Archive for the 'insider attacks' Category


Also see the insider attacks category on the Blindside Wiki

Corporate Surveillance of Employees’ Computer Usage

Sigh. When it becomes time for government departments to monitor employee activity on computers, networks and government issued mobile devices, do they have the same rights as private sector employers? If you click through and read the story, look at comment #108 before you answer my question…

Dangers of: Remote Working, Passport Counter Signatories, Microsoft Vista

Hi all,

I have referred in the past to Dave’s Bit Bucket, run by Dave Walker of Sun. His blog can be a bit of a slog as he actually has the temerity to post code up regarding his Solaris Trusted Extensions work, which just glides gracefully over my head. However, when he turns his attention to other subjects, we have to pay attention. So I will perform a much-needed public service here and link to specific posts relevant to Blindside:

Dave’s earlier post on Microsoft Vista (Why Microsoft Windows Vista cannot be deployed in Government, Critical National Infrastructure, or Battlespace …and I may well have missed a few categories for the sake of a concise subject line, especially where Finance, Aerospace, etc are not specifically included under the banner of “Critical National Infrastructure”. Read this, and be startled. Update: Putting a black hat on for a moment, this also means that Microsoft’s licensing verification servers will be the number 1 target for any actual Black Hat who wishes to cause general chaos, rather than target specific organisations; taking the licensing servers down in a manner which resulted in an outage of significant duration would precipitate a worldwide Vista outage. Also, in battlespace, if you’re running Solaris and your enemy is running Vista, it may be within the rules of war to target Microsoft’s licensing infrastructure (with either electronic warfare methods or, depending on the sphere of conflict, ordnance) and watch your enemy’s C4I infrastructure collapse…)

led to Dave linking to this: “DRM bites again: the Microsoft Windows Genuine Advantage servers (which every XP and Vista install phones home to) all failed sometime earlier today. The result? Every single Windows XP and Vista installation — except possibly those with volume license keys — is being marked as counterfeit when it tries to check in. Installations which are flagged as counterfeit switch to a “reduced functionality mode” which results in features like Aero and DirectX being disabled.”

When it comes time for Dave to renew his passport, he immediately sees a problem: “From the large list presented - and notwithstanding the extending clause of “someone of similar standing in the community” - I suspect that the average person wouldn’t have too much trouble finding someone who could be duped or bribed into providing a false assertion of identity for the Passport Office… ”

And, although we don’t want to stimulate plot ideas for 24, Dave looks ahead to future problems with remote working: With the continued rise in home-based and mobile working, the possibility of staff being forced to access and potentially modify data by suitably-armed ne’er-do-wells becomes a genuine - if niche - security issue. (…) Taking this into account, it’s possible that a well-designed system which authenticates users based on a username and password would require up to 4 passwords per user - one for legitimate login in a non-duress situation, and three more, one for each type of duress!
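Dave’s duress-password idea is worth seeing in working form, because the usual mistake is to let the duress login behave visibly differently. What follows is an added example, not code from Dave’s post or from Blindside: a verifier that holds one legitimate password and any number of labelled duress passwords per user, checks every stored hash on every login so that timing does not reveal which one matched, and returns exactly the same “granted” result to the caller in both cases. The only difference is a silent callback to the security team. The duress labels, the PBKDF2 work factor and the sample accounts are assumptions for the demo; Dave’s post does not say what the three types of duress are.

```python
"""Duress-aware password verification (added example, not Dave Walker's code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# PBKDF2 work factor: an assumption for the demo, tune for the real platform.
ITERATIONS = 100_000


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


@dataclass
class UserRecord:
    salt: bytes
    normal: bytes                                            # legitimate password
    duress: Dict[str, bytes] = field(default_factory=dict)   # label -> hash


@dataclass
class LoginResult:
    granted: bool
    # Set only for the security team's side channel. The layer that renders the
    # session must never display it, or the captor learns a duress code was used
    # and the scheme defeats its own purpose.
    duress_label: Optional[str] = None


class DuressVerifier:
    def __init__(self, alarm: Callable[[str, str], None]) -> None:
        self._users: Dict[str, UserRecord] = {}
        self._alarm = alarm   # silent notification, e.g. to an operations queue

    def enrol(self, username: str, password: str,
              duress_passwords: Dict[str, str]) -> None:
        salt = os.urandom(16)
        rec = UserRecord(
            salt=salt,
            normal=_kdf(password, salt),
            duress={label: _kdf(pw, salt) for label, pw in duress_passwords.items()},
        )
        # Same salt, so equal passwords give equal hashes: reject any collision
        # between the real password and a duress code, or between duress codes.
        hashes = [rec.normal, *rec.duress.values()]
        if len(set(hashes)) != len(hashes):
            raise ValueError("duress passwords must differ from the real one and from each other")
        self._users[username] = rec

    def login(self, username: str, password: str) -> LoginResult:
        rec = self._users.get(username)
        if rec is None:
            _kdf(password, os.urandom(16))   # burn the same cost for unknown users
            return LoginResult(False)
        candidate = _kdf(password, rec.salt)
        matched_normal = hmac.compare_digest(candidate, rec.normal)
        matched_label: Optional[str] = None
        # Walk every duress entry, every time, so the number of comparisons (and
        # the time taken) is the same whichever credential was typed.
        for label, digest in rec.duress.items():
            if hmac.compare_digest(candidate, digest) and matched_label is None:
                matched_label = label
        if matched_label is not None:
            self._alarm(username, matched_label)
            return LoginResult(True, matched_label)
        return LoginResult(matched_normal)


if __name__ == "__main__":
    # Constructed demo. The labels are placeholders; Dave's post names no types.
    events = []
    verifier = DuressVerifier(alarm=lambda user, label: events.append((user, label)))
    verifier.enrol("alice", "correct horse", {
        "duress-1": "battery staple",
        "duress-2": "staple battery",
        "duress-3": "horse correct",
    })
    print(verifier.login("alice", "correct horse"), events)   # granted, no alarm
    print(verifier.login("alice", "battery staple"), events)  # granted, alarm fired
```

The design point is that the attacker holding the gun sees a normal login either way; what happens next (a read-only view of stale data, a paged-out session, a physical response) has to be decided on the alarm side, out of the victim’s and the attacker’s sight.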

The FBI gets a TiVo…

This article, by Wired’s Ryan Singel details the FBI’s wiretapping capabilities with DCSNet, a communications surveillance network built under CALEA that sounds like it might have been advertised with the slogan, “Be the envy of other major governments”. The salient points:

- The FBI has extremely wide-ranging wiretapping facilities that let it log into a provider’s network; the provider turns on the tap once it receives a court order

- It’s having trouble with Skype, because there’s no central point to tap

- These digital wiretaps are more expensive than the traditional physical kind (by nearly a factor of ten) and processing the data is also considerably more expensive (all of which we taxpayers get to pay for)

- There are significant security holes inside DCSNet itself, many of which were spotted in its predecessor system, Carnivore.

wg

Second Crack at SCADA Issues

I must confess that when I first heard about SCADA-related security issues, the first thing that came to my mind was some of the hype about the Millennium bug. It just seemed a bit too convenient that the people highlighting the issues were the people selling solutions to combat it. (SCADA refers to Supervisory Control and Data Acquisition, proprietary computer control networks used in a lot of industry, such as utilities and chemical plants.)

But Y2K was not all smoke, of course. In addition to providing a key trigger for the Indian consultancies, it prompted a lot of thinking about IT security, and some of it is relevant to SCADA. And we need to take this to the next level of depth.

If you saw Bruce Willis in Die Hard 4.0, you saw the bad guys hijack a lot of SCADA networks in order to generate pyrotechnics and chances for the hero to get out of DC. My understanding is that this is not at all realistic. (What? A Hollywood action movie not realistic?) But we need to have this vetted.

My preliminary understanding of this is that security was not built into them when they were implemented and that organisations have been slow to build it in after the fact. As some of the functionality of SCADA networks migrated onto WANs and the Internet, network owners did not build in normal security protocols to protect from snooping, hacking and the same viruses and worms that bedevil all Internet users.

How correct is this preliminary understanding?

My casual reading of the literature suggests that precautions have been advised since 1999, that groups exist to highlight best practice and stimulate awareness of SCADA security issues, and that the problem is not so dire as to require the services of balding Yank action heroes.

Am I living in a dream world? Digital Bond, a security consultancy, would probably have you think so. This article in the August 22 issue of Forbes, the American business magazine, also expresses a level of concern that goes far beyond my preliminary assessment, talking about a successful penetration of a nuclear power plant’s SCADA network. IT Security expert Bruce Schneier wrote that he didn’t think SCADA was as much of a problem now as it would be in future, but in the same blog post he linked to a March 2007 story that detailed a serious hole found in the U.S. national infrastructure. I read this shortly after I blithely wrote on the Blindside wiki that I thought the maximum impact from SCADA issues was in the present, while solutions were being developed but adopted unevenly.

So which is it? Am I living in a dream world and ignoring a serious threat? Is SCADA security being over-egged by security vendors? Is the problem going to get worse?

We could use a little help on this one, folks.

Here’s what we wrote on the wiki.

How to destroy your child’s social capital…

…at State of Play, Doug Thomas told the story of the mother who emailed him for advice about her son. It seems that the previous weekend she’d gotten somewhat alarmed when he spent six hours straight playing World of Warcraft. She asked him to quit the game, and when he didn’t, she came over and turned off his computer. “But we were on the *final boss*!” Her question to Thomas: What happened? Thomas replied that what she had done was turn off the computer at the moment when his team had reached the final challenge of the day, leaving the 39 people relying on him stranded. Oh.

My friend Barbara used to talk about the ways that games could be made more family-friendly. For example, she and her son used to argue when mealtime or bedtime came along and he simply wasn’t at a stopping place. She felt that games would be a lot less contentious in a lot of families if designers paid more attention to things like making it possible to save the game at *any* point instead of only at certain, widely dispersed points, or making pause available throughout, and so on. I thought these were all good points, and the fact that so many games were not designed this way probably has or had something to do with the average demographic of the designers.

I don’t know what the solution might have been for WoW. The mother’s response to Thomas’s answer was something like, “Isn’t six hours a long time to play a game?” Well, it is. And especially so if you’re 13 or whatever and, as teenagers often do, fail to communicate to your parent in advance exactly what it is you’re signing up for this Saturday.

There has long been a lot of belief in some parts of the computer industry that virtual worlds are the future (or an important part of it). These kinds of issues will continue to resurface. At State of Play, the design panel talked about how architecture affects human behaviour, comparing real-life examples of public spaces with the virtual ones – in one case, they showed the same world with a big, central fountain around which people congregated and then without it, with people just randomly dispersing. Designers clearly think about this when they build their worlds. But there seems to me much less thought for the way the virtual world intersects with the demands of real life. There is no offline mode for Second Life, for example, so there is no way to sit offline on a plane and read the information you’ve collected in the world even though you can save notecards and other documents. The world itself is too big to download, but I don’t really understand why there is no offline mode for your own inventory and small home space. That, of course, gives the game gods complete control over your experience at all times – there’s always a wait when you log into the world while it downloads all the software updates since your last visit.

I Am At A Loss For Words

From Computer Weekly,

“Kent Police are pursuing a number of leads following a burglary at Sevenoaks-based Forensic Telecommunications Services (FTS) in which a server containing data on suspicious telephone calls over the past two years was stolen.

A police spokeswoman said, “The computer equipment contained evidence relating to telephone use linked to around 250 cases from police forces and law enforcement agencies across the UK, covering the last two years.

She declined to say whether the data was encrypted.

…A spokesman for FTS declined to provide any details beyond a prepared statement.

However, a Mail on Sunday report said the cases were related to counter-terrorism investigations.”

Part 2–What We Will Tell the Government About Convergence

Yesterday’s post on Identity Management got quite a few good responses–thanks. Here’s a lengthy excerpt of the draft version of what we will submit to the CSIA regarding convergence. The entire section is here on our wiki. Please take the time to read and comment–any howlers in here?

Convergence represents both the greatest opportunity for service delivery and the greatest potential threat to information assurance in our broad basket of subject areas.
Our information gathering exercise identified five different areas of convergence. Broadly, they include:
• General: Convergence (converged environments/networks) defines a multi-media environment and/or network where signals regardless of type (i.e. voice, quality audio, video, data, etc.) and encoding methodology may be seamlessly exchanged between independent endpoints with similar characteristics.
• Media: A theory in communications where every mass medium eventually merges to the point where they become one medium due to the advent of new communication technologies
• IP: The migration of multiple legacy networks of data, voice, images and video into a single integrated IP-based network, which facilitates higher efficiency in operational management and utilisation of a network.
• Technological: The modern presence of a vast array of different types of technology to perform very similar tasks. Also included in this topic is the basis of computer networks, wherein many different operating systems are able to communicate via different protocols.
• Fixed Mobile: Fixed and mobile telephony convergence aims to provide both services with a single phone, which could switch between networks ad hoc.
Each of these areas is moving quickly, and several affect one another.

Key Findings

Each of the above contributes to a broadly similar set of issues relating to information assurance.
1. Physical security of information: The increasing capabilities and smaller size of devices with access to networks and sensitive information (miniaturization is discussed elsewhere) makes theft, hacking or corruption easier and hence more likely.
2. Non-physical security issues: Attacks against one network using IP may degrade performance of other networks sharing the same infrastructure, due to:
3. Network dependence: The Internet is famously said to have been designed as a back-up communications system for use in case of catastrophic failure of traditional telephone and radio communications. As more information flows migrate to the Internet, capacity issues are already evident. In future, if satellite broadcasting is abandoned for IPTV, or wireless access to telecommunications services makes copper connections to homes redundant, over-reliance on the infrastructure of the Internet introduces vulnerability to attack. What will be the back-up for the Internet?
4. As services converge, some of them will be life-critical to citizens: IP 999 services, telemetry for those with chronic diseases, etc. As more devices converge around a single physical platform and single network, the number and importance of services will increase, as will their vulnerability to network failure. (This relates to identity management, as access denial can have health consequences.)
5. Although in one sense convergence provides new and exciting opportunities, dealing with convergence issues may impose unforeseen costs on government services. To give just one example, as technical capabilities make it possible to offer more services to the disabled and elderly, political pressure to provide these services may be strong. Adapting service delivery to account for convergence may be expensive. Certainly, dealing with threat to information assurance programmes will not be trivial.
6. As convergence will evolve over time, and may include divergence (see below), dealing with related issues will in all probability take time and effort.

Divergence

A related concept involving emerging technology is Divergence. Following the combination of diverse tools into single devices and migration to the most appropriate delivery platform, a new wave of innovation in single-purpose tools for more efficient delivery is sure to follow. Some of these will present particular opportunities for public service delivery, notably for disabled citizens, but also for field workers of government agencies.

Implications for UK Government

Our recommendations regarding convergence might seem contradictory, on the one hand urging a bunker mentality towards information security, and on the other recommending greater openness and flexibility in ensuring government’s ability to deliver services that meet users’ needs. However, convergence issues will present a significant challenge to government, and will likely require cross-departmental co-operation to manage. The key will be to keep services open and flexible, but information secure and redundant.
• Mothball programme. Preparations should begin now for the preservation of non-electronic service delivery mechanisms that might be abandoned by public and private sector organisations, including:
o Broadcasting capabilities
o Physical connections to home and business (or transition to utility companies)
o Switching networks for telephony
• Agreement amongst all network users on a prioritised cut-out list for use in an emergency, with automatic cascading cut-offs driven by pre-agreed triggers, and a named individual or organisation responsible for initiating a cut-off sequence and for notifying affected parties when a cut-off occurs.
• Security protocols should be strengthened in advance of the introduction of converged devices with new capabilities:
o Suppression of wireless communications capabilities in locations with access to sensitive data or systems
o Disabling access to internal networks from unauthorized devices
o Disabling auxiliary ports on computing devices with access to sensitive information, including floppy disc drives, CD-ROM, DVD and USB ports.
o Removing Bluetooth and other low-power radio access capabilities from devices with access to sensitive information
o Packet-sniffing on utility connections

Citizen Centric

From the citizen’s point of view, as more services are delivered online and more citizens elect to use electronic transactions, they (we) will have different expectations due to convergence:
• Will I be able to access and transact with government using non-computing devices?
• Will all government services converge on online delivery? What if we don’t want that?
• Can I get 24/7 availability of all government services as reliably as provided by the best companies?
• Can convergence help us to deal with access issues for the disabled?

What We Will Tell The Government, Part 1

We will be giving a draft of our report forecasting the impact of emerging technologies to the CSIA next week, if we don’t collectively develop writer’s cramp. It is based on what you have told us on this blog and what’s been put up on our wiki. Since you did so much to build it, you get the chance to inspect it before it’s delivered.

We will post it in stages on the wiki and excerpt it here. In total, it is to be 20 pages in length. In a previous post, we told you which subjects would be covered in the report. We also took the decision to highlight 3 issues for more in-depth exploration, those issues being Identity Management, Convergence and Nanotechnology.

Here is the overview for the Identity Management section, followed by our thoughts on the implications for UK government. The entire section will be on the wiki’s Identity Management page. If you don’t think this is what we should be telling the Cabinet Office, tell us here or on the wiki, or email me at tom dot fuller at kable dot co dot uk.

Identity Management Overview

The topic is discussed in depth here:

Not truly an emerging technology, identity management is an emerging discipline growing out of IT security, password- and certificate-based authentication, and communications. Of the relatively tiny number of academic publications and patent filings found at Scirus (a cross-disciplinary database of scientific publications), 89% of journal publications and 93% of patent filings with the phrase “identity management” in the title, abstract or text were published after 2002. It must be emphasised that little work has been done in this field; only 321 academic publications are found on Scirus and 597 patent applications in total. This compares with 17,833 academic publications and 8,309 patent applications for “biometrics.”

Identity management issues shade into information assurance issues, sometimes seamlessly. ID management has a tighter focus, concerning itself with the management of the identity life cycle. However, it should be noted that

    if identity management fails, information assurance is impossible

Citizen-Centric

• Do I trust the system that holds the information used to authenticate my identity? Will they lose it, sell it or abuse it?
• Can I manage the multiple logins and passwords mandated by the numerous systems I interact with?
• Do I have to continuously re-enter the same information time after time, frustrating me and increasing the chances of an error on my part or on the system’s?

Implications for UK government

• Biometric information used in identity management should be encrypted prior to transmission. Encrypted biometrics enable a more robust data management programme.
• The most successful systems rely on user input and verification of data.
o Amazon and eBay have systems that are more robust than banks, as they get information directly from the user alone, and prompt for updates with each transaction. Banks get information from customers too, but it is at the beginning of the relationship and they do not prompt for information change, and side inputs from other sources (credit rating agencies, etc.) are prone to much higher error rates.
o Information assurance programmes willing to accept private sector verification of identity might well consider using retailers that make home deliveries, looking for recency of successful interaction rather than length of relationship.
▪ The number of online shoppers was estimated at 14.5 million in 2005, including 2.7 million over age 55.
• Information assurance programmes that do not carefully vet every element of identity management procedures in sub-hierarchies should not rely on those organisations’ attestations of verified identity.
o An ongoing audit programme including attempts to defeat individual systems should be a vital part of any information assurance programme
o More importantly, the audit programme should try to construct false identities using information from a variety of systems to establish bona fides, with a goal of getting drivers’ licenses and passports. Information from these efforts should be shared only with system owners in efforts to improve system performance, to improve co-operation with affected organisations
• Of pressing current interest is the use of mobile wireless networks for Internet access. Laptop computers that use an unsecured network should not have confidential information on them, nor should they be permitted access to confidential information. Identity management protocols should identify the status of a user’s network connection and politely deny access until a secure connection can be established. Individual laptop computers that permit storage of or access to confidential information should be configured to prevent access to unsecured networks.
o As the physical security of laptop computers is not addressed elsewhere in this report, we take this opportunity to note that:
▪ laptops should have a proximity alarm installed to remind the user not to leave a laptop behind,
▪ a form-based permission mechanism should be used to minimise the loading and retention of confidential information on laptops. This could include automatic destruction of sensitive data after a date set by the user,
▪ GPS tracking should be used to retrieve lost or stolen laptops,
▪ preparations should begin now for similar security protocols for mobile phones and PDAs, to future-proof identity management systems prior to the introduction of devices with capabilities much greater than present versions.

Have at it!

SCADA–And Why It’s Important

This is why we need you. This has jumped up in conversation with the CPNI (the Centre for Protection of the National Infrastructure), and we are confident that many hands will make light work of this:

Premise: Almost all critical industrial infrastructures and processes are managed remotely from central control rooms, using computers and communications networks. The flow of gas and oil through pipes; the processing and distribution of water; the management of the electricity grid; the operation of chemical plants; and the signalling network for railways. These all use various forms of process control or “supervisory control and data acquisition” - SCADA technology. Until recently the term SCADA was unknown outside its niche area in industry. Today it is one of the key issues for infrastructure protection.

Question: Of the 63 subject areas we explore on our wiki and here, which are directly relevant to SCADA? (It might be easier to list the ones that are not.) How would emerging ICT help SCADA work better? Which emerging technologies are likely to pose a threat to SCADA systems, and how will that threat manifest itself?

If you would like to learn more about this, go here. Here is our chance to provide practical assistance to someone who wants it.
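Both SCADA posts on this page (the questions in “Second Crack at SCADA Issues” and the CPNI premise above) turn on the same fact: the control protocols were built without authentication, so once a control network is bridged onto a WAN the only way to tell an operator from an intruder is where a request comes from and what it asks for. As an added example, not code from the Blindside wiki, the CPNI or any vendor, here is a monitor for Modbus/TCP, one of the “various forms of process control” the premise alludes to (the choice of Modbus is an assumption; the page does not name a protocol). It decodes the MBAP header and function code of each request and checks it against a per-source allowlist. The frames, addresses and allowlist are constructed for the demo.

```python
"""Allowlist monitoring for unauthenticated Modbus/TCP (added example)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# MBAP header: transaction id, protocol id (0 = Modbus), length, unit id.
MBAP = struct.Struct(">HHHB")

READ_FUNCTIONS = {1, 2, 3, 4}               # coils, discrete inputs, registers
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}    # single/multiple writes, mask write, R/W


@dataclass
class ModbusRequest:
    transaction: int
    unit: int
    function: int
    payload: bytes


def parse_request(frame: bytes) -> ModbusRequest:
    """Decode one Modbus/TCP ADU; raise ValueError on anything inconsistent.

    There is no credential anywhere in this structure: anyone who can reach
    TCP port 502 can send a write.
    """
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction, protocol, length, unit = MBAP.unpack_from(frame)
    if protocol != 0:
        raise ValueError(f"protocol id {protocol} is not Modbus")
    # The length field counts the unit id byte plus the whole PDU.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} disagrees with frame size {len(frame)}")
    function = frame[7]
    if function & 0x80:
        raise ValueError("exception response seen where a request was expected")
    return ModbusRequest(transaction, unit, function, frame[8:])


# source ip -> unit id -> allowed function codes
Policy = Dict[str, Dict[int, Set[int]]]


def check_request(src: str, req: ModbusRequest, policy: Policy) -> Optional[str]:
    """Return an alert string, or None if the request is allowed."""
    allowed = policy.get(src)
    if allowed is None:
        kind = "WRITE" if req.function in WRITE_FUNCTIONS else "read"
        return f"{src}: {kind} fc={req.function} to unit {req.unit} from unknown host"
    funcs = allowed.get(req.unit)
    if funcs is None:
        return f"{src}: unit {req.unit} not permitted for this host"
    if req.function not in funcs:
        return f"{src}: fc={req.function} to unit {req.unit} not in allowlist"
    return None


def audit(frames: List[Tuple[str, bytes]], policy: Policy) -> List[str]:
    """Run every captured (source, frame) pair through the policy."""
    alerts: List[str] = []
    for src, frame in frames:
        try:
            req = parse_request(frame)
        except ValueError as exc:
            alerts.append(f"{src}: malformed frame ({exc})")
            continue
        alert = check_request(src, req, policy)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample: an HMI that may read and write unit 1, a historian that
# may only read, and frames from an address no policy knows about.
POLICY: Policy = {
    "10.0.0.5": {1: READ_FUNCTIONS | WRITE_FUNCTIONS},   # HMI
    "10.0.0.6": {1: READ_FUNCTIONS},                     # historian
}
SAMPLE_FRAMES: List[Tuple[str, bytes]] = [
    ("10.0.0.5", bytes.fromhex("00010000000601030000000a")),   # read 10 holding regs
    ("10.0.0.5", bytes.fromhex("0002000000060106001000ff")),   # write reg 0x10 := 255
    ("10.0.0.6", bytes.fromhex("000300000006010600100000")),   # historian tries a write
    ("10.0.0.99", bytes.fromhex("00040000000b0110001000020400010002")),  # fc16 from stranger
    ("10.0.0.99", bytes.fromhex("000500000006010300000001")),  # read from stranger
    ("10.0.0.5", bytes.fromhex("00060000000601")),             # truncated frame
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FRAMES, POLICY):
        print(line)
```

On a real network this logic would sit on a span port or tap in front of the PLCs; the allowlist is the control, because the protocol itself offers none. The historian’s attempted write and the stranger’s fc 16 are the events worth paging someone for.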

Risk Management Starts With an Inventory

An information assurance scheme (Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and nonrepudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.) that doesn’t start with an inventory isn’t going to get very far.

What does the initial inventory consist of? It would be fairly easy to list the systems that need to be protected, but don’t you also have to count the following?

1. All physical locations where access to the systems is permitted
2. All physical points of entry to the systems (not just desktops and laptops, but also their associated USB ports, CD-ROM/DVD drives, wireless networks and devices with wireless access). One should also now include BlackBerries, PDAs and mobile phones, indeed all Bluetooth-enabled devices operating near networks. All printers, scanners, copiers and fax machines.
3. All email accounts that can attach files from the system, including web-based email systems.
4. Number, identity and some history of all human resources with access to any of the above.

Okay, what have I missed so far?