Archive for June, 2007

Relative Impact of IT Security Issues

Posted by Tom Fuller in Blindside project, Humanity nature and activity, Uncategorized at June 25th, 2007

Hi all,

I have been working on our wiki of late, specifically trying to assess the impact of IT security issues in different areas relative to each other. The purpose is to try and prioritize the need for action and commitment of resources, so it’s rather important.

I have a healthy ego and sublime confidence in my own abilities, but as my wife beat me at trivia last night and got a better score on Nintendo’s brain trainer, it might not be altogether a bad thing if I received a second or even a third opinion on some of this. That second or third opinion is, after all, why we are doing this.

Here are three examples. There are about 40 more on the wiki. How did I do?

Electronic Banking

We assign this an Impact Level of 1, our lowest level, as a large field of banks and commercial suppliers of information systems to banks will produce competitive pressure and ample incentive to address direct and indirect information issues, and the existence of a robust offline alternative to online banking lessens the potential impact of catastrophic failure of data systems. The existence of multiple regulatory bodies provides additional protection. We assign this a Maturity Level of 1, as the offerings of online banks are still rudimentary (essentially replicating what can be found at a branch) and the technology driving both threat and response is quickly evolving.

Human Rights (intersection with technology)

Both technology and IT security can be used to protect or threaten human rights–often the same tools or procedures can be used for either end. A typical example would be the human rights effects surrounding e-Voting, where increase in access to a service for many is in apparent conflict with the potential for abuse. Human rights issues related to technology are normally identified very quickly and follow a pattern that all too often ends in clearly identified political positions in full-scale conflict with each other. Hence this assessment focuses on the politics of human rights and technology.

We estimate the Impact Level at 3, due to the apparently unresolvable conflict between those who feel that identity is personal property inviolate and those who feel it is state-owned and controlled. Both those positions are at the far end of a spectrum of attitudes towards identity and its role in the state and its importance to all other human rights.

Champions of the position that the state should be prevented from, or severely limited in, collecting, storing and deciding how to use identity information are arguing loudly and often eloquently about the threat to human rights posed by large-scale IT projects proposed and being implemented by UK government. Some of these champions are writing here at Blindside. However, their political power is small at present, and their opinions are not shared by a majority of the public. Nonetheless, this issue is highly likely to be decided after implementation in the court system, and these champions are creating a body of work that could possibly lead a court to impose limitations on data collection and usage post implementation.

Receiving less attention at the moment from human rights campaigners are other technologies that are impinging, or potentially could impinge, on human rights. Should political activism begin in these areas, the current generation of judges may well sympathize with rights-based arguments regarding CCTV, location-based services, universal access issues, etc. Political activists may well be joined by specific groups regarding specific technologies, such as groups concerned with disabilities demanding that technology be used to provide access to information and/or the real world.

The groups exist in abundance, but they are not particularly strong, nor are they well-networked or actively co-operating at present. Hence, we assign this a Maturity Level of 2.

Spam

Impact and Maturity Level

We assign this an Impact Level of 1, our lowest level, as mechanisms for successfully combating spam exist at the individual, organisational, ISP and backbone level, and industry trade groups and regulatory bodies have institutionalised the fight against spam. The principal information assurance concern is when the volume of spam becomes so great as to constitute an unintentional denial of service campaign. We assign this a Maturity Level of 3, our highest level, as the large number of spammers and their opponents indicate that this issue is mature.

Spamming is economically viable because advertisers have no operating costs beyond the management of their mailing lists, and it is difficult to hold senders accountable for their mass mailings. Because the barrier to entry is so low, spammers are numerous, and the volume of unsolicited mail has become very high. The costs, such as lost productivity and fraud, are borne by the public and by Internet service providers, which have been forced to add extra capacity to cope with the deluge. Spamming is widely reviled, and has been the subject of legislation in many jurisdictions.

Identity Blur and CCTV

Posted by Tom Fuller in Blindside project, Humanity nature and activity, e-ID at June 23rd, 2007

I am looking at a monitor that shows me looking at it. Well, not quite. My face is completely blurred, just like TV images where they intentionally do this to tape. But here, I am unrecognisable in real time. I am wearing a green stick-on tag that has defeated the video camera taking pictures of me.

I am at the Royal Summer Art Exhibition in Kensington Gardens, surrounded by mobiles, strange furniture and objets d’ almost art. The green circular tag I am wearing has two Internet addresses–IDentityProtectionSystem.net and miquel.mora.design. They both go to a website for Miquel Mora, a graphic designer who studied at Barcelona before coming to London to get a masters at the Royal Academy of Art.

