Matt Tett is the Managing Director of Enex TestLab, an independent testing laboratory with over 22 years' history and a heritage stemming from RMIT University. Matt holds the following security certifications in good standing: CISSP, CISM, CSEPS and CISA. He is a long-standing committee member of the Australian Information Security Association (AISA), Melbourne branch, and is also a member of the Information Systems Audit and Control Association (ISACA). Enex TestLab can be found at http://www.testlab.com.au, its blog at http://enextestlab.blogspot.com, and on Twitter as @enextestlab.
In my last CSO blog I posted about the Australian Federal Government's recent proposal that requires Internet Service Providers to retain their customers’ activity logs for a period of two years.
In recent days there has been an outcry over Syria switching off the country’s Internet, and parallels have been drawn with the Egyptian switch-off when they went through their own troubles. It has also been likened to the Obama administration’s request for a US “kill-switch” on the internet. I picture it being situated between the bat-phone and the nuke-the-“commies” button on the President’s desk in the Oval Office.
At the end of the day the real source of concern is who is watching the watchers, and what the watchers want to look at.
What really stands clear is that governments globally are realising that the digital economy is overtaking them. It is clearly here to stay and has well and truly moved from the domain of the academic and geek to the mainstream world - our mothers, grandmothers and children rely on it. Critical national infrastructure and governments are so entrenched in using it they simply cannot be excised. Trade and security borders, which for many years stood as a physical protection, separated by water or other geopolitical boundaries, are now dissolving rapidly. Crimes can be perpetrated electronically from anywhere on the globe against anyone.
Some of the analogies I offer below come from history, others from science fiction; however, my point is that governments and citizens face difficulties with the evolution of the global economy. We are all human, so it is a pity that cultures, politics and religions don't change as fast as light through a fibre optic cable.
Imagine if teleportation existed right now. I could flick on my iPort and beam myself from one side of the globe to the other, then beam myself back. Obviously I could do all this without a passport or visa. There simply cannot be an immigration/customs officer everywhere, all of the time, waiting for me to materialise. I would use the ability for innocuous reasons – picking up an In-N-Out burger from San Francisco pops to mind or perhaps a romantic dinner in Paris. However, I could also be malicious, popping in to execute someone, or grab a bunch of gold from a safe, or some plutonium from an enrichment facility. Those would be physical crimes – in fact if I beamed into the US without going through border control (even if I was just getting a burger) it would not be looked upon favourably.
What then, is the difference with electronic crime? And how do governments grapple with regulating crime perpetrated in a digital world?
The point has recently been made that agencies should have the ability to monitor at will and switch off at leisure. This is a knee-jerk reaction to being overwhelmed. An acquaintance with vast inside experience of government policy recently pointed out to me how risk averse they are. And this is something that is demonstrated to me daily – 85% of Enex TestLab’s testing business is with state, federal and international Government departments or agencies.
Due to this inherent need to identify and manage risk, no matter how minute, the amount of time this business takes is vast. Those in the public sector do not consider transferal or deferral of risk an option – it all needs to be addressed.
Look at how some governments handle Twitter. Generally anything published on Twitter goes through several committees—vetting which tweets need to be responded to. The material goes up and down the hierarchy chain several times before being released. People expect a response, but government tweets can take weeks to pop out the other side, by which stage they are often all but irrelevant (therefore risk avoided?). Frustrating for most of us.
So let’s move on to the wild west. Another analogy, which I recently attempted in public, was the concept of the printing press and railways. When the first printing presses were produced, politics and religion were up in arms as they realised this was the start of the education of the masses. Their access to, and potential freedom of, information had previously been unheard of. Regulations and restrictions were in place; however, over time the tide changed and the emerging technology worked its influence on the world to assist in making it the way it is today. This is exactly where we are at with the acceptance of the internet as the next incumbent information/education distribution platform. Now anyone with an opinion, right or wrong, can self-publish it.
I wonder about when the next religious prophet-figure has their ‘coming’ and walks the earth. Will they really be heard for all the noise?
Railway lines, on the other hand, were akin to private networks: various economies around the world developed their own private and public systems and standards to meet their own requirements—be it comfort, capacity, performance or a particular design to suit geography or climate.
In Australia, some states had different gauges (width between the two rails) meaning that interstate rail movements required a changing of freight and passengers at the border. This is the type of restriction governments who are seeking to regulate the internet are still seeking – unfortunately, engineers learnt from history’s mistakes and these days try to make basic infrastructure as interoperable as possible. (Hence one of the primary reasons the internet is relatively borderless. And even if it isn’t, where there is a will there is a way.)
Where to from here? Passports and visas on IP address ranges? Time will tell. Evolution of technologies will inevitably continue, from printing presses and railway lines to the internet and teleportation (maybe). Where we were 200 years ago is not where we will be in another 200 years; that is clear.
No one can write words or implement policy to stop innovation, regardless of whether it is for the progress or destruction of our race. Flexibility is called for and the ability to react and adapt rapidly.