Early impressions of the new UK Cyber Security Strategy

On Friday 25th November, the UK Government released their Cyber Security Strategy for "Protecting and promoting the UK in a digital world". This document follows closely on the heels of the FCO organised 'London Conference on Cyberspace' at the beginning of the month. Such high profile events  are showing the importance of cybersecurity and management of threats on the UK Government mainstream political agenda. The declaration of cyber-security as a Tier 1 threat, and the much-cited investment of £650 million into the four-year National Cyber Security Programme (NCSP) further prove the commitment. This document sets out a UK strategy to be achieved by 2015 and provides the outline for future regulatory approaches to these developing risks.

It states in rather utopian language (taking lessons from the UN clearly...) -

"Our vision is for the UK in 2015 to derive huge economic and social value from a vibrant, resilient and secure cyberspace, where our actions, guided by our core values of liberty, fairness, transparency and the rule of law, enhance prosperity, national security and a strong society"

Despite this laudable sentiment, there has been criticism that the Strategy provides insufficient coherency for realisation of many of its aims. The Chartered Institute of IT notes that a framework for greater integration between public bodies, industry and individual citizens is required. Overlooking the lack of explicit detail at this stage, the Strategy does indicate key areas of investment and development for the next three years. I provide discussion of a few aspects that I found interesting. 

In relation to the NCSP fund mentioned above, the Strategy provides indication of the financial breakdown. The two highest sums are 59% (£383.5m) going to a "Single Intelligence Account" to build cross cutting capabilities including Information Assurance (for classified purposes at GCHQ) and 14% (£91m) going to the Ministry of Defence (for mainstreaming cyber in defence). The Home Office is next in line with 10% (£65m) then another 10% (£65m) to Government ICT. The Cabinet Office gets 5% (£32.5m) and BIS 2% (£13m).

The Strategy clearly acknowledges the importance of strong intelligence and the expertise of GCHQ. The Government wants the UK to pave the way as a leading environment for secure e-commerce and online activity. Development of the 'public/private hub of expertise on cybersecurity' is going to provide practical assistance in this regard. The development of defence technologies by increasing partnerships between GCHQ, private firms and academia is an area where the government foresees growth. Beyond this, a proactive approach to cyber-defence is also creating offensive technologies, which William Hague noted in October. This highlights the UK's role within the increasingly publicised global cyber arms race.

GCHQ estimates "80% or more of currently successful attacks exploit weakness that can be avoided by following simple best practice". The strategy frequently reiterates the need to detect threats and to empower individuals and firms. NATO at the Lisbon Summit also acknowledged the need to prevent, detect and defend against and recover from cyber attacks. Considering that such a high percentage of risk is attributable to avoidable weaknesses, it is important to question how detection systems (through intelligence and surveillance) can operate in a manner that addresses these weaknesses but still respects rights of individuals, particularly privacy. The strategy makes several acknowledgements of the importance in maintaining privacy. In s3.5 privacy is mentioned in relation to individual and collective security and secondly alongside the need to protect intellectual property (s3.6). With regard to intellectual property, an interesting development is its newly defined determination as part of critical infrastructure (when its loss causes significant economic damage to the UK).  Integration of IP protection into cybersecurity policy seems a curious path and suggests future legislative developments with formal consideration of IP with national security interests as opposed to merely economic ones. Importantly for this, the parameters of what is defined as relevant IP will be key. Protecting IP pertaining to military designs and certain industrial property has clear correlation with national interests if considered in relation to cyber-espionage. In other contexts defining the relevant forms of IP to protect may be less obvious.

It is noted that because most of cyberspace infrastructure is owned by private companies, there is great need for "private organisations to work in partnerships with each other, government and law enforcement agencies, sharing information and resources, to transform the response to a common challenge and actively deter the threats we face in cyberspace". These partnerships are recognition of the need for new governance methods, and as long as respective interests are balanced they seem a positive development. However, Lessig in the bible of cyberspace regulation, Code v2.0, noted the risks of seamless integration of law and technological architecture to create a system of perfect regulation in cyberspace. He acknowledges the necessity of a trigger to force this interaction, in this case security issues. It is important to remember that as new security centric governance structures are developing, balanced and proportionate regulation is essential. Proportionality is mentioned in the Strategy, but as many post 9/11 legislative developments have shown, when faced with balancing security and privacy, the government often struggles to achieve the correct balance. The real challenge for this Strategy is foreshadowing effective governance structures that addresses security challenges whilst maintaining respect for individual rights.