So is CCTV beaten by a Spanish graphic designer at an art show?

So how tough is it to beat CCTV? Googling common phrases (defeating CCTV, blurring faces, etc.) doesn’t bring up much. I think if it were easy, it would be all over the web. I think if it were really difficult, it would also be all over the web. What am I wearing?

Cue Bob Hope–Thanks… For The Memory

Posted by Tom Fuller in Blindside project, Data breaches, insider attacks, security services at June 23rd, 2007

I’ve posted before on the implications of computer memory–I think this one surprises even me.

Advances in memory are important and large organisations need them badly. The average Fortune 1000 company’s storage capacity grew from 198 to 680 terabytes between early 2005 and late 2006, according to this article in the Economist.

So, how long will it be before a disc the size of a CD can hold 300 gigabytes of information? And how long before data transfer methods reach 160 megabits per second?

Oh. They’re already on the market. Welcome to holographic memory, and innovation pushed by commercial demand for better DVDs.

They’re already working on the next generation, which will pack 1.6 terabytes into the same space. At this level, something old becomes something new.

Measuring Change

Posted by Tom Fuller in Blindside project, Humanity nature and activity at June 22nd, 2007

I was recently working on a book idea (does human knowledge double every 5 years?) and as part of this I calculated the compound annual growth rate of academic journal publications and patent activity in a number of fields to see if the formal output of human knowledge did in fact double every five years. I did the research using a weblog–if you want to see what I was doing, it’s here.

My question to you is, would a similar measurement of what we are looking at here and on the wiki be useful in assessing the timeline for impact? I fear it would (fear because it takes a lot of time). If you agree, tell me in the comments and I will do it. If you think that past performance has no relevance to future behaviour, I need to hear that, too.

Here is the league table for the sectors I measured during my research (I apologise for the formatting):

As shown, only 10 of the 25 grow faster than 14.87% per year, which is what is needed to double every 5 years.

Field : CAGR% : Doubling Period (Yrs)

1. Nanotechnology patents : 44.91% : 1.87
2. Nanotechnology journals : 42.03% : 1.98
3. Global warming patents : 38.62% : 2.12
4. Prions patents : 33.76% : 2.38
5. Programming patents : 33.53% : 2.4
6. Stem Cells patents : 26.47% : 2.95
7. Prions journals : 25.57% : 3.04
8. Global warming journals : 24.71% : 3.14
9. Epidemiology patents : 17.37% : 4.33
10. Stem Cells journals : 16.63% : 4.51
5 Year Doubling Rate : 14.87% : 5
11. Programming journals : 12.55% : 5.86
12. Alzheimers Disease patents : 11.26% : 6.5
13. Oncology patents : 10.02% : 7.26
14. Alzheimers Disease journals : 9.65% : 7.52
15. Oncology journals : 9.23% : 7.85
16. DeSolla Price estimate of world literature growth : 7.0% : 10.24
17. Epidemiology journals : 6.22% : 11.49
18. Mars journals : 5.78% : 12.34
19. Shale oil journals : 5.53% : 12.88
20. US patent grants : 5.21% : 13.65
21. University enrollment worldwide : 4.85% : 14.64
22. Publications in astrophysics since 1970 : 4.0% : 17.67
23. US patent applications : 3.88% : 18.21
24. U.S. Book publishing : 3.65% : 19.33
25. Shale oil patents : 2.58% : 27.21

Remembering that I tried to focus on areas where I expected to see robust growth, the fact that only 40% of the sectors I surveyed showed adequate growth to double human knowledge in 5 years is not good news.

Robocop Redux

Posted by Tom Fuller in Blindside project, Cyberwar, Data breaches, unexpected consequences at June 21st, 2007

My day is slightly brighter because I found out there are five manufacturers of robots specifically for milking cows, and six manufacturers dedicated to building robots for cleaning sewers.

However, a cloud passed in front of the sun when I read the Economist article of two weeks ago (yes, I’m having trouble staying au courant) about the use of robots in the military.

This is what I’ve put up on our wiki–would appreciate informed comment, as always.

However, the greatest IT risk, discussed below, is that robots are a) portable and can be stolen and b) will tend to have more and more sensitive information loaded into them.

