Archive for the 'Humanity nature and activity' Category



“With infrastructure like that, who needs enemies?”

Posted by William Heath in Cyberwar, Data breaches, Humanity nature and activity, People and IT at December 4th, 2007

Terrific conversation about the technology threats of 10 years hence with Marcus Ranum on the Bruce Schneier blog.

HITs Come to American Football

Posted by Tom Fuller in Blindside project, Humanity nature and activity, Radically different stuff at December 2nd, 2007

Americans like to think of American football as a proxy for war, with strategy, tactics, heroics and planned, scheduled feats of athletic derring-do. The British have a slightly different opinion of American football… but let’s not go there.

Technology and information flows have played a large part in American football, from signalling to recording action to radio communication. And a lot of time and money has been spent on protective gear for the footballers.

Welcome to the world of HITs (Helmet Impact Telemetry).

Check out this video and tell me if resource tracking and monitoring in unconventional spaces (like battlefields, fire scenes and hostage situations) has not just received a real asset boost from the Yank football scene. A helmet that monitors impacts and relays information wirelessly to a central source for analysis. Yeah, that sounds useful.

Sometimes There Is Real News At The Weekend

Posted by Tom Fuller in Blindside project, Cyberwar, Data breaches, security services at December 1st, 2007

It looks as if Galileo, the EU satellite project, will go forward. This means that there will be competition to the American GPS services, and an alternative to location and timing signals. It’s an expensive back-up, but it’s important to have a back-up.

MI5 has issued a warning to a host of companies and organisations that they are being hacked–quite possibly by the Chinese. As we reported this summer when it was Whitehall and the MoD getting hacked, it’s important to remember that the Red Army, blamed for so much of this, has a lot of private enterprise initiatives out there, and this may not be seeking military advantage (although they wouldn’t throw that away if it came to hand) but seeking straightforward competitive advantage over UK companies doing (or hoping to do) business in China.

Here’s how it’s painted on the CPNI website. “The UK is a high priority espionage target and a number of countries are actively seeking UK information and material to advance their own military, technological, political and economic interests.”

And look at it this way–UK information protection schemes obviously need the exercise. Better be tested and found wanting in a time of peace. In a weird way, maybe we should thank the Chinese for this–if we act on the lessons learned…

More on Civilian Use of UAVs

This is going to get interesting, and the Economist says that this topic will be covered in their upcoming technology quarterly (which is really one of the best things about the Economist). We’ve been following UAVs here since summertime, and I really think that a) it is emerging as a technology that has information assurance implications for UK government and b) it’s really cool.

Ranging from powered model airplanes for children to the Predator, UAVs are currently lightly regulated and not at all policed, which should worry law enforcement as well as IA practitioners. With progress in miniaturization in full swing, an unmanned aerial vehicle can carry a camera (the UK is already using them to carry CCTV)… or something quite a bit deadlier. It is clear that legislation and regulation hasn’t caught up to the implications of this.

Meanwhile, at the Popular Mechanics website, there’s a story about the Houston Police Department’s trials of a UAV. The story walks through a lot of the issues revolving around this stuff.

Remember the main IA issue is going to be integrating information flows to, from and about potentially large numbers of these critters into information about more conventional air traffic. As I’ve mentioned before, between UAVs, ultralights and normal increases in air traffic (as point-to-point becomes more popular than hub and spoke and small jets become more ‘affordable’), those charged with keeping air traffic safe are going to have a lot on their hands.

Related stories (copied off the PM site–thanks!)

Civilian UAVs: No Pilot, No Problem

Britain’s Police Drone: Could It Stop Next Terror Plot?

Miami’s New Test Aircraft Gets Look from Army, Navy

Air Scouts: FA-18s Take On UAV Reconnaissance Duties in Iraq

Unmanned NASA Aircraft Enlisted in SoCal Firefight

Sunday Update: “Police and border control authorities are to use an unmanned aircraft to patrol the south coast to catch illegal immigrants trying to enter Britain by boat.” … “It is understood the police have expressed interest in using the £5m drone to monitor crowds during demonstrations and events such as football matches.”

Andrew Mellors, head of civil autonomous systems at BAE, told the conference: “From 2012 fully autonomous unmanned air systems could be routinely used by border agencies, the police and government bodies.”

Key Section Here: “On-board sensors also give the drone the ability to deal with unexpected incidents, for example by automatically changing course to avoid coming close to other planes in the crowded airspace.

BAE Systems is in talks with the authorities to ensure that the drone does not interfere with civil or military flying. It said that the Herti, in addition to its sensors, had transponders to allow other aircraft and ground controllers to see it on their radar.”

If BAE has the brains God gave a gnat it will put the sensors and transponders in a black box, sell it to everyone who wants to use a UAV, and politely inform government that they have the power to mandate inclusion in all unmanned aircraft…

Is This Good or Bad News?

