Lessons for Computer Illiterate Governments


Would you trust this character with your personal information?

During recent weeks there have been a number of lessons for computer illiterate governments but unfortunately their state of illiteracy probably means that they will be unable to learn from the lessons, even if they have the desire to improve.

The British Government, under Mandelson and Brown, is a prime example of a body that lumbers on leaving a growing trail of disasters in its wake through an inability to learn any lessons from the wreckage. Sadly it is not the only government to suffer from this serious deficiency.

The situation is compounded in the United Kingdom because the Blair/Brown Regime has followed a policy of removing, or reducing, human rights, attempting to use computer and communications systems to achieve this undemocratic and totalitarian policy. The result is that Britons are now the most spied upon citizens anywhere in the world. The basis of the policy is a belief that citizens are really subjects and criminals who are guilty until they can prove their innocence. Even when they prove their innocence, the Blair/Brown misgovernment sees this as a failure of the system rather than genuine innocence. As a result, some of the recent lessons are not lessons that the British Government would wish to learn from, even if it developed a level of competence to be able to understand.

The first lesson comes from the revelations that Local Authorities are making hundreds of information accesses into Central Government databases under terror legislation to pursue citizens for very minor misdemeanours. This appears to suggest that minor bureaucrats are trawling through Central Government databases for what may be criminal and personal reasons. The situation also reveals that once data is accessed, it begins to circulate in a completely uncontrolled manner even if it is found to be inaccurate, or irrelevant, and is not purged. The result is that a vast amount of private personal information is circulating and stored outside any form of accountability without effective security, placing citizens at significant risk from identity theft and other crimes.

The lesson is that Local and Central Government computer systems have incredibly low levels of assurance and integrity, but almost uncontrolled accessibility.

The second lesson is that huge Government IT projects become unstoppable even though they are proved to be significant failures, a serious waste of public funds, and dangerous to public safety.

This has been demonstrated by the ID card scheme, which has been ‘sold’ many times since 1997 under completely different justifications and is now being presented as a voluntary system. Of course, the objective is to produce the system and then make it compulsory.

The third lesson is that government computer systems in Britain and in other countries are very poorly protected from attack.

This has been demonstrated by the case of accused autistic computer hacker Gary McKinnon.

The McKinnon affair demonstrates many risks other than those directly related to computer systems. The McKinnon case has come to international public attention primarily because the US Federal Government is attempting to use a one-sided extradition treaty to force the British Government to extradite him without receiving any proof of the alleged crimes. Had the cracker been an American, wanted by the British Government, the US courts would have sent British lawyers away until they could present credible proof that there was a case to answer. Even then, US courts would probably still refuse to approve an extradition, being able to prove that the British Government has been guilty of torture – although the torture policy of the British Government is directly related to a US Federal Government policy of torture using third countries to carry out the torture – and recent investigations of Metropolitan Police officers suggest that torture may now also be a standard method of interrogation of suspects within the United Kingdom.

The McKinnon case also provides a further example of the very low level of integrity displayed by Labour politicians, when some 70 Labour MPs signed a commitment to stand with Opposition MPs in a vote on the McKinnon case, only to fold under pressure from Brown’s Whips.

So how do these examples demonstrate a cavalier attitude by governments to the use of computers and sensitive data forced from the public, collected as part of the many activities of governments, or through deliberate intelligence gathering activities by local and central government spies? How is this something that a government should understand, demanding action to protect the citizens?

The McKinnon situation is a demonstration of the very casual approach to information security by governments, in this case specifically the US Federal Government.

Gary McKinnon is a young man who suffers from a proven medical condition that means he is not able to exercise some of the self-control and understanding of right and wrong that society expects individuals to be capable of. That should be a consideration taken into account, in attempting to prosecute him, although it does not have any relevance to what he did technically, or how he was able to do it.

As a cracker, he broke into a number of computer systems run by US Federal Agencies, where classified data was present in the systems. What he did, if it can be proved, was illegal. How he did it was a demonstration of government incompetence.

This moves into the same emotional area as some rape allegations.

In a case of rape, and abuse of data is a form of rape, the victim has been outraged and the defence may attempt to satisfy a judge and jury that the victim either actively encouraged the offence, or did not do enough to prevent it. Even if the defence succeeds, many will consider that this in no way affects the criminality of the offence, although some might consider that particular cases may justify a judge, in considering encouragement, or lack of protection, to be a mitigating circumstance, when sentencing the convicted rapist. This in no way rejects the prosecution, but it does allow a judge some latitude in awarding the most appropriate punishment.

In a similar way, a motorist, who leaves keys in the ignition, and the doors of the vehicle unlocked, does not change the crime of theft if either the vehicle, or its contents, are stolen. If evidence can be assembled, a thief will be brought to trial and can expect to be convicted of the crime of theft. However, the motorist may face an insurance company that reduces, or rejects, a claim made in respect of the crime, on the grounds that the motorist failed to take reasonable precautions to protect the vehicle and contents. The moral and legal aspects of the McKinnon case can therefore be considered as other matters, moral, medical and legal, that in no way affect the issue of government incompetence.

Every government in a democracy has a duty to protect its citizens. That means that it has a duty to protect both their civil rights and their welfare, financial and physical. From that comes a duty to ensure that the government obtains value for money when spending taxpayers' cash.

Obtaining value for money is not just a matter of ensuring that contracts to buy goods and services are placed fairly, without corruption, and to achieve the most cost effective result. If that procurement involves sensitive or secret information, government has a duty to protect it to the most appropriate standard. That is particularly true in the case of sensitive private personal information that citizens are required to provide to government bodies by legislation.

The McKinnon case is a reminder that there are people, many people, who are prepared to break into computer systems. Low cost computer equipment and the Internet have opened this activity to very many more people during the last two decades. Even school children learn enough about computer systems, and have access to adequate technology, to attempt to break into other people’s computers. There are growing groups of hobby hackers, criminal hackers and government-sponsored crackers. This is well known to any government that has a collective brain cell or two.

Hobby Hackers are usually young people, but the group does cover the spread of age groups and social backgrounds. Frequently, individuals in this category are people who are loners and/or those who spend a great deal of time at home in front of a computer.

At the most basic level, the motivation is curiosity, first in learning about their own computers, and then becoming more ambitious and starting to move from the legal to the criminal. The majority of these people never develop particularly advanced skills and can be frustrated by fairly simple low-cost security technology.

Some will believe that they are doing good, known sometimes as ethical hackers, and break into computer systems to show the owners that they need to improve their security. This may be well-meaning, and some victims may actually appreciate the proof of weakness that can be fixed, but it still breaks laws and many victims will be outraged or frightened. It is in much the same category as Police Community Support Officers (AKA Blunkett’s Bobbies, or policing on the cheap) who in Britain walk uninvited into private homes to lecture the occupiers on the need to secure their home against rapidly increasing crime.

Some will believe that they have a right to access government computers to expose government wrong-doing and conspiracies. McKinnon appears to fall into this group, partly at least as a consequence of his medical condition. In his case he believed that the US Government was hiding information on visits to Earth by extraterrestrials and information about alien spacecraft. Whatever the hobby hackers in this group may believe, they are still breaking laws when they access systems and must expect to suffer consequences if they are caught.

Some will become cyber vandals and begin to deliberately cause damage when they break into systems that they may have targeted for any one or more of a wide range of reasons. In some cases, such as animal liberation groups, computer cracking is part of a campaign of terror and violence, up to and including murder. They may employ hobby hackers, but they really belong in the second group of computer crackers.

A relatively small number will begin to migrate out of the hobby hacker group and into the criminal group.

Criminal crackers start off with those hobby hackers who have decided to profit from their crimes. Most are opportunist or accidental criminals who discover that the majority of computer systems are very easy to break into and very few owners realize immediately, or ever, that they have been attacked.

Some criminal crackers are criminals who learn how to use computers in commission of their crimes, rather than computer enthusiasts who become criminals because they begin to break into other computer systems. They begin to use computers in much the same way as they would use a lock pick to burgle a home, or a shotgun to rob a bank. Increasingly, they are using computers to steal identities and in the process of blackmail, theft, fraud, or protection rackets. To them, a computer is just another convenient tool to support a life of crime.

A relatively small number of criminal crackers will achieve very high levels of skill and expertise. Often these skilled criminals would be able to earn more from legitimate use of their knowledge but choose a life of crime. They develop very sophisticated attacks and concentrate on government and corporate computers where they are most likely to obtain very large financial gains.

The final group is made up of Government-sponsored cyber criminals. Their numbers are now very rapidly increasing and even relatively small security agencies and political parties are beginning to routinely use their services, or recruit them as employees. They have access to advanced technology, generous funding, possibly some level of protection from their employers, and considerable skills. Their number includes those who are members of terror organizations.

So the potential threats are very real to all computer users and the risk level increases as the user represents increasing wealth or knowledge that can be exploited by a cracker. The risk also increases as the pool of highly skilled crackers increases. The result is that every computer user should seriously consider risk levels on a regular basis and take appropriate action. For governments this is a paramount duty.

The questions then are what is possible, and what is achievable?

The McKinnon case has demonstrated that US defense and intelligence computer networks are very vulnerable to relatively inexperienced individuals who have relatively simple equipment and skills. The desire by the US Federal Government to make an example of McKinnon, and treat him as a greater danger than Bin Laden, appears motivated as much by the acute embarrassment of being hacked by a relatively inexperienced individual, as by a desire to protect the US national interest.

It clearly demonstrates that governments have been rapidly expanding their computer networks and making increasing use of the Internet without spending the money to effectively protect their data from attack. The major factor is undoubtedly a desire to cut cost and a consequence of basing procurement on buying from the lowest bidder, ignoring the reality that the lowest bidder is offering a cut-price product by reducing functionality and/or performance and security. The secondary factor is the result of a failure to move from the old system of classification of data to holistic risk management.

Holistic risk management is important because it requires all risks to be identified and rated. In the process it places accurate mathematical and financial values on risk and calculates the true cost of reduction, or of failure to reduce adequately. It then records the reasons for deciding how far to reduce any specific risk and how the reduction is to be achieved. It involves the accreditation of all risk management systems and records the dates and results of random audits to ensure continuing effectiveness. It should not be confused with politically correct ‘risk management’ which is only a bureaucratic method of employing risk aversion and shifting blame when anything goes wrong.

Every government system can employ a compartmented operating system. There are a number of products of this type that first appeared thirty years ago and were once mandated by a number of government security accreditors when a system was to be connected to any form of external line or network and held data at or above ‘secret’. It was also the exception rather than the routine for any computer, holding classified data, to be connected with any form of public network.

Compartmented operating systems offer very strong protection because they are difficult to burrow under, defeat frontal attacks by serious attackers, minimize any penetration risks by dividing data of different classification and sensitivity into individual virtual secure systems within the computer, close the common vulnerabilities present in most untrusted computer systems (these being around 97% of all computers), and have monitoring and auditing systems that are virtually impossible to attack and which give early warning of an attack in progress.

Today the first compartmented operating systems to be built using formal methods are available to governments and many other users. These systems achieve the highest level of protection and are not necessarily more costly than untrusted commercial computer products. Their main additional cost is in the administration labour because they force the people who keep the system running to do their jobs properly, requiring rather more man-hours than is the case in typical systems, where every corner is cut.

Beyond this simple and effective measure for each computer, networks need to be designed for reliable operation and data should be monitored and marked so that it is possible to see exactly who has done what with it and where it originally came from. Most of this is simple common sense and a failure to work this way demonstrates incompetence and a very urgent need for personnel to be retrained or replaced.

If a government takes reasonable steps to ensure protection of data and then ensures that the integrity and origins of every data item are known without doubt, we are then well on our way to reliable systems that use data only for legitimate purposes in a way that can always be proven. If an effective auditor is then appointed, we begin to return civil liberties, to the citizens, that have been stolen in recent years by incompetent, overbearing and malicious governments.

That is of course not the whole story but an approach to technology and operation of technology. An even more fundamental and simple stage is for governments to collect only that information which is essential to government in the interests of citizens, and to use the information only for the purposes that it was originally collected. That means smaller government, which means smaller IT systems, holding less information, and results in considerably less information cost, making secure management of data affordable, reliable and demonstrable.

The golden rules are:

Collect only that information necessary to meet legitimate objectives.
Know the origins of all data in the system.
Know who has access to each item of data.
Know what they have done when they accessed it.
Allow only those with a legitimate need to access data.
Allow only legitimate use of data by those who have a proven need to read, write, amend, print or copy data.
Ensure that every action, by every user, is audited in a system that prevents users from modifying the audit data.
Identify any aggregation of data and delimit the aggregation.
Prevent data from migrating down to lower levels of sensitivity and classification.
Allow only the security officer to reclassify and declassify data, and prevent that officer from being able to modify the audit records that monitor the changes of classification and sensitivity values of data items.
Delete permanently and completely all data which no longer has a valid purpose.

Those rules apply to any computer system and not just to systems that hold defence and intelligence information of the highest value.
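Several of these rules can be shown together in a small access monitor, added here as an illustration and not taken from the author or from any product mentioned above: items carry a level, compartments and an origin; nobody reads above their clearance or writes into a less sensitive item; only the security officer relabels; and every decision lands in an audit trail where tampering is detectable. The level names, user names and the SHA-256 hash chain are assumptions of this example.

```python
import hashlib, json
from dataclasses import dataclass

LEVELS = {"public": 0, "restricted": 1, "secret": 2}  # constructed sensitivity levels

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()
    def dominates(self, other):
        # Higher-or-equal level AND a superset of the other's compartments.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

def _digest(prev, event):
    return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()

def verify_chain(entries):
    """True only if no audit entry was altered, removed or reordered."""
    prev = "0" * 64
    for e in entries:
        if e["prev"] != prev or _digest(prev, e["event"]) != e["hash"]:
            return False
        prev = e["hash"]
    return True

class Monitor:
    def __init__(self, users):
        self.users = users    # name -> (role, clearance Label)
        self.objects = {}     # name -> {"label", "origin", "data"}
        self.audit = []       # hash-chained; the monitor offers no edit or delete
    def _log(self, user, action, obj, allowed):
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        event = {"user": user, "action": action, "object": obj, "allowed": allowed}
        self.audit.append({"event": event, "prev": prev, "hash": _digest(prev, event)})
        return allowed
    def store(self, name, label, origin, data):
        self.objects[name] = {"label": label, "origin": origin, "data": data}
        self._log(origin, "store", name, True)   # origin of every item is recorded
    def read(self, user, name):
        ok = self.users[user][1].dominates(self.objects[name]["label"])  # no read up
        return self.objects[name]["data"] if self._log(user, "read", name, ok) else None
    def write(self, user, name, data):
        # No write down: the target must be at least as sensitive as the writer.
        ok = self.objects[name]["label"].dominates(self.users[user][1])
        if self._log(user, "write", name, ok):
            self.objects[name]["data"] = data
        return ok
    def reclassify(self, user, name, label):
        ok = self.users[user][0] == "security_officer"  # only the officer relabels
        if self._log(user, "reclassify", name, ok):
            self.objects[name]["label"] = label
        return ok
```

The hash chain only makes tampering evident; keeping the log out of reach of users and of the security officer needs storage those accounts cannot write to.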

IJB.
