I'm currently working on a couple of interrelated matters concerning ISO/IEC JTC 1/SC 27 business. One is the possibility of renaming and perhaps re-scoping the committee's work. The other is a study period exploring cybersecurity.
They are related because cyber is a hot potato - a bandwagon no less. Some on the committee are raring to disable the brakes and jump aboard.
When asked to describe what cybersecurity is, one expert replied "Budget!". That's more than just a cynical retort. Cyber risk, cyber security, cyber threats, cyber attacks, cyber incidents and cyberinsurance are all over the headlines. Several countries have invested in cyber strategies and units. There is money in cyber, so that's a good thing, right?
As I've said before, the focus on cyber is problematic for several reasons, not least distinctly different interpretations of the very term, a gaping chasm separating two distinct domains of understanding:
- In informal use (including most journalists and commentators in the blogosphere), cyber means almost anything to do with IT, the Internet in particular. The primary concerns here are everyday hackers and malware (or rather "viruses").
- In (some?) government and defense circles, cyber alludes to cyberwar, meaning state-sponsored extreme threats exploiting all means possible to compromise an enemy's critical infrastructures, IT systems, comms, economy and society. Compared to the other interpretation, this off-the-scale nastiness requires a fundamentally different approach. Firewalls and antivirus just won't cut it, not by a long chalk. If anything, those everyday hackers and malware are a source of chaff, handy to conceal much more insidious compromises such as APTs (Advanced Persistent Threats) and malicious processor hardware/firmware. Authorities stockpiling rather than disclosing vulnerabilities, and building red teams like there's no tomorrow, hint at what's going on right now.
As if that's not enough, every man and his dog is either coming up with his own unique definition or ducking the issue by remaining (deliberately?) vague and imprecise. There's little consensus, hence lots of confusion and talking at cross purposes.
It is entirely possible that SC 27 might find itself lumbered with the cyber moniker because it's sexy, in which case those different interpretations will have to be addressed at some point. Unfortunately a precedent has been set by ISO/IEC 27032 which unhelpfully refers to "the Cyberspace" - in practice a curious mashup of the Internet and virtual worlds. Quite bizarre.
Worse still, even the cyberwar version of cyber implies it is all about technology: since IT systems, networks and data are the concern, it is implied that technical controls are going to save the day.
My concern is that by going down the cyber alley, the committee, and hence the ISO27k standards, may neglect the rest of information risk and security beyond the technology. Consider these examples:
- The Bradley/Chelsea Manning and Edward Snowden incidents were information incidents but not cyber attacks (at least not as most people would define and use the term) and yet clearly they caused immense damage.
- Many common-or-garden frauds and scams either don’t involve IT at all, or the IT aspect is incidental. They are targeting people, not (just) computers. If someone tricks a corporate financier or a little old lady into authorizing or making an inappropriate payment, does it matter whether they are coerced into submitting the transaction online or popping down to the bank branch with a cheque? Would cybersecurity stop naïve investors being taken in by fake lotto wins, or pump-n-dump, penny-stock or pyramid schemes? Somewhere here I have a ‘419’ advance fee fraud letter sent to me in the post in the 1980s, before the Internet and email were in everyday use.
- Piracy and counterfeiting are an enormously costly issue globally: again, cyber plays an incidental role in intellectual property theft. Those container loads of fake Nike trainers arriving at the ports are not cyber attacks. Is it a cyber crime when a new employee brings with them a head-full of trade secrets from their previous employers, plus a box of business cards for all their business contacts?
- Is it a cyber crime when someone uses a fake library card to fool a utility into posting them a bill that they use to set up a credit account and … later … join a government department or apply for a passport? Identity theft existed long before computers were invented. It’s a rare CV that doesn’t at least bend the truth, and I’m sure many claimed courses, qualifications and work experiences are entirely fictitious.
- The secret services will always use conventional tradecraft such as pickpocketing/theft, infiltration and coercion, as well as cyber means. By the way, is ‘cybertage’ (sabotage targeting IT by any means including physical attacks using, say, bombs or electromagnetic pulses, not just hacks and malware) part of your remit, particularly for highly exposed critical infrastructure such as comms, power and water systems?
- The recent brouhaha over fake news and Russian involvement in the US presidential elections is, I’m sure, just the tip of the iceberg. Propaganda and control of the media have always been key tools to influence and manipulate the population. Political parties still use leaflets, posters and house-to-house canvassing, plus TV and radio advertisements, to supplement their online campaigns. These are not so much cyber as societal concerns involving information, very topical here with a general election looming.
- Substantial or total shutdown or failure of GPS and the Internet are credible scenarios in the event of global conflict (cyber war or terrorism or whatever), with horrendous consequences. There are so many vulnerabilities in our IT systems that compromise on a massive scale is not just possible but highly likely, almost certain I’d say, rendering them untrustworthy. What happens if/when, despite all our efforts, the cyber controls plus the IT systems and networks fail – what then? What if, say, ISIS or Anonymous or a superpower holds the entire cyber economy to ransom, instead of just individual organizations? Continuity management has implications at personal, organizational, national and global levels.