Cyberwar, Cyberterror, Cybercrime & Cyberactivism (2nd Edition): An in-depth guide to the role of standards in the cybersecurity environment
Ebook, 390 pages, 4 hours


Rating: 4 out of 5 stars


About this ebook

The intentions of the cyberterrorist, the cybercriminal, the cyberactivist and the state-sponsored hacker are not the same. They can all cause serious problems for your organisation, however, including information theft, disruption of normal operations and undermining your reputation or credibility.

Many books on cybersecurity focus on technical responses to these threats. As important as this is, human fallibility and other known vulnerabilities will allow hackers to easily break into a system that has not taken account of these factors.

This book encourages cybersecurity professionals to take a wider view of what cybersecurity means, and to exploit international standards and best practice to create a culture of cybersecurity awareness within their organization that supplements technology-based defenses.

This second edition takes account of the changing threats in the cyber landscape, and includes an updated body of knowledge that describes how to acquire, develop, and sustain a secure information environment that goes beyond technology. This enables you to move towards a cyber aware organizational culture that is more robust and better able to deal with a wider range of threats. Related references and recommendations for additional reading are included at the end of each chapter, making this a valuable resource for trainers and researchers, as well as cybersecurity practitioners.

Language: English
Publisher: itgovernance
Release date: May 8, 2014
ISBN: 9781849285735
Author

Julie Mehan

Dr Julie Mehan is a Principal Analyst for a strategic consulting firm in the State of Virginia. She has been a career Government Service employee, a strategic consultant, and an entrepreneur.


Reviews for Cyberwar, Cyberterror, Cybercrime & Cyberactivism (2nd Edition)


2 ratings, 1 review


  • Rating: 4 out of 5 stars
    4/5
    No Shortcuts for Security: "Cyberwar, Cyberterror, Cybercrime and Cyberactivism" (2nd Edition) by Julie Mehan Published 2014 (2nd Edition)


    “No Shortcuts for Security”.

    That’s always been my motto in terms of security. I’ve been working in consulting for some years. I’ve almost seen and done it all… Nope. Just kidding… Security-wise I’ve run across lots of situations: some bad, some so-and-so, and some really bad. After more than 2 decades working in IS/IT my list of things to look out for in terms of security is a bit extensive…

    To Wit:

    - Although long in the tooth, there are attacks that keep on working in this day and age. Phishing comes to mind;

    - IT departments still have an historical approach when dealing with (IT) Security, i.e., they always think all security issues can be dealt with by buying more tools. Nope. That’s not the way to go. The Way to deal with security is by using a bottom-up approach, meaning we have to start from scratch (empowerment, processes, etc.);

    Read on, if you wish to do so.

Book preview


INTRODUCTION

Purpose and scope

For persons with knowledge of cybersecurity or security engineering, but not standards and best practices, this book introduces them to the discipline of international standards and best practices and points to references for further knowledge. It supplies the background needed to meaningfully recognize the topic a reference might cover and highlights the references which might be of interest.

For those with a standards background, the book provides some essential insight into the current world of CyberWar, CyberTerror, CyberCrime and CyberActivism.

This book cannot, of course, enumerate the knowledge needed in all possible fields in which secure information systems are essential.

Motivation – Why now and why an update?

Knowledge is power. Information is power. The secreting or hoarding of knowledge or information may be an act of tyranny camouflaged as humility. (Robin Morgan)

The period of human history in which we are living is often called the information era: an era in which the whole world has begun to communicate using information technology (IT); an era during which information has become at least as valuable as other, more tangible, resources. It is a highly competitive world, where information is at the cutting edge. To have that edge in this competitive environment, the acquisition and protection of information is critical. In every government or business enterprise, professional activity, or personal engagement, information is THE factor that guarantees optimum effectiveness, efficiency and maximum productivity. In this age of information, effective decision making is predicated on possessing accurate and relevant information.

Modern styles of life have caused major changes to the world of economy. It is not only the size of a company, or the money it possesses – it is information which makes companies powerful.

