FreshThinking
FreshThinking[edit]
FreshThinking is a phrase used by IoT Security Task Force(TaskForce). Hackers are winning the war in Cybersecurity with breaches occurring daily and supposedly secure organizations like banks (JP Morgan), tech companies (Apple) and even the US military and Cybersecurity consultants (Deloitte) have been breached.A interactive visualization of breaches by type or organization, year and amount of loss is hosted at Biggest data breaches
Much like the fable of The Emperor's New Clothes] the standards being proposed while lauded and much acclaimed are ineffective and may be dangerous.
Techno Legal[edit]
The Task Force is proposing a new techno legal approach to IoT Security. It borrows ideas from how surveillance and security is done in the physical world and proposing similar concepts in cyberspace. The core idea is to adapt to the fact that with increasing usage of Cyberspace it is no longer a jungle but a series of cyber cities and cyber townships. The standard of care required to protect a person or a house in a city is much less then in a jungle because there is a enabling legal and institutional support like the Police and Neighbourhood Watch and bystanders and neighbors also pitch in to report suspicious activity and chase criminals.
CyberCity[edit]
In physical spaces insecurity or vulnerability does not necessarily lead to attacks or safety concerns. For example a lady walking out of a theater may have a stranger snatch her purse and run away. A business man walking out of an office may be robbed. These can happen. However due to the governance of urban spaces these are less probable then in cyberspace. The probability of the criminal being caught and subjected to penalty are fairly high and discourage such attacks. If such attacks become frequent civil authorities will deploy more police and other technique like pervasive CCTV and frisking to telegraph a heightened security posture and frighten criminals away. These concepts seem to be missing in cyberspace. We have not transitioned to cyber city from cyber jungle.
Key ideas[edit]
- Reduce Complexity
Cybersecurity protection is complex. An analogy is effort required to secure a house. Normally putting a lock on the doors is sufficient( password protect the WiFi/Broadband router). Securing the kitchen window or chimney is stronger but not necessary( Bluetooth or Amazon Alexa vocie operated Home automation). Creating a moat and a high fence with barbed wires may be required for high value property only ( Intrusion Detection System IDS) and a gold vault like Fort Knox requires a different level of security. Cybersecurity also requires great discipline from users as identity theft is a common attack. Technical tools to reduce complexity are required. However complexity is a function of legal and technical factors just like program complexity is a function of data structure and language used. Some types of tasks would be very difficult with COBOL ( machine Learning?) and the technical foundations of the Internet make it very difficult to secure as IP and MAC spoofing obscures the origin of entry.The legal framework which does not adequately provide right of self defense and following criminals in cyberspace is also a contributing factor.
The complexity of a program can be greatly reduced by right data structure and proper programming language(Algorithm) .Similarly complexity of cyber-security can be greatly reduced by a different legal framework and SAFENET Template:Link and explain design of networks
- Reduce cost and effort
Cyber-security requires lot of effort and is expensive and skills required are increasing. There is a lack of enough expertise at a scale that can be effective. So business models which encourage cooperation and pooling should be enabled
- Legal sanction for self help groups(SHG)
In a gated community or a Office tower block access may be restricted and incoming visitors and outgoing people may be checked by security . This allows residents to share the cost of common security and other facilities. Cloud providers like Amazon AWS or Microsoft Azure provide multi tenanted space and can provide more secure space.These are semi private spaces in Cyberspace. Semi Public places also have their own surveillance and secure operations . Banks,Malls,Concerts hall may frisk visitors and refuse entries to masked people. These and other self help groups should be recognized entities in Cyberlaw. It should not be a "each-person-for-self" world
- SHG should have delegated Police authority
SHG should be able to deter criminal behavior by imposing costs on criminals. A industrial township can have its own security and surveillance with legal rights to chase and capture suspected criminals.While these ParaPolice may have oversight from the urban local body (ULB) police they have some delegated rights to enter property (Car or safe house) and size people and stuff. Current cyberlaw makes entry of a attackers server or inspection of suspected attackers network or equipment illegal if not done by the Police.
- SECURENET A secure net may use a different foundation then the TCP/IP and UDP approach.
- A CLASS E subnet
- Packets routed thru identified and secured routers . A military grade sub net
- Mandatory strong identification and authentication of hosts and devices . Hardware based root of trust.
- CyberCCTV. All packets are logged for forensics and real time correlation of emerging threats used to throttle and block. Preventive rather then post fact forensic approach. Network level correlation may make it easier to spot incipient attacks. Logging is not just centralized but at different levels. So anomaly detection for a local neighbourhood is much easier and reduces false positive that currently overwhelm IDS.
- Collaboration across all actors in SECURENET. The potential is visible from the WireX Botnet incident.
- Piracy law in Cyberspace
- International law allows captains of ships and airplanes police rights to deter criminal behavior. Since cyber criminals operate across territorial borders we need to evolve the legal framework and enable victims to catch criminal and bring them to justice under territorial country criminal courts
ToDo[edit]
-Links to TaskForce presentations and position papers
- https://www.slideshare.net/cisoplatform7/keynote-session-internet-of-things-iot-security-taskforce
- http://www.iotforindia.org/blog-post/iotsecurity-the-standards-are-injurious-not-just-wrong/
-Crtiques and open issues
- Google X Cybersecurity needs a moonshot
- Attribution becomes more difficult with state sponsored hackers
- US government fails basic cyber security test
- FBI Hacking across Borders?
- The bad guys are really good at what they do. And they are winning
- Use markets not mandates
- [http://google.com/newsstand/s/CBIwkaz9kTc How Machine Learning Can Help Identify Cyber Vulnerabilities
HBR.org Daily]