Posted by Tom Fuller in Blindside project, Humanity nature and activity, data mining, fraud at November 30th, 2007

How easy would it be to find this information for UK and continental Europe?

“An estimated 8.3 million Americans over the age of 18 were victims of identity theft in 2005, according to an analysis of a phone survey released Tuesday by the FTC. That represented a decline of about 16 percent from an estimated 9.9 million victims in 2003, when the agency last conducted its survey.”

“Identity theft cost U.S. businesses $55.7 billion in 2006, according to Javelin Strategy & Research. The FTC estimates that in 2006 the cost to consumers was $1.2 billion.

But experts say complaints filed with the FTC offer only a glimpse of the actual damage. “Most people don’t even think about calling the government because they are not going to help them get their money back,” Litan said.

The FTC estimates that 1.8 million Americans discovered some type of fraud committed using their personal information, 3.2 million had their credit card accounts misused and 3.3 million experienced misuse of other financial accounts.

Javelin’s estimates back the FTC’s findings. It said 8.4 million people were victims of identity theft in 2007, down from 8.9 million in 2006 and 9.3 million in 2005.”

Top Down IA

Posted by Tom Fuller in Blindside project, Humanity nature and activity, culture, human error, standards at November 28th, 2007

Information Assurance almost by definition starts from the top of an organisation and works down. (Well, at least by my definition, which involves a board-level commitment to risk management, smooth flow of information to appropriate resources, and protection of information from those not explicitly authorised to view it).

But can this work in the public sector? Obviously, it currently does not, but is it feasible? I guess what I would like feedback on is if there is an Information Assurance briefing for those who move into senior levels of public service, get elected, change organisations, etc. Is there a Book? (a movie…?) Is there an IA Seminar 101 for those who move into positions of responsibility?

Then, moving down, is there appropriate training for mid-level management? It should cover most of the same issues, but in greater depth, as they will have to execute the broad strategies developed up above, right? And then, of course, the front lines. What dedicated training do they receive in information security, good data hygiene, etc.?

If it’s all there and up and running, I’d like to know.

Afterthought: On a Toyota assembly line, any production worker can stop the line if s/he suspects something is going wrong. I would wager that similar devolved authority to front line workers in government would stop a lot of these problems, especially if accompanied by appropriate training beforehand.

Somebody cc Those Working on NHS Databases

Posted by Tom Fuller in AnonymitY, Blindside project, Data breaches, e-ID, people and passwords at November 27th, 2007

“A security breach affecting an unknown number of Canadian citizens came to light last week in the Canadian province of Newfoundland and Labrador when a consultant for the Provincial Public Health Laboratory took a laptop containing patient health information home. The consultant was contacted by a person who identified himself as a representative of a computer security company and who claimed that he was able to access data on the laptop through the consultant’s home Internet connection.”

… “The exposed information includes names, Medical Care Plan numbers, age, sex, physician and test results for infectious diseases, including HIV and hepatitis.”

In a related news story… “Trust is fundamental to the effective management of security and privacy in the public realm.” Surprised? “Results from a ground-breaking pan-European study show that when it comes to security and identity in electronic public services, trust is a critical issue for European eGovernment. Given recent negative press stories about the security risks associated with personal data on social networking sites such as Facebook, and recent events in the UK where the personal details of some 25 million citizens appear to have been lost, this paper comes as a timely reminder about the need to manage trust and security effectively.” … “The cc:eGov study has identified exceptional good practice in Europe, for example in Estonia where an integrated ID card provides access to public and private services. However, the Estonian Government is rigorous and thorough in its protection of citizens’ data, to the extent where sustained cyber attacks on their systems earlier this year did not result in a breach of security. The trust of citizens was therefore reinforced.”

Qui Custodet Ipsos Custodiet?

Posted by Tom Fuller in Blindside project, IT failures, Malware, Murphy's Law, cracking stuff, threats at November 26th, 2007

Well, hope I got the Latin right. This is a bit unnerving (not this part–no application is perfect): “Antivirus software must open and inspect data in hundreds, if not thousands, of file formats. One bug in the software that does this can lead to a serious security breach. Zoller and his colleague Sergio Alvarez have been looking into this issue for the past two years and they’ve found more than 80 parser bugs in antivirus software, most of which have not yet been patched.”

“The flaws they’ve found affect every major antivirus vendor, and many of them could allow attackers to run unauthorized code on a victim’s system, Zoller said.”

It’s this part that is scary–the type of denial that has been the prelude to IT disasters for 20 years:

“Zoller says he has been criticized by his peers in the security industry for “questioning the very glue that holds IT security all together,” but he believes that by bringing this issue to the forefront, the industry will be forced to address a very real security problem. Between 2002 and 2005, nearly half of the vulnerabilities that were discovered in antivirus software were remotely exploitable, meaning that attackers could launch their attacks from anywhere on the Internet. Nowadays, that percentage is close to 80 percent, he said.”