The Pentagon is spending millions of dollars on research into autonomous fighting machines which might, according to Georgia Tech, “find, intercept and destroy a moving enemy tank on the battlefield”. The June 9 issue of the Economist reports that the Pentagon, in an attempt to give these robots more autonomy (including the ability to decide when to use lethal force), is working with the Georgia Institute of Technology to develop a software-based set of rules of engagement. Dr. Ronald Arkin of the Georgia Institute of Technology is currently surveying policymakers, members of the public, researchers and military personnel regarding this.

1 year

Information security issues are still around the corner in the civilian world, but are now being addressed by the military, using UAVs and robotic gun mounts and installing software rules of engagement and visual recognition systems to drive the rules of engagement.

5 years

Every other military technology advance has ended up in the hands of the police. Again, a robotic water cannon in and of itself is probably not something to worry about. But if loaded with a database of pictures of criminals, activists, troublemakers, it may constitute a threat to civil liberties. From the Blindside point of view, what would be almost as bad is a robotic vehicle with such a database being stolen.

5-25 years

As advances continue in robotics, micro-electro-mechanical systems, nanotechnology and software, robots will dramatically increase their capabilities, in business, the home and perhaps most especially in the public sector, in hospitals and chronic care facilities, etc. As their capabilities increase, they will need more information to do their tasks. Because of the portable nature of robots, that information will almost always be at risk, unless it is piped into their systems in real time. Whether this information is stored or transmitted, there will be risk.

The Great Security Roll-up Starts

Posted by Tom Fuller in Cyberwar, Procurement, security services at June 20th, 2007

This article found on Yahoo mentions Hewlett-Packard’s purchase of SPI Dynamics, but there’s been a lot more.

The article states, “Last year IBM spent $1.3 billion to pick up Internet Security Systems Inc., while data-storage giant EMC Corp. shelled out $2.1 billion for RSA Security Inc. Not just computing companies are interested: last year telecommunications carrier BT Group PLC bought network monitor Counterpane Internet Security Inc.”

What are the public policy implications of this? BT has many UK government clients, as does IBM. Are there conflicts of interest in this? Will certain security systems work better with their parent companies’ technical solutions than with their competitors? Has the public sector had a chance to secure covenants regarding this? Do existing contracts with UK government have the appropriate clauses to protect them (and us) from normal commercial competitive practices?

Which recent technological advance has the greatest implications for information assurance issues?

Posted by Tom Fuller in Blindside project at June 20th, 2007

Hi all. See title of this post. People will look at me sternly if I don’t find the answer to this question.

More importantly, public policy will not be as robust in fashioning an information architecture fit for purpose and fit for the UK.

So take a minute and tell me. Is it convergence? (Is public sector information secure in a wireless world?)

Is it nanotechnology? (If the universe is contained in a grain of sand, microdots then can carry all. Or is that true?)

Is it mistaken procedure and human error?

Inform me–and public policy. Is there one threat that stands above all others?

IT Security News Roundup

A new feature for you–this may become regular if a) you tell me you love it and b) it doesn’t cause my day to go into instant meltdown.

From Kable, news that the DTI has $4 million available for research projects aimed at reducing human error, which the DTI claims is the largest risk to IT security. It cited the results of a survey it conducted, involving over 1,800 people, on the use of passwords. It found that:

just over one third recorded their password or security information by either writing it down or storing it somewhere on their computer;
nearly two thirds never changed their password; and
one in five people used the same password for non-banking websites as well as their online bank.

Brer Fox, allow me to point out the luxurious accoutrements of the henhouse we’d like you to guard: Also via Kable, news that the Ministry of Defence has awarded Logica CMG a contract to help the MOD improve… their… IT… procurement skills. I guess the headline justifies the project… if not the winner.

In the subtle erosion department, news that a pilot scheme with Consumer Direct is going to give the police access to consumer complaints in an attempt to ‘fight doorstep crime.’ I wonder what their recorded message will say. ‘Your call may be monitored by the police for quality reasons.’

Oh–well that’s okay, then. The Home Office has said other EU countries will not have full access to the National DNA Database (NDNAD).

Can we get an early look? The CSIA (proud sponsors of this weblog and associated wiki) is preparing a strategy document aimed at making information assurance issues a part of the normal business agenda for boards of directors.

If you’re too old fogeyish to transact over the internet, you’re too old to drive? The DVLA wants to drive (sorry) people to use electronic vehicle licensing on their website. They have 30% usage now, short term plans to get to 60% and long term plans for 80%. They claim they’re one of the biggest e-tailers in the country; ‘bigger than Tesco.’ But I think their Club points system might be a bit different.