Information is power: information is money: information is critical. Without proper information, any organization is vulnerable to failure – whether it is a production company, service enterprise, commercial vendor, or government agency.

In the decade of the rapid growth of information sharing enabled by the Internet, together with the enormous growth in the amount of information in everyday life, the problem of information and information system security has emerged as an even greater global concern. Inherent in the value of information in our life, is the need to provide an environment where it can be processed, stored and transmitted correctly and securely.

Today, the growing concerns about cyberterrorism, cyberwarfare, cybercrime, cyberactivism, cyberespionage, and the erosion of personal privacy have governments and agencies around the world discussing the need for international action and legislation and seeking the right standards to implement in order to improve cybersecurity.

The need for a workforce more skilled in the engineering of a secure information systems environment is also evident. The discovery – and potential exploitation – of vulnerabilities³ in information systems by unauthorized, unethical, or criminal individuals – as well as by the uneducated user – can have a serious impact upon an owner in terms of increased costs (recovery and remediation), and a negative impact on the organization’s reputation.⁴ The technology of information systems has traditionally received top billing in discussions about cyber space. And for quite a while, there has been a concerted effort across all types of organizations to identify and recruit professionals who have the technical training and experience to implement infrastructure in the new cyber dominant world. However, there is an increasing consensus that identifying and developing a professional cybersecurity workforce is equally – if not more – important in meeting evolving cyber challenges. The motivation and commitment needed to create a knowledgeable cybersecurity workforce go well beyond simply recruiting and training. It requires a much broader understanding of the scope of the cybersecurity issues and a comprehensive approach. A cybersecurity-savvy workforce must be armed with the cyber risk guidance and awareness to recognize and understand, when confronted with a potential threat, what to do or where to go for assistance – within seconds. They must also be abreast of, and have the ability to accomplish their duties in accordance with, current laws, regulations, and policies, and know how to use the available tools and standards to protect information and information systems.

Increasingly, incidents involving the theft, destruction, or compromise of critical confidential data are subjecting individuals to identity theft, causing organizations to suffer significant losses from fraud, or exposing governments to either critique or cyber attack through the exfiltration and publication of highly sensitive, protected data.

In order to enhance personal privacy protection and to emphasize corporate responsibility for the protection of that information, by November 2012, forty-six states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands enacted legislation requiring notification of security breaches involving personal information. A current listing of the U.S. states with breach laws can be found at: www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx. By mid-2013, the European Union Commission’s Directorate General for Communications Network, Content and Technology (DG CONNECT) proposed to ‘explore the extension of security breach notification provisions, as part of the modernization of the EU personal data protection regulatory framework’ in its Digital Agenda for Europe (action 34).⁵

Legislation is forcing companies to provide public notice of their failure to protect information. Such publicity has caused damage to the reputations of even established firms, resulting in loss of business,⁶ and has also prompted a number of other nations to enact similar data freeze and notification laws.

Individuals, such as Edward Snowden⁷, are exposing the soft underbelly of our information systems – the ability to protect the information from exposure or exfiltration. The simple fact of knowing that the information exfiltration is occurring doesn’t really provide much help. As we stand here today, there are no widely used and consistently successful technological fixes capable of preventing all types of network infiltration. Kenneth Geers, a senior global threat analyst with FireEye,⁸ stated: ‘There’s a lack of good mitigation options in the United States in terms of stopping the attacks. Cyber defense is a new and immature discipline that has a long way to go.’

Cybersecurity incidents are not only the result of attacks or malicious activities from both inside and outside organizations and government agencies. Many cybersecurity incidents can also be traced back to vulnerabilities that were caused by inadequacies in software requirements, or defects in software design, coding, or deployment configuration, or in events associated with the supply chain. The results of a combination of intentional attacks with defective system or software engineering are information system and software security problems that can be frequent, widespread, and often serious.

