Small butterflies of change in the software – not always malicious – can bring the mightiest supply chain to a halt without so much as the clichéd grinding. We need to encompass the demand on systems to operate under threat, the developing challenge of attribution and possibly retaliation too. (I use the term ‘systems’ in its comprehensive view of both technological and human elements.) My colleague Neira Jones and I have published a paper on the first step towards this benchmark. There is still much work to do, but I fear that if the concept is not embraced now then the academic and commercial world views (and those of process control and critical infrastructure) may be hindered in their desired convergence.
The controls-based approach will always have its place, but having the locks, blocks, and obfuscators in place is a sign of hope rather than evidence of successful security. We don’t have enough of an understanding of which controls are the most effective, or of how to keep track of the legacy controls that protect a system whose creators have long since moved on.
A secure system, one that you can trust, is the product of an architecture which is sensitive to feedback. This is the true cyber of cybernetics. No security standard – with our current level of understanding – can provide a guarantee of security. They have their place in the life cycle of systems which must embrace trustworthy design and rigorous testing. The current library of standards performs a task like a garden fence. A garden fence will not stop the persistent, determined intruders. However it will deter the crowds so that you can focus on protecting the most important flora from those who’ve breached your borders.
The next breed of standards must provide an indicator of security status. They must provide us with the dials so that we know which levers to pull – or set the machines to pull the levers for us. It is time to make a strategic move in the cyber war.