An interesting facet of the strategy is building international consensus through the 'soft law' mechanisms of 'norms of behaviour' in cyberspace. The Internet is already fragmented by regional territorial implementation of distinct norms where online practices in one country are well-established, but vehemently rejected in other (by government and citizens). These vary from cultural, religious and political filtering to shutting down communications infrastructure for controlling freedom of speech and association to increasing roles of online intermediaries to tackle issues like IP piracy. Attempting to establish norms in relation to a sensitive topic like national cyber-security seems even less likely to bear productive results. Ultimately it seems more likely internationally the result shall be diplomatic agreements and political commitments, that can be derogated from without formal sanction.

In terms of hard international laws, the UK as Chair of the Council of Europe for six months has made a renewed commitment to persuade other countries to develop compatible laws with the Cybercrime (Budapest) Convention. There is also a commitment at a domestic level to raising awareness of cyber specific sanctions for cyber offences within the UK judiciary. Considered in conjunction with the review of the Computer Misuse Act 1990, this may result in a range of new offences in the revised legislation, fit for purpose in this age. Another area of focus is cross border law enforcement with cooperation and prevention of safe havens. Although this approach seems more plausible in Europe (where information sharing system like Schengen I - with II on its way - already exist) for other non-European countries this seems a more unobtainable. Domestically, the establishment of a cyber crime unit in the new National Crime Agency (NCA) will draw on expertise of Serious Organised Crime Agency (SOCA) and the Met Police Central e-Crime Unit (PCeU). 

The Government indicates increased self-regulation of risks by the public. The Get Safe Online campaign, security kitemarks and increasing responsibilities of ISP's to guide individuals are some of the education focussed measures mentioned. Although there is a clear role here for consumer awareness, the efficacy of these measures will remain to be seen, particularly with kitemarks. On first appearance they sound like a bit of a red herring and susceptible to fraudulent applications. 

Whilst this Strategy provides interesting reading of developments to expect over the next three years, there are certain risks and pitfalls. The extrapolation of specific frameworks from this Strategy will be essential for creating proportionate and balanced regulatory structures. Without doing so, the damage to UK online business, national security and individual rights will be significant.

Creativity or Security? The increasing role of smartphone Malware

Whilst in the midst of completing a longer blog post looking at DDoS: law and technologies (still to be completed) I was taking a break and listening to the Guardian online podcast, Tech Weekly. Interestingly, the final discussion on this week’s program was considering smartphone security, and involved an interview with mobile security firm, Lookout. The report highlighted a couple of interesting points that I felt worthy of constituting a small blog post here.

The extent of vulnerabilities in this domain, are significant and a report on ARS Technica last Friday documented statistics from Juniper Networks showing Android malware increased 500% since May 2011. This is on top of an increase of 400% from Summer 2010 to May 2011. When one consider the recent Ofcom Communications Market Report from August 2011 showing that 27% of UK adults and 47% of teenagers own smartphones (with 59% obtaining them in the last year) the implications of malware growth for UK citizens are increasingly significant. Within these statistics a large component of smartphone ownership are Android devices, and on a global level Android remain the dominant OS for smartphones with a 52.5% dominance in 2011 Q3. The Tech Weekly report highlighted, perhaps obviously, that downloading of 'apps' from the app market places are the primary source of malware in smartphone handsets. The importance of this are when one considers the distinct ideologies of retained manufacturer control over app marketplaces that create fragmented domains of threats. The arbitrarily imposed and commercially guided parameters that entities like Apple, RIM, Windows and Google define can result in significant implications for mobile security. Furthermore, these governance procedures develop an environment where the user trades their relative freedom (to interact with content outside these arbitrary parameters) for a secure enclosed environment. 

