
Tim Mather: Experienced Security


Lessons from Egypt

Posted by Tim Mather Feb 1, 2011

The astounding and thrilling events in Egypt during the last couple of days, and Tunisia previously, should serve as a reminder to information security professionals about a couple of points.  The glaringly obvious point about Egypt is not to forget about the “A” in CIA – that is, confidentiality, integrity, and availability.  Amazingly, Egyptian government officials apparently (no confirmation from the government itself) ordered that the country be effectively taken off the Internet, as is graphically (literally) shown in a very interesting blog posting by Renesys.  This should be a stark reminder about not dismissing now unfashionable satellite communications (compared to fiber optic cables) entirely.  While satellite communications has its negatives (e.g., latency, relatively high bandwidth costs), it can and does still provide a critical link (literally) in parts of the world where the communications infrastructure suffers from a lack of build out, political uncertainty, or both.

 

Both Tunisia and Egypt are also a reminder of the challenges in trying to prevent data leakage – especially at the network level alone.  To paraphrase the old saying that 'one man's terrorist is another man's freedom fighter,' one man's data extrusion is another man's social media postings in favor of revolution.  Even the government apparatuses of two highly authoritarian states were unable to stop the flow of information about protest activities out of their countries.  And even Egypt's withdrawal from the Internet has failed to stem the flow of information.  While Facebook and Twitter are unavailable via the Internet within the country, information still flows out by satellite communications (e.g., from Al Jazeera), and from such immediate innovations as speak2tweet.  (For example, see “New Service Allows Egyptian Voices to Be Heard” in today's The New York Times.)  It is also ironic that some of the tools commonly used for circumvention (i.e., evading government censorship) around the world were actually funded, at least in part, by the United States Government.  SafeWeb, Tor, and Martus have all received U.S. Government funding at some time.

 

So as you watch and listen to these events, keep in mind the implications that they have for information security practitioners.

ENISA – Again

Posted by Tim Mather Jan 19, 2011

In case you missed it, ENISA (the European Network and Information Security Agency) this week issued another very good report on cloud computing security.  The report, Security and Resilience in Governmental Clouds, obviously focuses on cloud computing used by governments, but the issues discussed are relevant to all users of cloud computing.  The report is 146 pages long, and while I have not finished it yet myself, I will tell you that it is worth your time if you are involved (or going to be) with ensuring the security of your organization's cloud computing activities.

 

A lot of good people contributed to the report, and Daniele Catteddu of ENISA edited it and did a great job putting out another excellent ENISA report on cloud computing security.  (ENISA's first report on cloud computing security, Cloud Computing Risk Assessment, from November 2009, is also a must read for those information security practitioners involved with cloud computing – and was also edited by Daniele Catteddu.)  Well done ENISA – again.

“Revolution”

Posted by Tim Mather Jan 11, 2011

If you're a geek who lives in the San Francisco Bay Area (or a geek who will be visiting the Bay Area – for example, for next month's RSA Conference), then you owe it to yourself to visit the Computer History Museum on the peninsula in Mountain View.  Specifically, I recommend that you feed your inner geek and see the museum's new “Revolution” exhibit.

 

“Revolution: The First 2000 Years of Computing opens to the public on January 13, 2011. This major exhibition, more than six years in the making, will transform the way you think about computers, the software that runs them, and the people who set the ongoing computing revolution in motion.”

 

I had a chance to tour the exhibit as part of a preview, and it is a great exhibit.  Not only does the exhibit obviously deal with the technology involved in computing, but it traces the history of various aspects of computing, providing insight into how and why these technologies developed the way they have.  The exhibit takes up most of the museum's first floor, and is densely packed.  I would recommend that you allow yourself at least 90 minutes to two hours to take in all that the exhibit offers.  Make sure that you pick up a map of the exhibit so that you know where in the exhibit you are, and don't miss anything.  For seasoned geeks, this is a great walk down memory lane, and for younger geeks this is a great way to understand how all of your cool devices of today came into being.

 

Kudos to the Computer History Museum for putting together such a great exhibit!  You really should not miss this.

New Year – New Issues

Posted by Tim Mather Jan 6, 2011

Now that the new year is here, and everyone is back to work after the holidays, it is time to recheck your proficiency list.  Unfortunately, that list never seems to get any shorter.  Every year it seems that information security practitioners are expected, and often required, to be proficient in an ever increasing number of subjects and technologies.  I have a suggestion to add to your list.

 

While cloud computing got much of the media hype last year (along with social networking), an alternative view of both is what O'Reilly and The Economist have termed “Big Data”.  While that term is not precise or technical, it does express a concept that is now upon us: the never ending and exploding accumulation of data that is too large, too raw, or too unstructured for storage or analysis in traditional relational database management systems (RDBMSs).

 

We're not talking about terabytes of data any longer.  We're now talking routinely about petabytes of data – and in some cases, even larger amounts.  Tools such as Hadoop and its MapReduce programming model for processing these large amounts of data are becoming common: the work is split into a map step that runs over slices of the input in parallel, a shuffle that groups the intermediate results by key, and a reduce step that produces one result per key.  RDBMSs are giving way to NoSQL data stores.  And analysis with traditional business intelligence (BI) tools comes only after initial analysis with newer tools such as Hive (SQL-like queries over Hadoop data), or code written with Clojure and Thrift.
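To make the MapReduce pattern concrete, here is an added example (not code from the original post, and not Hadoop itself) written in plain Python with the same three phases a Hadoop job runs across a cluster, applied to a question a "Big Data" team is routinely handed by the security group: which source addresses are hammering our SSH logins? The log lines are constructed for the example and only loosely follow OpenSSH's message format; the function names and the threshold of three failures are this example's own choices.

```python
# Added example, not code from the original post: a MapReduce-style pipeline
# written in plain Python with the same three phases (map, shuffle, reduce)
# that Hadoop runs across a cluster. The log lines are constructed for this
# example and only loosely follow OpenSSH's message format.
import re
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List, Tuple

SAMPLE_LOG = """\
Jan  6 10:01:02 web1 sshd[2210]: Failed password for root from 203.0.113.7 port 5112 ssh2
Jan  6 10:01:04 web1 sshd[2210]: Failed password for root from 203.0.113.7 port 5113 ssh2
Jan  6 10:01:05 web1 sshd[2214]: Accepted password for alice from 198.51.100.4 port 6020 ssh2
Jan  6 10:01:09 web2 sshd[3301]: Failed password for invalid user admin from 203.0.113.7 port 5120 ssh2
Jan  6 10:02:11 web2 sshd[3302]: Failed password for bob from 198.51.100.4 port 6022 ssh2
Jan  6 10:02:15 web1 sshd[2220]: Failed password for root from 192.0.2.9 port 7001 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port")


def map_phase(lines: Iterable[str]) -> Iterator[Tuple[str, int]]:
    """Map: each input line is handled independently (so the work can be split
    across many workers); a failed login emits (source_ip, 1), anything else nothing."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group(1), 1


def shuffle_phase(pairs: Iterable[Tuple[str, int]]) -> Dict[str, List[int]]:
    """Shuffle: group every emitted value under its key. In Hadoop this is the
    framework's sort-and-partition step between mappers and reducers."""
    groups: Dict[str, List[int]] = defaultdict(list)
    for key, value in pairs:
        groups[key].append(value)
    return groups


def reduce_phase(groups: Dict[str, List[int]]) -> Dict[str, int]:
    """Reduce: one output record per key, here the total number of failures."""
    return {ip: sum(values) for ip, values in groups.items()}


def failed_logins_by_ip(log_text: str) -> Dict[str, int]:
    """The whole job: map -> shuffle -> reduce over the raw log text."""
    return reduce_phase(shuffle_phase(map_phase(log_text.splitlines())))


def brute_force_suspects(counts: Dict[str, int], threshold: int = 3) -> List[str]:
    """The follow-on analysis the post mentions, run on the reduced output rather
    than on the raw data: addresses at or above the failure threshold."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    counts = failed_logins_by_ip(SAMPLE_LOG)
    for ip, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print("%-15s %d" % (ip, n))
    print("suspects:", brute_force_suspects(counts))
```

The map function never sees more than one line at a time and the reducer never sees more than one key at a time, which is exactly what lets Hadoop spread the same logic over petabytes: the only state that has to be moved around is the (key, value) pairs produced by the map step.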

 

If these are new terms for you, then I suggest that you set aside some of your 'copious' free time early in this new year to begin getting familiar with “Big Data” – and with how to secure it.  It is one more subject to be proficient in (or at least somewhat knowledgeable about) in this new year.

Predictions for 2011

Posted by Tim Mather Dec 29, 2010

Well, it's that time of year when 'everyone' either does a 'Top 10' list for the year ending, or makes predictions about the coming year.  So, I'll offer two predictions for the coming year.  Neither one of those predictions is 'rocket science' by any means, but both should be on your radar for the implications they will have for information security and privacy.

 

First, there will be a major clash in the United States (in particular, but also with ramifications for the same debate in Europe) over network neutrality.  Congressional Republicans and mobile network operators versus the Federal Communications Commission (FCC), various rights groups (e.g., the Electronic Frontier Foundation – EFF, the Electronic Privacy Information Center – EPIC), and some technology companies.  This will be a major 'food fight,' which will definitely have an impact on network, and host device, security – as well as other, broader technology implications.

 

Second, there will probably be an even bigger 'food fight' over a likely Obama Administration request to Congress for expanded authority under the Communications Assistance for Law Enforcement Act (CALEA) for monitoring of communications over the Internet.  What the Administration and law enforcement view as only a 'modernization' of CALEA authorities (so-called CALEA II), is viewed by many others as nothing less than 'Clipper II' (i.e., a re-run of the 1990s fight over the National Security Agency's proposal for the Clipper chip).

 

Look for both of these issues to make headlines in the coming year, and both will have implications for information security practitioners – regardless of which side of the debate you are on for either issue.


When it comes to federated identity management (FIM) in the (public) cloud, FIM is 'broken'.  It is not the technology that is broken.  SAML (Security Assertion Markup Language) and XACML (eXtensible Access Control Markup Language) work as intended in the cloud for their specific functions (conveying authentication assertions and expressing access control policy, respectively).  It is the business process for FIM, i.e., credential acceptance, that breaks.

 

In fact, FIM never really worked pre-cloud either.  With 'traditional' enterprise IT, what FIM exists is primarily intra-enterprise or intra-domain.  Effectively, this FIM model is a master / slave relationship.  For example, corporate sets the policy for its business units and compels their adherence to the FIM.  Or, a company contractually binds certain of its suppliers to adhere to the company's FIM, usually based on the business need of having 3rd party suppliers service the company's customers, with the user experience based on the company seemingly providing all of its own customer service.  (In today's world of outsourcing, this is now common practice; that is, vendor X to ABC Company poses as ABC Company to ABC Company's customers.)

 

But, the original notion of FIM, built on peer-to-peer trust (identity provider-to-identity provider) has never been realized.  It has been tried however.  Such was the original business model for IdenTrust, which was established in 1999 ('The Year of PKI') to facilitate the inter-enterprise acceptance of PKI certificates.  IdenTrust never gained traction though.  Covisint has also tried to facilitate FIM, with only limited success.

 

The problem has not been technology, but business considerations, and specifically legal issues around accepting an authentication credential issued by another organization.  (OpenID effectively skirts this issue by not being trustworthy enough for business transactions.  OpenID is fine for social networking sites, but insufficiently secure for any 'meaningful' transaction – apologies OpenID.)

 

But even a master / slave relationship for FIM breaks down in the (public) cloud – it simply does not scale.  It doesn't even scale in today's single cloud environments, let alone for coming inter-cloud operations.  What is needed is a FIM that can meet business considerations (i.e., acceptance of authentication credentials issued by other organizations), and so far the current FIM vendors seem to have been happy to ignore this reality.  There is hope however.  For the first time, I just read a very good article proposing a solution to this problem.  If you are an IEEE member (e.g., a reader of Security & Privacy), then read “Toward a Multi-Tenancy Authorization System for Cloud Services” by HP Labs personnel in the latest (November / December) issue of Security & Privacy.  The authors explicitly address FIM in the cloud, and offer an intriguing solution.  It's nice to see an on-point discussion of this issue, rather than the usual vendor 'hand waving'.
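The post's distinction between the technology and the business process can be seen in code. Below is an added example (not code from the post, and not from the HP Labs paper it cites) of the checks a SAML relying party applies before accepting an assertion from another organization's identity provider. The assertion XML is a cut-down one constructed for the example; the signature is an HMAC over the assertion text, a stand-in for the XML-DSig verification against the IdP certificate in federation metadata that a real deployment performs; TRUSTED_IDPS, OUR_ENTITY_ID and the partner URLs are this example's own names. The trust registry is the point: the code is a dictionary lookup, while deciding what goes into the dictionary is the legal and business question the post says nobody has solved.

```python
# Added example, not code from the original post: the checks a SAML relying
# party (service provider) applies before it accepts an assertion from another
# organization's identity provider (IdP). The assertion XML is a cut-down one
# constructed for this example; the signature is an HMAC over the assertion
# text, a stand-in for the XML-DSig verification against the IdP certificate
# from federation metadata that a real deployment performs. TRUSTED_IDPS,
# OUR_ENTITY_ID and the partner URLs are this example's own names.
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
DEMO_NOW = datetime(2010, 12, 20, 12, 0, 0, tzinfo=timezone.utc)

# The relying party's trust registry. This table IS the business decision the
# post is talking about: which other organizations' credentials we accept.
# The code below merely consults it.
TRUSTED_IDPS = {
    "https://idp.partner-a.example/saml": b"partner-a-shared-secret",
}
OUR_ENTITY_ID = "https://sp.abc-company.example/saml"

ASSERTION_TEMPLATE = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    "<saml:Issuer>{issuer}</saml:Issuer>"
    "<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>"
    '<saml:Conditions NotBefore="{nbf}" NotOnOrAfter="{exp}">'
    "<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>"
    "</saml:AudienceRestriction></saml:Conditions>"
    "</saml:Assertion>"
)


def issue_assertion(issuer: str, key: bytes, subject: str, audience: str,
                    now: datetime, lifetime: timedelta = timedelta(minutes=5)) -> Tuple[str, str]:
    """IdP side: build the assertion and sign it (HMAC stand-in for XML-DSig)."""
    body = ASSERTION_TEMPLATE.format(
        issuer=issuer, subject=subject, audience=audience,
        nbf=now.strftime(TIME_FMT), exp=(now + lifetime).strftime(TIME_FMT))
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body, sig


def validate_assertion(body: str, sig: str, now: datetime) -> Tuple[bool, str]:
    """Relying-party side. Returns (accepted, reason). The issuer is resolved
    first so an unknown IdP is rejected before any key material is touched."""
    root = ET.fromstring(body)
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    key = TRUSTED_IDPS.get(issuer)
    if key is None:
        return False, "issuer not in trust registry: %s" % issuer
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "signature does not verify"
    cond = root.find("saml:Conditions", SAML_NS)
    nbf = datetime.strptime(cond.get("NotBefore"), TIME_FMT).replace(tzinfo=timezone.utc)
    exp = datetime.strptime(cond.get("NotOnOrAfter"), TIME_FMT).replace(tzinfo=timezone.utc)
    if not (nbf <= now < exp):
        return False, "assertion outside its validity window"
    audiences = [a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if OUR_ENTITY_ID not in audiences:
        return False, "assertion not addressed to this service provider"
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    return True, "accepted %s from %s" % (subject, issuer)


def run_demo() -> List[Tuple[bool, str]]:
    """Accept and reject cases, in order: good, tampered, expired, untrusted IdP,
    wrong audience. Returns the (accepted, reason) list."""
    idp = "https://idp.partner-a.example/saml"
    body, sig = issue_assertion(idp, TRUSTED_IDPS[idp], "alice", OUR_ENTITY_ID, DEMO_NOW)
    results = [
        validate_assertion(body, sig, DEMO_NOW),
        validate_assertion(body.replace("alice", "admin"), sig, DEMO_NOW),
        validate_assertion(body, sig, DEMO_NOW + timedelta(minutes=10)),
    ]
    # Same protocol, same format, but an IdP nobody at ABC Company agreed to trust.
    body2, sig2 = issue_assertion("https://idp.partner-b.example/saml", b"partner-b-key",
                                  "mallory", OUR_ENTITY_ID, DEMO_NOW)
    results.append(validate_assertion(body2, sig2, DEMO_NOW))
    # Trusted IdP, but the assertion was issued for a different service provider.
    body3, sig3 = issue_assertion(idp, TRUSTED_IDPS[idp], "alice",
                                  "https://sp.other.example/saml", DEMO_NOW)
    results.append(validate_assertion(body3, sig3, DEMO_NOW))
    return results


if __name__ == "__main__":
    for accepted, reason in run_demo():
        print("ACCEPT" if accepted else "REJECT", reason)
```

Every rejection except the first is a technology check that SAML specifies and that works; the "issuer not in trust registry" case is the one the post is about, and no amount of protocol engineering fills that table in.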


In the United States, the debate around the WikiLeaks disclosure of classified U.S. Government information has quickly morphed into a much broader fight – and I do mean fight.  What started as a debate over the release of classified information, and what those disclosures meant for secrecy versus transparency, obscured the rather ridiculous situation of how it was that an Army Specialist (a junior enlisted person) could allegedly get access to so much information – and not just Department of Defense information (obviously Department of State too).  Just what sort of data protection measures had actually been implemented – or not?

 

With the electronic attacks against WikiLeaks, and the retaliatory electronic attacks back against the corporate infrastructures of companies that denied services to WikiLeaks (e.g., Amazon Web Services, PayPal, MasterCard, Visa) by groups such as Anonymous, the debate has now shifted to freedom on the Internet versus attribution.  Rather suddenly, the WikiLeaks debate, from a technology perspective, has become a 'warm-up' fight over the Obama Administration's reported intention to submit proposals to Congress next year for revisions to CALEA (Communications Assistance for Law Enforcement Act).

 

The fight comes about because the Administration, so far, has not clearly articulated why changes to CALEA are necessary (from its perspective) – for example, that circuit-switched voice communications are going the way of the dinosaurs.  As more and more traffic is VoIP, the ability of law enforcement to quickly listen in on such communications is diminished.  However, what appears to the Administration to be 'CALEA II' appears to civil libertarians and privacy rights advocates to be nothing less than 'CLIPPER II' (as in the enormously contentious debate over the Clipper chip in the 1990s).  The changes to CALEA that the Administration is reportedly considering will impact not only voice communications, but all communications on the Internet.  Therefore, the original Clipper debate may in fact look tame compared to the coming debate.  And, that coming debate has effectively started with WikiLeaks as a proxy.


Earlier this week Microsoft announced a tracking protection privacy feature in its upcoming Internet Explorer 9 (IE9).  That announcement was in response to increased interest in on-line privacy by the Federal Trade Commission and the Commission's testimony to Congress on 'do not track' legislation the week before.  That attention was raised in part by an investigation conducted by The Wall Street Journal earlier this year, and detailed in a series of articles, “The Web's New Gold Mine: Your Secrets”.  While none of this (i.e., the lack of on-line privacy) is new to information security professionals, it is new and/or disturbing to millions of people who are not information security professionals and happen to use the Internet regularly.

 

And, while Microsoft's announcement about IE9 is a step in the right direction for helping to preserve privacy, it is by no means novel.  In fact, IE is simply imitating what NoScript has provided to Firefox users for several years.  And Firefox has long provided far more granular control over the use of cookies, especially 3rd party cookies, than IE has.  So, hopefully Microsoft's new tracking protection privacy feature will help to raise the bar in on-line privacy – and hopefully the FTC will keep up its efforts to ensure that such actually happens.  Go FTC!

Stuxnet's Own Hype Cycle

Posted by Tim Mather Nov 30, 2010

And, I'm back...  Free now from the vortex of graduate school (having just completed a Master's Degree in Information Assurance).

_______________________________________________________________________________________________

 

In late September I noted that the Stuxnet worm, which was receiving a lot of media attention at that time for targeting Siemens SCADA systems, may actually be an Israeli cyberattack directed against Iran's Bushehr nuclear reactor with the intention of disrupting Iran's nuclear program.  I based that statement in part on the informed speculation of Ralph Langner, who is a well respected expert on industrial systems security, and had just published an analysis of the worm.   Additionally, having been in information security for a number of years and having worked with the intelligence community previously, it did not seem to take a proverbial rocket scientist to believe that scenario to be plausible.

 

In October, I talked with a couple of people with Federal Government information security efforts and privy to classified information.  Without providing any classified information, they downplayed Stuxnet, saying that the worm was not that sophisticated, and saying it was highly doubtful that the worm was targeting Iran's nuclear efforts.

 

In November, came word publicly from no less than Sean McGurk, head of the Department of Homeland Security's Cybersecurity Center, that Stuxnet is a “game changer,” as he testified before the Senate Homeland Security Committee.  Then Iranian President Mahmoud Ahmadinejad said that Iran's uranium-enrichment program has been the target of sabotage –  but he refused to say whether the Stuxnet computer virus had been responsible for the problems.

 

As more information about Stuxnet becomes available, it seems increasingly likely that the worm is indeed not only particularly sophisticated, but is also an actual example of a cyberattack.  As I noted previously, there is a great deal of hype around “cyberwar” in this country.  Stuxnet, however, appears to be the real thing.

 

By the way, if you have not read Symantec's excellent analysis of Stuxnet, then you owe it to yourself to do so.  Kudos to Eric Chien and the team at Symantec for this analysis.

Replacement SAS-70

Posted by Tim Mather Oct 11, 2010

Over the course of a year, how many times do you get asked by customers, or by your own sales personnel on behalf of customers, for a SAS-70 audit report on your information security operations?  Conversely, over the course of a year, how many times do you ask for a SAS-70 audit report on a vendor providing services to your organization – or you ask a prospective vendor for due diligence reasons?  You probably hear or deal with a “SAS-70” several times a year.

 

If you have been doing information security for a while, then you are probably only too painfully aware of the limitations of a SAS-70 audit.  Essentially, a SAS-70 is being used today in ways that it was never intended to be used: it was designed as a report on a service organization's controls as they relate to its customers' financial reporting, not as a security assessment, and it has been stretched way beyond that original use.  And, with cloud computing comes the breaking point for SAS-70 audits.

 

Earlier this year, the AICPA (American Institute of Certified Public Accountants) released a new standard that will be replacing the SAS-70.  The new standard, Statement on Standards for Attestation Engagements 16 (SSAE 16), is effective for service auditors' reports on periods ending on or after June 15, 2011.  While the two standards are similar, you should also be aware of the differences between them (for example, SSAE 16 requires a written assertion from the service organization's management about its description of the system and its controls).  As an information security practitioner, you should be preparing for the SSAE 16 and getting familiar with it now – before it comes into effect.


Several weeks ago, I wrote about U.S. Deputy Secretary of Defense William Lynn's article in the September / October issue of Foreign Affairs, “Defending a New Domain”.  One of the important points that Lynn makes in his article is that “Although the threat to intellectual property is less dramatic than the threat to critical national infrastructure, it may be the most significant cyberthreat that the United States will face over the long term.”

 

With all of the hype about “cyberwar” that has been bandied about since February of this year (kicked off with an op-ed piece in The Washington Post, “Mike McConnell on how to win the cyber-war we're losing”), I appreciated seeing some rational remarks on the subject being made by no less than the Deputy Secretary of Defense.  There has been way too much FUD (fear, uncertainty, and doubt) thrown around about “cyberwar”.

 

On the other hand, the MPAA (Motion Picture Association of America) and the RIAA (Recording Industry Association of America) have certainly done their best to stoke fears of wholesale losses of intellectual property through piracy and counterfeiting of physical goods.  However, the GAO (Government Accountability Office) acknowledged in an April 2010 report that “Efforts to estimate losses involve assumptions such as the rate at which consumers would substitute counterfeit for legitimate products, which can have enormous impacts on the resulting estimates.” [1]  While the losses that MPAA and RIAA members have suffered have not been insignificant, they are almost certainly lower than the FUD bandied about on this issue by those who would like people to believe such figures.  (For a slightly different U.S. Government perspective on this issue, see the 2010 Special 301 Report, dated April 30, 2010, from the Office of the United States Trade Representative.)

 

Frankly, both the “cyberwar” mongers and the entertainment providers need to lower their rhetoric and remember that significant amounts of other intellectual property (e.g., patents and trade secrets) are probably at greater risk, and are worth far more to the country's economy, than either of these two groups' limited interests (government contracts, and increased penalties for individuals involved in illegal copying and/or sharing).  So, it didn't come as a surprise that neither the “cyberwar” mongers nor the entertainment providers had any formal comment on the Deputy Secretary of Defense's remarks.

 

Let's lower the rhetoric and keep some perspective here please about the threat “ranking” of cyberwar versus intellectual property protection, and remember that intellectual property protection consists of more than piracy and counterfeiting of physical goods.

 

 

[1] “Intellectual Property: Observations on Efforts to Quantify the Economic Effects of Counterfeit and Pirated Goods,” GAO-10-423, April 2010, p. 2.


I'm a bit off the mainstream this week.  In fact, not only is this very much an inside the Beltway issue, it is really an inside the Pentagon issue.  However, it's interesting to me since I am a former Army SIGINT officer (35G).  And the issue is: is electronic warfare part of cybersecurity or not?  A bit of confusion reigns on this question, but first let's start with a definition of what electronic warfare is.  According to Joint Publication 3-13.1, Electronic Warfare (dated 25 January 2007), electronic warfare is defined as:


Military action involving the use of electromagnetic and directed energy to control the electromagnetic spectrum or to attack the enemy. Electronic warfare consists of three divisions: electronic attack, electronic protection, and electronic warfare support. Also called EW.

 

OK, but is that part of cybersecurity?  The Army in particular has shown confusion on this point.  According to the Journal of Electronic Warfare, “In 2007, the Army authorized the merging of the CAC's Computer Network Operations (CNO) function with the EW function and formed what is now the USACEWP. The joining of the two disciplines grew from the Army's increasing need to understand, operate in and manipulate cyberspace.” [1]  However, after receiving a flood of negative feedback, the Army almost immediately reversed itself and again separated the two.  In June of this year (2010), when the Army announced the formation of Army Forces Cyber Command, it stated that “the Intelligence and Security Command [responsible for electronic warfare in the Army] will be under the operational control of ARFORCYBER for cyber-related actions.” [2]  Anyone with a military background should pick up immediately on operational control – not operational command.  In other words, Intelligence and Security Command is under the control of, but not actually part of, ARFORCYBER.  Not an unambiguous organizational arrangement by the Army.

 

Additionally, the Army has further confused itself by TRADOC (Training and Doctrine Command) issuing a revised conops (concept of operations) which clearly states that cyber operations (military term for cybersecurity) includes cyberwar – which includes cyber exploitation (CyE) – and CyE includes electronic warfare. [3]

 

The Navy more clearly states that its new 10th Fleet (its component command to U.S. Cyber Command – the sub-unified command under Strategic Command) includes operational control over “the full spectrum of computer network operations, cyber warfare, electronic warfare [emphasis added], information operations and signal intelligence capabilities and missions across the cyber, electromagnetic and space domains”. [4]

 

However, the U.S. Department of Defense Cyber Command Fact Sheet, issued on May 25, 2010, makes no mention of electronic warfare.  In his recent article in Foreign Affairs [5], Deputy Secretary of Defense William Lynn stated that, “Some of the United States' computer defenses are already linked with those of U.S. allies, especially through existing signals intelligence partnerships, but greater levels of cooperation are needed to stay ahead of the cyberthreat”.  Signals intelligence and electronic warfare are closely intertwined; the electronic warfare support division of EW, in particular, draws on the same collection assets as signals intelligence.

 

Confused yet by all this inside-the-Pentagon bantering?  I'll bet that those inside the Pentagon and inside U.S. Cyber Command are too.  And, it is hard to be effective with such confusion.  I hope that this subtle, but important, definitional issue of whether electronic warfare is part of cybersecurity is sorted out quickly – before something major (and negative) happens.

 

 

[1] Journal of Electronic Warfare, March 2009 issue, p. 26.

 

[2] “Cyber command to unite network defense efforts,” Army Public Affairs Office, June 2, 2010.

 

[3] TRADOC Pamphlet 525-7-8, “The United States Army’s Cyberspace Operations Concept Capability Plan 2016-2028,” dated 22 February 2010.

 

[4] “Navy Stands Up Fleet Cyber Command, Reestablishes U.S. 10th Fleet,” Navy Public Affairs Office, January 29, 2010.

 

[5] “Defending a New Domain,” in the September / October issue of Foreign Affairs, by U.S. Deputy Secretary of Defense William Lynn.

Cyberwar in the Shadows?

Posted by Tim Mather Sep 21, 2010

Earlier this month, at the annual Air & Space Conference, sponsored by the U.S. Air Force Association, conservative commentator Charles Krauthammer predicted that “Israel will probably attack Iran to keep it from developing a nuclear bomb”. [1]  He went on to speculate that, “The most direct route to Iran would be over Iraq, and the U.S. controls Iraqi airspace, meaning that an Israeli attack would require U.S. knowledge and acquiescence. But...the Saudis will consent to the overflight, albeit unofficially, and then pretend they didn’t know it was happening”.

 

The problem with such an air attack scenario is that the entire world would know that it was Israel that conducted such an attack – and it's very likely to be unsuccessful.  But it turns out that Krauthammer could be wrong for another reason.  Because of the two factors above, maybe the Israelis are not planning on conducting an old-fashioned kinetic attack, but are instead already conducting cyberwarfare?

 

Word this week is that the Stuxnet worm, which has received a lot of media attention for targeting Siemens SCADA systems, may actually be an Israeli cyberattack directed against Iran's Bushehr nuclear reactor with the intention of disrupting Iran's nuclear program.  That is the informed speculation at least of Ralph Langner, who is a well respected expert on industrial systems security, and has just published an analysis of the worm. [2]

 

“It is hard to ignore the fact that the highest number of infections seems to be in Iran. Can we think of any reasonable target that would match the scenario? Yes, we can. Look at the Iranian nuclear program. Strange – they are presently having some technical difficulties down there in Bushehr. There also seem to be indications that the people in Bushehr don't seem to be overly concerned about cyber security. When I saw this screenshot last year (http://www.upi.com/News_Photos/Features/The-Nuclear-Issue-in-Iran/1581/2/) I thought, these guys seem to be begging to be attacked. If the picture is authentic, which I have no means of verifying, it suggests that approximately one and a half years before scheduled going operational of a nuke plant they're playing around with software that is not properly licensed and configured. I have never seen anything like that even in the smallest cookie plant. The pure fact that the relevant authorities did not seem to make efforts to get this off the web suggests to me that they don't understand (and therefore don't worry about) the deeper message that this tells.”

 

As I have previously written about, there is a great deal of hype around “cyberwar” in this country.  Maybe this is an actual example of such?

 

[1] “Israel Likely to Strike Iran,” by Bryant Jordan, DoD Buzz, September 13, 2010.

 

[2] “Stuxnet virus may be aimed at Iran nuclear reactor,” by Robert McMillan, ComputerWorld UK, September 21, 2010.


Earlier this summer (July), a report on cybersecurity was released that really didn't get much attention – certainly not as much attention as it deserved.  Maybe that is because we (the information security community) didn't really like what the report had to say – because the report says that we are not doing a very good job of educating ourselves (the information security community) with the skills that we actually need to be successful.

 

Specifically, I am referring to “A Human Capital Crisis in Cybersecurity,” which was released by CSIS (Center for Strategic and International Studies).  CSIS does very good work, and Jim Lewis has an extensive background in information security matters, so we actually should take a hard look at ourselves – as the report points out.

 

For practitioners already in the field, there are two take-aways from the report.  First, “technical proficiency matters”.  For example, as the report states, “That the nation and the world are now critically dependent on the cyber infrastructure is no longer a matter of debate...The problem is both the quantity and quality [of personnel] especially when it comes to highly skilled 'red teaming' of professionals.”  Put another way, “In many ways, cybersecurity is a lot like 19th century medicine – a growing field dealing with real threats with lots of often self-taught practitioners only some of whom know what they are doing.”

 

Second, and related to the first take-away, the report states that,

 

A number of certification programs have evolved, some even ISO 17024 certified.  A few address specific equipment or technologies while others are more general.  While the existence of such programs has spurred investments in training, the consensus of the CSIS Commission was that, all too often, there was little if any connection to the specific technical cybersecurity skills that are needed in the workplace.

 

In the absence of an alternative, several organizations have built robust and highly profitable lines of [certification] business and are understandably anxious to evolve the work that they have done to meet the changing needs.

 

Ouch!  Sounds to me like we have too many latter day equivalents to “paper CNEs” running around – “paper CISXs”.  (Those of you who have been practitioners for long enough certainly remember the criticism that Novell faced earlier over its Certified Novell Engineer (CNE) program.)  The report even makes a recommendation for an independent Board of Information Security Examiners to correct this problem.

 

While some people may dismiss the report as being too negative, and some practitioners might be happy to just ignore the report, good for CSIS for pointing out these deficiencies.  Hopefully, it is a sign of the maturing of our profession that we face such issues and work to better ourselves and the profession itself.  If you have not yet read the report, then you should do so for your own professional development.  And, don't think that the issues raised are limited to the Federal Government, even though that is the focus of the report.


I was asked recently by a British publication what can be done better in the cloud, and whether it can really be safer than hosting on premise.  My response is that one obvious service is anti-malware protection.  There are several reasons for this.  First, let's recognize that the traditional method of providing anti-malware protection has been to do it on the endpoint itself.  However, this approach has been growing increasingly ineffective.  An August 2010 study from Cyveillance found that “...even the most popular AV [anti-virus] signature-based solutions detect on average less than 19% of malware threats.  That detection rate increases only to 61.7% after 30 days.” [1]  Those are terrible detection rates and are due largely to two factors.  First, an endpoint device can realistically run only a single anti-malware engine at a time: each engine hooks the same operating system interfaces (file-system filter drivers, the network stack), so competing engines conflict with one another and eat the host's resources.  Second is the problem of quickly updating anti-malware signatures on the endpoint device itself.  Both of these problems are explicitly addressed by moving protection from the endpoint to the cloud.

 

With cloud-based anti-malware, multiple engines can be, and are, run in parallel to provide far more effective protection: a sample can be treated as malicious if any one of the engines flags it (or if some threshold number of them agree), so the effective signature set is the union of all the engines' sets.  With multiple engines, an earlier University of Michigan study found that detection rates could be boosted to 98%. [2]  Additionally, it is far easier and faster to update anti-malware signatures on a unified group of servers in the cloud, rather than trying to update numerous endpoint devices.  Besides, with anti-malware signatures on cloud servers, the size of that signature set effectively becomes a moot issue.  Such is not the case when signatures must be stored and used on endpoint devices that are mobile phones with limited storage and processing capabilities.  For example, “In 2009, Symantec created 2,895,802 new malicious code signatures...a 71% increase over 2008” [3]  And with a total signature set of approximately six million signatures, that simply is not feasible for today's mobile phones to handle effectively.  A third reason why operating anti-malware in the cloud is better is the fact that there is far greater visibility of threats and infections.  This provides better situational awareness about malware and therefore better protection in itself.
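The arithmetic behind the multi-engine claim is easy to see in a toy version. The following is an added example (not code from the post, and not the CloudAV authors' code) of an N-version scanner in Python: each "engine" is simulated by a set of byte patterns it knows, the sample corpus is constructed, and the engines run concurrently on the same bytes with the verdicts aggregated by a vote threshold. Engine names, signatures and samples are all this example's own.

```python
# Added example, not code from the post or from the CloudAV paper it cites: a
# toy N-version scanner. Each "engine" is simulated by a signature set (byte
# substrings it knows), the samples are constructed byte strings, and the point
# is the post's arithmetic: any single engine misses what the others catch, and
# the union of several engines run in parallel on the server side catches far more.
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, List, Set, Tuple

# Simulated engines: engine name -> the byte patterns it knows about (constructed).
ENGINES: Dict[str, Set[bytes]] = {
    "engine-a": {b"\x4d\x5a\x90\x00PAYLOAD_A", b"eval(base64_decode("},
    "engine-b": {b"eval(base64_decode(", b"powershell -enc "},
    "engine-c": {b"powershell -enc ", b"\x4d\x5a\x90\x00PAYLOAD_C"},
}

# Constructed corpus: (name, content, is_malicious). The last malicious sample
# is known to no engine, which is what keeps the union below 100%.
SAMPLES: List[Tuple[str, bytes, bool]] = [
    ("dropper.exe", b"\x4d\x5a\x90\x00PAYLOAD_A....", True),
    ("webshell.php", b"<?php eval(base64_decode('aGk=')); ?>", True),
    ("macro.vbs", b'Shell "powershell -enc SQBFAFgA"', True),
    ("loader.exe", b"\x4d\x5a\x90\x00PAYLOAD_C....", True),
    ("unknown.bin", b"\x4d\x5a\x90\x00NOT_IN_ANY_SET", True),
    ("notes.txt", b"quarterly numbers attached", False),
]


def scan_one(engine: str, data: bytes) -> bool:
    """One engine's verdict: any of its signatures present in the sample."""
    return any(sig in data for sig in ENGINES[engine])


def scan_all(data: bytes) -> Dict[str, bool]:
    """The N-version step: every engine scans the same bytes concurrently.
    Nothing conflicts because each engine is its own worker on a server,
    not a driver competing for the endpoint's file-system and network hooks."""
    with ThreadPoolExecutor(max_workers=len(ENGINES)) as pool:
        futures = {name: pool.submit(scan_one, name, data) for name in ENGINES}
        return {name: f.result() for name, f in futures.items()}


def is_malicious(verdicts: Dict[str, bool], min_votes: int = 1) -> bool:
    """Aggregation policy. min_votes=1 is the 'any engine' rule that maximises
    detection; a higher threshold trades detection for fewer false positives."""
    return sum(verdicts.values()) >= min_votes


def detection_rates(min_votes: int = 1) -> Dict[str, float]:
    """Fraction of malicious samples caught by each engine alone and by the
    aggregate verdict (key 'union' when min_votes is 1, 'vote>=N' otherwise)."""
    malicious = [data for _, data, bad in SAMPLES if bad]
    hits = {name: 0 for name in ENGINES}
    aggregate_hits = 0
    for data in malicious:
        verdicts = scan_all(data)
        for name, flagged in verdicts.items():
            hits[name] += int(flagged)
        aggregate_hits += int(is_malicious(verdicts, min_votes))
    rates = {name: h / len(malicious) for name, h in hits.items()}
    label = "union" if min_votes == 1 else "vote>=%d" % min_votes
    rates[label] = aggregate_hits / len(malicious)
    return rates


def false_positives(min_votes: int = 1) -> List[str]:
    """Benign samples the aggregate flags; more engines means more chances to be
    wrong, so this is the other number to watch when adding engines."""
    return [name for name, data, bad in SAMPLES
            if not bad and is_malicious(scan_all(data), min_votes)]


if __name__ == "__main__":
    for name, rate in detection_rates().items():
        print("%-9s %.0f%%" % (name, 100 * rate))
    print("false positives:", false_positives())
```

With these constructed signature sets each engine alone catches 40% of the malicious samples and the union catches 80%; raising the vote threshold to two engines drops the aggregate back to 40%, which is the trade-off a cloud scanner operator tunes rather than something an endpoint with one engine can choose at all.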

 

For these reasons, cloud-based anti-malware protection is superior to traditional endpoint-based anti-malware capabilities.   However, can such capabilities be provided more securely than traditional enterprise, premise-based solutions?   Absolutely;  it is far easier to update a group of cloud-based servers and to secure them, than it is to try and effectively secure those same capabilities on numerous endpoint devices.

 

 

[1] “Malware Detection Rates for Leading AV Solutions: A Cyveillance Analysis,” August 2010.

 

[2] “CloudAV: N-Version Antivirus in the Network Cloud,” July 2008.

 

[3] “Symantec Global Internet Security Threat Report: Trends for 2009, Volume XV,” published April 2010 [latest available], p. 47.