This book is a necessary preliminary step towards addressing the challenges of cyberwarfare, cyberterrorism, cybercrime, and cyberactivism, as well as the unintended consequences created by information systems users. These steps include addressing the skill shortages within government and industry and curriculum needs within universities, colleges, and trade schools. Further, organizations can use this book as a tool to identify areas of strength and weakness and aspects of cybersecurity on which they should productively focus, and learn what informative standards, guidelines, and practices are available and applicable to their organization.

The ultimate goal for this book is to introduce readers to the value of standards and best practices to address significant cybersecurity problems, such as those presented by cyberwar, cyberterror, cybercrime and cyberespionage.

While the content of this document provides broad coverage, readers interested in gaining an even deeper knowledge in cyberwarfare, cyberterrorism, cybercrime, and international standards are encouraged to also read the references provided throughout this document.

References

Ponemon Institute (November 2011), Reputation Impact of a Data Breach: US Study of Executives and Managers.

Online Privacy: EU Rules Ensure the Privacy of Your Online Communications (2013), URL: http://ec.europa.eu/digital-agenda/en/online-privacy.

Eichenwald, Kurt (2013). How Edward Snowden Escalated Cyber War. Newsweek, http://mag.newsweek.com/2013/11/1/edward-snowden-escalated-cyber-war.html.

³ ‘Vulnerability: Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.’ [NISTIR 7298 and CNSSI 4009].

⁴ A study of the ‘Reputation Impact of a Data Breach’ by the Ponemon Institute in November 2011 evaluated 843 organizations of varying sizes. The study indicated that the value of brand and reputation could decline as much as 17 percent to over 31 percent. Additionally, study participants stated that in some cases it could take longer than a year to recover and restore reputation and brand image. Additional information on this study can be obtained at: www.experian.com/assets/data-breach/white-papers/reputationstudy.pdf.

⁵ See https://ec.europa.eu/digital-agenda/en/pillar-iii-trust-security/action-34-exploreextension-security-breach-notification-provisions for more about this discussion.

⁶ A breach of the TJ Stores in 2007 cost the company an estimated $250 Million and may result in additional litigation (www.slideshare.net/svelasco1/tjx-breach-impact-casestudy).

⁷ Snowden is a former NSA contractor who – in the name of protection of privacy – revealed classified details of top-secret United States, Israeli, and British government mass surveillance programs to the press. As of this writing, he resides in Russia under temporary political asylum. Snowden is considered a fugitive from justice by the U.S. government, which has charged him with espionage and theft of government information.

⁸ FireEye is one of many companies that specialize in providing solutions aimed at protecting clients against advanced cyber attacks.

CHAPTER 1: TECHNOLOGY IS A DOUBLE-EDGED SWORD

Technology giveth and technology taketh away, and not always in equal measure. A new technology sometimes creates more than it destroys. Sometimes, it destroys more than it creates. But it is never one-sided. (Postman, 1990)

Despite Postman’s dire prediction, society has profited immensely from the development, implementation, and operation of new information technologies. Our lives have been enriched by the increased prosperity, expanded opportunity, and greater variety that advances in information technology provide. But technology can be a double-edged sword. Reconciling technology, privacy, and security to achieve a workable balance can be a daunting task. Organizations across the globe are relying on technological innovations to spur new growth. Cloud computing, social media, and mobile devices, among other technologies, have shown vast advances during the past few years as these trends are embraced.

But it’s important to understand that every new innovation also brings new cybersecurity risks. Billions of mobile devices are connecting to government and corporate networks, and with each touch point there is also the potential for introducing vulnerabilities. Additionally, with more data being produced and touched by more and more individuals the potential for information theft or leakage grows exponentially.

To combat an increase in cybersecurity vulnerabilities as a result of this ever-increasing connectivity, organizations should shift their approach to focus on protecting the valuable information, rather than limiting their efforts to hardening information system endpoints.

