Strife

The Academic Blog of the Department of War Studies, King's College London

You are here: Home / Archives for Cybersecurity

Cybersecurity

Review: "Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World" by Bruce Schneier

by

By: Christy Quinn:

Data and Goliath

Bruce Schneier, Data and Goliath: The Hidden Battles to Capture Your Data and Control Your World.
New York, NY: W.W. Norton., 2015. Pp. 400. £ 17.99, ISBN: 978-0-393-24481-6.

If you’re not familiar with the Information Security community in the IT industry, it’s worth knowing that Bruce Schneier has earned the reputation of a prophet, sage and action hero combined. As a renowned cryptologist and technologist, Schneier has been a leading critic of the US government’s attempts to limit the global spread of encryption and recently of the NSA’s ‘bulk collection’ program of communication records of US citizens, following the disclosures by Edward Snowden in 2013. Data and Goliath, his latest book, addresses the challenge posed to privacy and individual liberty posed by both government “mass surveillance” and the exponential amounts of personal information collected by the private sector for profit.

One of the strongest insights to come from Data and Goliath is the symbiotic relationship between the commercial data gathering on users from private businesses and the arms of government security. Some of the more hysterical attacks on government surveillance perpetrated by crypto-anarchist campaigners like Julian Assange and Jacob Appelbaum have suggested that the Snowden revelations are evidence of the US government as an all-powerful police state with no physical or legal restrictions on its capability to reach into the lives of every person utilising digital communications around the world. Schneier suggests that many governments actually depend on private companies for data on their customers they gather for their own benefit in any case, and then either pay them for the privilege of collecting it or require it in return for market access. For example, telecommunications provider Vodafone provides approximately 29 countries direct access to internet traffic passing through their borders. In return, private companies are paying for more access to government records on citizens, such as drivers license data or anonymised health records, to enhance their own services. One of the results of the digital communication era has been the commodification of personal data, both as a means of national security and for private profit.

The crucial point of contention is whether the collection of customer data, often referred to as ‘metadata’, constitutes “mass surveillance”. One of the problems of establishing the nature of surveillance is the many different forms of metadata, which can vary considerably in the amount they tell you about the life of the individual. Schneier gives the example of telephony metadata, better known as call records. These do not give the collector the content of the call but instead the number dialed, the date of the call and the length of the call. A Stanford University study quoted by Schneier was able to establish considerable detail about the private lives of the anonymous participants from their call records alone, such as whether they were planning an abortion or growing marijuana in their own home. CIA director Michael Hayden, who is quoted in the book, is unequivocal about its value to US security; “we kill people based on metadata.”

However, this definition of metadata varies from jurisdiction to jurisdiction; while in the US, the terms used in Google searches are treated by the NSA as metadata, in the UK they are treated under surveillance laws as ‘content’ which requires a warrant from the Home Secretary to access. The changing nature of many online services also masks them from government bulk collection. For example, if the UK government was monitoring your Facebook activity on a passive bulk collection basis, rather than actively spying on you, in theory they would only be able to see that your IP address logged on to Facebook’s online website. Without a warrant, they would not be able to see your friend’s list, any messages you made within your Facebook network or which group pages you visited. Facebook, on the other hand, would have full access to your personal data, which they can utilise to sell advertising to you and would be obliged to hand over were they issued with a warrant. Messages from users outside the UK to users in the UK could qualify for bulk collection, but only if they were deemed ’necessary and proportionate’ under surveillance laws. Other jurisdictions such as Russia and China make no such nice distinctions and seek the ‘full take’ of a user’s internet activity, legalistic niceties be damned.

This results in a confusing picture, particularly as the proportion of metadata collected and analysed by governments remains to be national secrets. The recent backlash against bulk collection of telephony metadata in the US has resulted in the fall of the Patriot Act, of one of the pillars of the post 9/11 national security state. Bruce Schneier’s book is an excellent contribution to the debate over internet surveillance and is an ideal education as to how the processes of personal data collection work. However, it is clear that this debate is far from over and that ultimately users will have to come to terms with how much of their personal lives they are willing to disclose to others.

