The implications of the revelations of ex-NSA employee Edward Snowden have been much discussed and many people who were not previously concerned with cyber-security are now wondering what they should be doing. This is a good thing – but the danger has not changed, only the perception of it. Most of the ideas outlined here were well known, at least in broad terms, before this, but those who argued for them were considered paranoid.
If you’ve been asked to put a presentation together, maybe because your Board suddenly wants to know what can be done, then this, I hope, will be just the article for you. It is intended to be a quick, high-level guide to exactly that. The solution is not all, or even mainly, technical; it is actually a matter of sound service governance, as I’ll describe. So, what to do?
First: don’t panic! There is not very much that can be done in the short term. Rushing about trying to fix firewalls is likely to make things worse; a worthwhile solution must be thought out properly.
Secondly: do you need to do anything at all? Maybe not. It is only worth spending money to address a risk if the risk is credible and, if it happens, will have a large impact. If the worst happened and your most important competitor, and all your customers and suppliers, were to see all your corporate information, in detail, would your business suffer? For a good many businesses, the answer is ‘no, not really, not much’. If that is the genuine answer, then there is no need to waste money on expensive security measures. Many companies, on the other hand, would go out of business quite quickly in this situation – for them, it is essential, for good governance, to be certain that a proper cyber-security policy is in place, and then put into action.
What is the threat? Exactly the scenario outlined above. If somebody can access your information through a secret trapdoor in your firewalls, your applications, or your operating systems, then, in principle, anybody can.
Governance and Cyber-Security
The biggest risk to security isn’t technical at all. Anybody in your organisation can, if disgruntled, take what they’re allowed to have access to and share it with your competitor, the regulators or a foreign government. This is always the biggest risk.
How do you mitigate this one? Staff satisfaction. If you have good governance, so that, as an organisation, you have fair policies, you are a good corporate citizen that helps your community, and you look after your staff by treating them fairly, giving them opportunities for advancement and training them, then you will have satisfied staff who will be loyal to you and won’t wish to let you down by revealing your corporate secrets to competitors.
So the first firewall you need to build is a wall of trust between your organisation and your staff. The same applies to suppliers and customers: you need to make sure that they are also part of your circle of trust, so they don’t reveal things that could damage the organisation.
It helps too, because good governance ensures that the organisation is behaving ethically, so there are no skeletons in the cupboard waiting to be revealed by whistle-blowers.
Beyond that, you can make sure that your infrastructure is safe from cyber-criminals, spies (both genuine spies and industrial spies), hackers and so forth. This is not as easy as it seems, so it is worth considering technical solutions to cyber-security in a bit more detail.
The most obvious danger highlighted by Snowden’s revelations was how vulnerable organisations are to closed-source solutions. In the past, the simple-minded solution many people saw to security was to put everything behind a firewall. This has three problems:
- The firewall can be breached through any trap doors in its firmware and this breach will be undetectable
- Even if the firewall isn’t breached, closed-source operating systems can communicate back to the ‘mother ship’ through the firewall through their trap doors
- Even if your closed operating systems and closed firewalls are not letting anybody in, your closed applications can be.
On that last point, if you’re running Microsoft Office products on your computer, have a look at the activity monitor. Even if you’ve not used Word, say, for many hours, you’ll see it has clocked up lots of activity. What is it doing? It’s connecting back to Microsoft to check that your licence is OK – that’s it, you’re paying for it to do this several times a day, on your CPU. If Microsoft wanted it to send other information back, would you have any way of knowing?
Can you trust any closed-source firewalls, operating systems or applications? Snowden has shown that you can’t. It makes sense for anybody wanting to spy to put their bugs (in the sense of listening devices) as close to you as they can – and putting secret trapdoors into these devices simply makes sense (to a spy).
Why is open source any different?
It is still possible to put trapdoors into open source software. The difference is that you can get somebody to check the software and cut out anything in it that you don’t need, or that looks suspicious – and you can get open source software to log what it is doing honestly. Closed source software can put what it wants to into a log; if it leaves out certain things it doesn’t want you to see it is doing, you can’t even know that they are missing.
If you look on the market, you will find that there are no open source firewalls, at least not hardware boxes. There is an open source operating system, though, Linux (let’s hope that in future there will be more, and better ones), as well as open source word processing and spreadsheet software and other open source applications.
To reduce the risk, where possible, remove proprietary closed-source devices and replace them with open source ones. It would be expensive overkill to throw out everything proprietary at once. Rather, produce a service portfolio and concentrate on the services that are most important to the organisation and replace them with open source solutions first.
If you have a firewall made in China, and a firewall made in the US, you could try putting one firewall inside the other – that way you’re banking on the Chinese firewall blocking the US secret trapdoor and vice versa. Even if this worked, though, you still have the problem with operating system and application trapdoors.
A better solution is to shut down your firewalls. That seems a bit extreme, but, if you have physical boxes as firewalls, you can’t do anything about the firmware they are running, so don’t. Make a Linux box your firewall with a software firewall. It might be a bit slower, but it will be safer.
What can be done in the long term?
If you have closed source solutions, see if your supplier can give you, or sell you, the source code. Then you can check that for trap doors and remove anything you think suspicious or unnecessary.
Invest in open source development. There is no reason why an ‘open source’ router or firewall can’t be developed, where the hardware and firmware are all revealed and can be tested to see they have no trapdoors. This takes money, so organisations interested in long-term solutions need to invest in such efforts.
If you are going to have firewalls, make sure that they are governed properly. Do you actually know what the rules are on your firewalls at the moment? Probably not. Usually the rules are written in ‘techie-speak’ and only a few experts know what they are. This is bad governance. Invest in rule-based firewalls where the rules can be set by the policy you have for each service in a way that is understandable to non-technical people.
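One way to keep firewall rules tied to a per-service policy that non-technical people can read, as an added example that is not part of the original article: it assumes the Linux software firewall is nftables, and the policy entries, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample policy: one entry per business service, in terms a
# service owner can read and sign off. All names and addresses are made up.
POLICY = [
    {"owner": "Finance", "service": "Payroll web app",
     "who": "10.20.0.0/24", "proto": "tcp", "port": 443},
    {"owner": "IT", "service": "Staff mail (IMAPS)",
     "who": "10.0.0.0/8", "proto": "tcp", "port": 993},
    {"owner": "IT", "service": "Admin SSH from jump host",
     "who": "10.20.5.10/32", "proto": "tcp", "port": 22},
]

def validate(entry):
    """Reject anything that would make the generated rule ambiguous."""
    net = ipaddress.ip_network(entry["who"])  # ValueError on a sloppy CIDR
    if net.version != 4:
        raise ValueError("this sketch only emits IPv4 rules")
    if entry["proto"] not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol: {entry['proto']}")
    if not (isinstance(entry["port"], int) and 1 <= entry["port"] <= 65535):
        raise ValueError(f"bad port: {entry['port']}")
    label = f"{entry['owner']}: {entry['service']}"
    # The label ends up inside a quoted nft comment (limit: 128 bytes).
    if '"' in label or "\n" in label or len(label.encode()) > 128:
        raise ValueError(f"label not safe as a rule comment: {label!r}")
    return net, label

def plain_english(entry):
    """The sentence a non-technical reviewer signs off."""
    return (f"{entry['service']} ({entry['owner']}) may be reached from "
            f"{entry['who']} on {entry['proto']} port {entry['port']}.")

def to_nft(policy):
    """Render the policy as a default-deny nftables input chain."""
    rules = ['ct state established,related accept', 'iif "lo" accept']
    for entry in policy:
        net, label = validate(entry)
        rules.append(f'ip saddr {net} {entry["proto"]} dport {entry["port"]} '
                     f'accept comment "{label}"')
    # Whatever no service asked for is logged (rate-limited), then dropped.
    rules.append('limit rate 5/minute log prefix "not-in-policy: "')
    body = "\n".join(f"        {r}" for r in rules)
    return ("table inet filter {\n    chain input {\n"
            "        type filter hook input priority 0; policy drop;\n"
            f"{body}\n    }}\n}}\n")

if __name__ == "__main__":
    print("\n".join(plain_english(e) for e in POLICY))
    print(to_nft(POLICY))
```

The generated ruleset can be syntax-checked without loading it by saving it to a file and running `nft -c -f` on that file.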
If you do invest in open source development, the most promising area for fast, easily configured and effective cyber-security is using the same machines that are currently being used for Bitcoin mining. They are getting cheaper all the time and are very, very fast. They are seen to be difficult to program, though, and, again, only experts know what they are doing.
There is a solution, though, which is to invest in open source development in Ada for these boxes (FPGAs, or field-programmable gate arrays, to give the jargon). Ada is a language invented by the US DoD to be reliable. It is very fast; it is proven to be faster to write and faster to execute than assembler. It is possible to produce secure routers and firewalls with no trapdoors that can be configured at the service level (so the rules are understandable in business terms) using Ada – but a number of companies need to put up the investment capital to achieve this.
What can I do about it now?
Here is a short checklist of actions that should lead towards a more secure organisation. Not every organisation will need to do all of them, and not all will need to start with them at once, but this is the basis:
- Audit your staff satisfaction
- Audit your customer satisfaction
- Audit your business and technical infrastructure
- Identify the greatest risks from weaknesses in the above
- Produce a plan to address these
Medium & Long Term:
- Fund a programme to govern services.
- Establish a service portfolio to enable the board to understand which business services deliver most value, what they cost, what risks they are exposed to and how to mitigate those risks.
- Use this portfolio to prioritise the requirements for the organisation into a corporate requirements register.
- Design a set of solutions to address these requirements
- Build business cases for these solutions
- Execute the plans from the most appropriate business cases
Security has never been a truly technical matter. The best security in the world can be circumvented in a few seconds by a whistle-blower. The correct response is not to panic, but to put in place a set of well thought-out policies and then, through well-designed procedures and processes, make sure that these policies are complied with. It takes time and money, but it is the only route to reaching a tolerable level of security. If you use a modern governance framework, such as that proposed by the King III commission, it will ensure that you act to be a good corporate citizen – which will reduce the risk of whistle-blowers by achieving satisfied staff, customers and suppliers.
It is worthwhile establishing service governance as the organisation’s main governance tool because it enables and improves all business processes, delivering value to stakeholders by ensuring, along with many other things, a proper balance between risk and investment in cyber-security. Decisions to invest in an aspect of security should be based on the appropriate requirements of each particular service and its stakeholders.
Much needs to be done to develop the secure infrastructure that can be used to implement the cyber-security policy. In an ideal world, companies exposed to the risk would invest collaboratively in producing components for secure infrastructure.
Why not suggest to your board, as part of good corporate citizenship (an important part of governance), investing in a secure open source project?