The increasingly quickening pace of technology over the past decades has created a double-edged sword for society. There are those on both sides that find the advantages and disadvantages of its spread into every aspect of life. Technology’s varied uses run from car navigation to the taking over of jobs once done by people. The sword has both good and bad edges, but it is a presence that everyone has had to accept in some way. (Modern Technology Council, 2013)

From the printing press to the information age

The information age is a product of information technology. This is not, however, its distinguishing feature. Despite what many may believe, technology in some form has always been a part of humanity, even in the most primitive of societies. The factor that distinguishes the period of information revolution following the invention of the printing press, and the same factor that distinguishes our technological world today, is that the entire human condition has experienced radical change and has entered into a period of recognizable growth dynamics based on information expansion associated with technological innovations.

As with the printing press, the introduction of the new Internet-based information technology is much more than just a technological discovery to which society must adjust. The explosive growth of the Internet – a worldwide telecommunications network – and a global information society have brought about a transformation of our social systems. As a result, not only the information technology, but also human beings, social relationships, economic standards, norms, and ethical values have evolved.

There are visible parallels between events surrounding the invention of the printing press and the proliferation of the written word and the societal changes that are appearing as a consequence of new information technology. These two inventions, although occurring in completely different time periods, have each had an enormous impact on the world in the areas of education, history, communication and many others. These changes have been so compelling that one might contend that these will be as dramatic as the events of the scientific revolution, the spread of knowledge, and the Reformation, which all had their roots in the propagation of information as a result of the creation of the printing press.

Unintended consequences will certainly impact the future of society as a result of the new information technology. With every technological advance, creative destruction also occurs. The cataclysmic societal and cultural changes that occurred subsequent to the invention of the printing press were completely unpredictable. In fact, it took more than a century for these to be recognized.

The printing press

The invention of the printing press fully transformed the way in which information was created, reproduced, sold, and consumed. It brought into being new economic institutions and relationships and altered old ones beyond recognition. As a result, the printing press represents the only comparable event in the history of communications to the recent information technology revolution.

Gutenberg’s first printing press was invented by converting an old wine press into a printing machine. His first prints were made in the German city of Mainz in 1450, and by 1490 the printing press had permeated 110 cities in six different countries and more than eight million books had been printed; each providing access to information that had never before been available to the average citizen. By the end of the century the technology had spread throughout Europe, setting in motion the first information explosion – a precursor to today’s information revolution.

Figure 1 Gutenberg’s printing press

Source: University of Klagenfurt, Virtual Exhibitions in Informatics

It is clear that the printing press radically altered the manner in which information was collected, stored, retrieved, criticized, discovered, and promoted – leading eventually and inevitably to the Reformation, the Renaissance, and the scientific revolution.

The printed works enabled by the printing press forced the Reformation, for without crucial access to the printed editions of religious texts and the emerging variations on the relevant dogma issues, Martin Luther may not have had sufficient incentive to develop his revolutionary new theological concepts. Also, without enhanced access to the creation of printed texts, Luther would not have been able to spread his new ideas beyond a few elite.

The Renaissance also owes its spread across Europe to the printing press. While there had been preceding efforts to evolve humanistic concepts prior to the so-called ‘Italian Renaissance’, it was not until the printing press and the subsequent ability to put those ideas into the hands of the average citizen that they were able to proliferate and thrive.

Nowhere was the effect of the printing press as evident as in the scientific revolution. Science relies on the concept of the accumulation of knowledge. The collection and universal availability of scientific data relied on the printing press, whereupon new contributions of knowledge could become part of a permanent accumulation.

It must be noted that the printing press did not invent the book; rather, it changed how books contributed to the preservation and distribution of knowledge. Until the printing press, books were meticulously hand-copied and, consequently, distribution was limited to an extremely small number of the learned and clerics. The printing press allowed the production of thousands of copies of a single manuscript. In essence, books that once were limited to the libraries of the elite could now be found in the homes of the populace.

The printing press also changed how information could be retrieved. Prior to the printing press, the ability to retrieve information was largely dependent on the capability of an individual to recall the location of the information. Indexed books were essentially unknown. After the printing press, however, indexing became part of a more orderly, systematic approach to printed text.