From Risks Digest, news that in the U.S. the 21st lawsuit has been filed over the exposure of 45 million credit/debit cards to fraud by TJX Companies. From my brief experience with email marketing, you could value each of those card information packets at up to £100 each for legitimate purposes. Hmm.

Will they read it while they block it? AT&T wants to monitor network traffic in an attempt to block pirated content.

From Light Blue Touchpaper, two interesting posts–the first a look at phishing which actually recommends a solution and the second another account of reading sampled traffic–this is more disturbing, as I’m sure that AT&T will get theirs wrong.

If you want more posts like this, tell me in the comments! This took 38 minutes, and didn’t cover one third of the sites I wanted to look at.

This royal throne of kings, this sceptred isle, this… Heathrow

The chaotic present and hopeful future of information systems exist in a microcosm about 30 minutes by tube from my flat, and I daily watch a stately procession of airliners descending to Heathrow Airport, a beautiful, if not quite silent, parade. It is at Heathrow airport that the current need for better performance on every topic covered in this blog is demonstrated. It is a non-sterile testing environment and the ultimate pilot project to test the ability of information systems and information assurance to integrate modern technology to meet the needs of a mass public. You may have noticed that I ticked every category we use in assigning this blog post its proper place in our own information hierarchy. It’s not a coincidence.

Let’s walk through the daily issues faced at Heathrow from an information standpoint:

1. About half of all tickets to fly are booked via the Internet, and that information must be completely available to several very different systems immediately and be perfectly accurate.
2. Parking systems must provide availability, administrative and financial information.
3. Public transportation systems must send and receive useful information about current operations and schedule changes, and receive and use similar information from several different airport systems.
4. The logistics of welcoming, feeding, watering and moving 67.7 million people per year (and taking care of 70,000 employees) are an interesting challenge, as is maintaining 48,000 square metres of retail space. Private security, first aid, tourist information, all of these have information issues attached.
5. Oh yes–core business–mustn’t forget–90 airlines, 186 destinations, 469,000 ‘air transport movements’ (er, would that translate to flights in English?) annually. Information requirements include weather at each destination, status of all airports and traffic, passenger information (but more on that below…)
6. On-time status of flights relating to connecting flights.
7. Correlating information from HMRC (well, more the C part than the R) with the Home Office (now with both parts of the newly divorced members of what was once one) and probably discreet communications with agencies using numbers as well as initials.
8. Communicating with the Civil Aviation Authority, National Air Transport System, HM Immigration–of course I’m sure they all use the same electronic forms that grab data smoothly from Heathrow systems… right?
9. Communicating with the media–and having the capability of communicating with international media
10. Having co-ordinated disaster preparedness programmes that are up to date as well as up to snuff.

Probably missed half a dozen supremely vital information systems there… but it’s Sunday morning, so it’s okay. (Did somebody say baggage?)

Lots of things to go wrong there. Amazingly, not much does. (Did somebody say baggage–again?) That’s why when things do go wrong it’s news.

Notice they don’t have an uber-contractor trying to integrate all systems and dictate technology standards and usage. Strange, that. And I’ll bet they often use trainer-net (where some employee puts on trainers and walks information to diverse destinations). But that’s how functional communities develop–and despite grumbling and glitches, Heathrow functions as an information community: People get to destinations, planes don’t fall out of the sky. Successful information communities do seem to develop from the ground up, not the top down.

I guess the point I’m trying to make is that information systems and information assurance issues develop in an ecosystem not a vacuum. Complexity in information management is probably a geometric rather than arithmetic function relating to the number of actors involved. And yet don’t we often see government requirements for information systems that are internally oriented and indeed self-referential? The box must be this big with holes here and here, and those holes must be guarded in this way. I think more than anything else, government’s inability to get value for money from IT investment is based on this issue.

Please feel free to contribute complaints about Heathrow in the comments–I’ve suffered there myself. My praise is directed at a higher level, at finding a community that functions. Your nominations?

Well, at least it wasn’t here–this time

Posted by Tom Fuller in Blindside project, Data breaches at June 15th, 2007

You may notice below that I remarked on the linkage between data loss and laptops missing out of cars. But hey! At least this latest example comes to us from across the sea…

Much more serious (and without a vehicle in sight) the latest in a long string of data security fiascos at the Los Alamos Lab shows that yes, you can send nuclear secrets using an open email account but, no, it isn’t… prudent.