To take an example, the closed,  'walled garden' of the Apple App Store is renowned for imposing strict and extensive limitations on app developers. Before even appearing on the App Store market, they have had to comply with a comprehensive range of norms established by Apple. UAE academic Daithi MacSithigh, (who is speaking in Edinburgh on the 23rd of November) has produced some fantastic presentations documenting the unusual and at times humorous clauses in the Apple Developer agreement.  The well-rehearsed arguments within Internet governance circles of Jonathan Zittrain's thesis 'The Future of the Internet' have introduced the concept of 'generativity'. This is “a system's capacity to produce unanticipated change through unfiltered contributions from broad and varied audiences ". With more than a hint of romanticism regarding the role of 'generativity', he notes the role of and shift towards closed, 'sterile' technological platforms, like Apple iOS. In contrast to the generative technologies of the 'PC/Internet' combination, the norms are no longer unfettered creativity for the end user, but instead extensive manufacturer retained control. He acknowledges within his own thesis that 'generativity' itself has led to the growth of 'sterile' technologies. This is because the virtues of creativity and freedom that generative technologies provide are used by many to instead develop malicious software for nefarious purposes. In turn, to combat this companies like Apple ensure the interests of their consumers are catered for by maintaining a closed domain for apps, reducing exposure to vulnerabilities within a highly regulated environment.

In contrast, the Android market place is a relatively 'open' domain.  A useful indicator of this fact is to conduct a comparison of the length of developer user agreements. Android provide a short and easily accessible document (unlike the seemingly unobtainable tome that is the Apple Developer agreement).  The lack of scrutiny over developers guidelines and the uploading of content, in the Android domain create a much more generative platform. However, there seems to be at least an ostensible link to the growth in malware indicated in Friday's ARS Technica report.  The significant extent of Android malware, also discussed in the McAfee 2011 Q2 report, is contrasted against the low level of iOS/iPhone based vulnerabilities. To what extent this is attributable to the 'open' generative system is unclear, but the issue here is the impact on market guided regulation through consumer decisions. Shall the protection of the 'Apple model' increasingly determine the fate of more 'open' platforms like Android? Instead, could antivirus companies protect Android consumer interests and thus retain the relative creativity of a more generative platforms and app stores? Or could industry standards grow that incorporate minimal markers of security by design? Where if these standards are not adhered to then the app is clearly malware and not admitted into the marketplace?

An interesting aspect raised on the podcast relates to the changing business model of companies providing antivirus (AV) services. Instead of relying on software on the terminal equipment, companies are indicating the benefits of cloud computing. An article on CircleID explains the shift and benefits of cloud based architectures for AV services, for both PC's and smartphones. They create the scalability to match the pace of increasing volumes of malware, increased efficiency in analysing malware in one location as opposed to on multiple terminals and it creates an ability to spot aspects of malware earlier, allowing an ex ante as opposed to ex post approach due to the broader range of visibility. In the mobile Internet domain, Lookout scan software in the app marketplace and spot trends in apps that indicate potential malware. This often results in removing the offending material before the consumer even has a chance to download it. It is often argued that education of risks to consumers is the answer to many online problems. Although awareness is undoubtedly useful, this approach of predicting risks in the marketplace (through technical markers) and removing malware before consumers download the offending product seems a positive one.

What these developments suggest is that the business models of different smartphone platforms and app stores can increase vulnerabilities of consumers to malware, and consequently the negativity of their consumer experience. Instead of moving solely to systems where imbalanced levels of control are vested in the manufacturer, new business models from the antivirus market seem to provide a means of protecting consumers whilst still allowing more 'open' app distribution domains to survive. In this regard, smartphone malware could appear as a dominant driver that will push consumers to vote with their feet and force new business models for smartphone manufacturers.The issues shall be will this be the less creative but more secure cosy sheltered domain of Apple or the wild 'open' and 'generative' app marketplaces. It seems to me that the most positive outcome is retention of the creative platforms, but increased integration with AV companies sniffing out threats and warding off wayward outlaws, whilst allowing the user relative freedom to continue on their own self determined path.

Note 1 - This Wired article highlights the issues with cybercrime statistics and to take them as indicating a problem  but perhaps with a pinch of salt, the huge figures cited of 900% increase in smartphone malware since Summer 2010 may be such an example... http://www.wired.co.uk/magazine/archive/2011/12/ideas-bank/cybercrime-stats