Russ Cooper, a senior scientist with Verizon Business, had some criticism for the work of n.runs. “The research almost appears to be goading criminals into ‘getting better’ at attacking vulnerabilities… hardly helpful,” he said via instant message. “There’s no doubt that the list of vulnerabilities they have already published in security products looks daunting. However, historically, we have not seen this type of vulnerability exploited.”

And if I read this right, I do not want to do business with this company at all–he seems to be saying that there’s no need to fix it until it gets hacked: “Though Cooper agrees that antivirus file parsing vulnerabilities do pose a risk, he said there are several reasons they have not yet been the focus of widespread criminal attacks. For one, criminals are already being effective enough with their current tactics, such as sending malicious e-mail attachments. A second reason is that security software tends to get more scrutiny, meaning that any vulnerability that was being exploited would be quickly patched, and that any criminal involved in an exploit would be more likely to be caught.”

Coda

Security vendors have long known about vulnerabilities in their software, said Marc Maiffret, chief technology officer with eEye Digital Security. “Security software is just as vulnerable as any other software,” he said via instant message. “We all hire the same developers that went to the same colleges as Microsoft and learned the same bad habits.”

Wireless Networking Devices in Healthcare

Posted by Tom Fuller in Blindside project, Faster/smaller/better..., people and passwords at November 22nd, 2007

Maybe we all need something to take our minds off the debacle at HMRC, so here’s a bit more about wireless networking devices in hospitals.

Last week we published a post about medical clinical assistants, mobile devices for use by hospital professionals. We profiled one that is coming to market soon. We received two comments which I’m dragging out of the comments box and putting in a post of their own, as I think they deserve a bit more exposure:

Responses to “Information Security and Healthcare”

David French Says:
November 7th, 2007 at 8:22 pm

… I suspect that the subject of healthcare privacy needs a shake up from top to bottom. A few questions …

* Is it clear what the customer (that’s us, not the health managers) wants?
* What ‘need’ do these ‘wants’ reflect?
* Do the legislation and ethical requirements reflect this underlying need?
* Is there suitable compliance and enforcement of the legislation and ethical requirements?
* Should we get anaesthetists and paediatric cancer specialists before worrying about privacy and security?

When we have a good answer to those, we may be able to evaluate the technical questions about encrypting data at point of entry; securing information over wifi; ensuring that laptops and tablet devices are not attractive to thieves of information, identity or property (because they certainly will be available to all of those). …

Louise Ferguson Says:
November 19th, 2007 at 7:45 pm

A tablet device is too large and heavy for any kind of pocket (and hospital staff don’t have anything other than pockets), so tends to get treated much as a paper file would: left around on top of drug or record trolleys, unattended in corridors, on patient beds, or just plugged into a base unit for recharging in an often unattended clerk’s area of the ward. At one hospital I was told they had for years had a serious problem with theft of equipment, drugs and so on, reportedly by local junkies, and I understand the same problem exists elsewhere. Ward drug trolleys had to be chained to immovable objects, so tablet devices might suffer similar problems.

If devices are shared, there is no device owner so nobody really takes responsibility for the device (security, recharging and so on). And until costs really come down, I don’t see such devices becoming personal (each ward would require dozens). (Of course many doctors already use their own PDAs, which do fit comfortably in the pocket and are very much personal devices. They don’t get talked about as they are often not hospital equipment or part of a procurement strategy.)

I think hacking and malware come a little way down the list of problems, which tend to be pretty mundane. For example, it’s actually difficult getting a reliable wi-fi connection throughout a hospital ward (partly owing to the built environment in healthcare I guess). If a single set of paper notes is missing, things can be rejigged while they are located, but if you can’t access any patient records at all for several hours across an entire ward (and I’ve seen that happen), the problem is a little more serious.

Picking up a tablet PC from the clerk’s desk and popping into the toilets with it would, in my view, not be a problem in the average hospital ward. Data is stored remotely, but password-sharing is widespread and indeed passwords may be available in the clerk’s area. Many people do not always log out anyway, so as long as the machine has not already auto-logged out, you’re in.

It has to be said that data privacy never seems to have been much of a concern in the paper era: files lie around everywhere for anyone to pick up and read, white boards display sometimes quite personal info to any ward visitor, and telephone conversations about patients take place in the hearing of any passer by. But the difference is in the volume of data to be had for so little effort.

I don’t see any online systems doing away with the traditional informal records that every patient has - handwritten notes tucked into the nurse’s pocket, prepared at shift handover. Or on the SHO’s PDA. Wireless tablet devices promise data input and data availability at the bedside, but I don’t see tablets being used for any serious volume of input. Which may mean people are going to continue writing things down in paper files…

Sigh…

Here’s the story on the day after…

I have said this before on this blog. There are countries where a national identification card is completely non-controversial. There are possible benefits to society from a well run and properly managed system.

But in my heart of hearts I do not believe that this country’s government (and I do not distinguish between political party here) is capable of building and operating an ID management system at this point in time without disastrous consequences to information assurance.