One of the greatest, most immediate and most identifiable consequences of the invention of the printing press was the revolution in education and learning. Previously limited to scholars and clerics, learning through books gradually expanded to become part of the daily life of children and adolescents; thus exposing young citizens to a very different developmental process than that experienced by the youth of medieval society. As more people at all levels of society learned to read, the gap between the elite and the common man slowly narrowed. Social status changed dramatically.

If the printing press first fostered the positive concepts of modern individuality, it was also a major factor in the destruction of the medieval constructs of society and community. The printing press represented an example of technology that fostered change, creating both good and bad. The path taken by society after the printing press has led unalterably to what many term a revolution resulting in the advent of the ‘new information age’.

Reference

The University of Calgary, The Applied History Research Group (1998), ‘The End of Europe’s Middle Ages.’ URL: www.ucalgary.ca/applied_history/tutor/endmiddle/langlit.html#press.

From the information age¹ to the shift age²

Unlike the printing press, no single person invented the new information technologies. Instead, they were the result of advances in computer technology, reductions in the cost of manufacturing personal computers and mobile devices and the resulting increase in their popularity, and the evolution of networking technology.

As emerging information technologies become increasingly prevalent, it also becomes clear that society as a whole finds itself in the midst of an information revolution equally as profound and certainly as far-reaching as the one initiated by Gutenberg and the invention of the printing press. As then, it is not the technology itself that defines this information revolution, but rather the unprecedented capability to enable a degree of one-to-many and many-to-many communication never before seen.

Over 100 years ago, the emergence of the telegraph presented an evolution in mass communication and information sharing begun by Gutenberg and his printing press. While it provided a new means of communication and caused noticeable changes in the speed of communication, it nonetheless remained limited by regulation and technological capability; thus ensuring that it did not expand beyond a select group of users. Consequently, its effects were limited. Short generations later, the telephone appeared, also altering the course of communication. But, like the telegraph, the telephone also was limited in its expansion capability and, consequently, its effects were also restricted. Neither change in communications represented a revolution in the society in which they were introduced.

From the beginning of records and through the industrial age, land, human labor, and physical possessions were the key ingredients of wealth. In this traditional paradigm, the creation of wealth required the transformation of tangible raw materials into some form of product. Over time, the nature of the product has evolved until today we see information and intellectual property serving as the raw material for the development of wealth. There is hardly an organization today that does not rely on information to survive.

Recent decades, however, have witnessed a radical change equal in force to the printing press in the means by which information is collected, stored, retrieved, criticized, discovered, and promoted. The pervasive spread of technology and the means of instant communication and information sharing have created a second information revolution. One of the distinguishing features of today’s information revolution – just as in the day of Gutenberg – is the affordability of the new technologies, as well as access by the masses, rather than by an elite few.

Perceptions of the world and its population are being changed through the availability of information in the form of electronic media. Today’s generations already experience information only in electronic documents rather than the written word. In fact, the many-to-many communication medium of networked technology facilitates the process of maintaining, updating, and distributing knowledge, resulting in immediately available and constantly updated information. Just as in the period following the invention of the printing press and the wider distribution of books and learning to the homes of the populace, the increased availability and affordability of technology that can collect, store, process, and transmit information positions today’s citizens for similar phenomenal change.

Not only has the capability to distribute and update information been enhanced, but also the ability to retrieve that information has taken another momentous leap.

This profusion of new technologies for collecting, processing, transmitting, and displaying information – often collectively called the ‘information revolution’ – is altering the familiar political, economic, socio-cultural, and military dimensions in ways that we do not fully comprehend, and at a rate that people find difficult to accommodate. The information explosion is affecting not only the way we interact socially, but also the global distribution of power.

Information technology also has the ability to shape the way in which individuals interact with information and knowledge. The new information capabilities enable rapid access to information on any topic of immediate concern. Individuals have access in real time to what is occurring across the globe, resulting in a more informed and aware populace. One of the groups