Christy Quinn studied International History at the London School of Economics & Political Science and is currently reading for an MA in Intelligence & International Security at Kings College London. His research interests are cyber security, national security strategy and the Asia-Pacific region. He is a Guest Editor at Strife. Follow him @ChristyQuinn

Surveillance, bulk data collection and intelligence. Interview with Bruce Schneier

by

bruce_schneier

Bruce Schneier is an internationally renowned security technologist and the author of 13 books — including “Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World” — as well as hundreds of articles, essays, and academic papers. Schneier is a fellow at the Berkman Center for Internet and Society at Harvard Law School, a program fellow at the New America Foundation’s Open Technology Institute, a board member of the Electronic Frontier Foundation, an Advisory Board Member of the Electronic Privacy Information Center, and the Chief Technology Officer at Resilient Systems, Inc. You can follow him on Twitter @schneierblog

Christy Quinn: As of Tuesday, President Obama has just signed the USA Freedom Act into law, banning the NSA’s bulk collection of telephony metadata. Do you think this marks the acceptance amongst security officials and policymakers in the US that there need to be limits to metadata collection?

Bruce Scheier: It’s certainly a watershed moment, because it’s the first time the US government has placed limitations on the NSA’s metadata collection. The limitations are minimal, and won’t have much actual effect on the surveillance of Americans by the NSA. But symbolically, it’s huge. The question now is whether the members of Congress will pat themselves on the back for a job well done, or actually take the next steps and examine the vast array of domestic government surveillance programs.

The British Security Services have made the argument that they are struggling to cope with the growth in internet metadata produced by UK citizens and they need greater powers of mandated metadata collection to maintain their current surveillance capabilities. Do you think there is any value in this position?

I’m not sure it even makes sense. If an organization is struggling to cope with all the metadata its gets from its surveillance operations, how does giving it the ability to collect even more metadata make its job easier? How does giving it more surveillance data mean that it maintains the current surveillance levels? The governments of both the US and the UK make all sorts of claims about their surveillance capabilities and what they need, but they never back those claims up with any real data. The extreme secrecy surrounding these capabilities precludes substantive policy debates, but the extreme danger in allowing governments to conduct massive surveillance operations means that we must have those debates.

What is your response to the view that bulk collection by security services does not constitute mass surveillance, as no one is actively looking at all the collected data and is it is only examined selectively?

It’s a nonsense argument, and we all know it. Surveillance occurs when our actions are recorded, not when they’re examined. “We’re going to install a camera in your bedroom and record everything, but it’s not surveillance because we won’t look at the footage unless we want to.” “Yes, your cell phone will keep a constant record of your location, but it’s not surveillance, because we won’t access the information unless we think you’re doing something wrong.” These statements make no sense, because we know that once the data is collected and saved, it could be examined; therefore, we have to act as though it will be examined.

In “Data and Goliath” you recommend measures to your readers of how to avoid their metadata being collected, such as using anonymisation services like Tor. Do you think there is a public interest in people maintaining their privacy, or that it should be a matter of choice how much personal information you provide?

It’s a little of both. Privacy should be treated as a right, and not solely as a commodity that can be sold or bartered.

Do you believe there should be limits to encryption, just as there are limits to privacy?

The two are very different. Encryption is a technology; privacy is a human value. We trade off human values with each other all the time; that’s what many of our political debates are about. That has nothing to do with the current debate about limiting the strength of encryption. The debate is about whether we want to all be insecure from criminals, foreign governments, and everyone else because the police find that insecurity useful; or whether we should make our systems as secure as possible from all attackers, even though that inconveniences the police.

Do you agree with former GCHQ Director and Professor Sir David Omand that encryption could lead to ‘ethically worse behaviour’ by intelligence agencies by forcing them to compromise privacy in more intrusive ways?

It’s hard to imagine those words coming from a legitimate government agency; the only thing GCHQ is “forced” to do is follow the law. To threaten people in this manner is loathsome, and illustrates the extent to which these intelligence agencies consider themselves above the law. Encryption makes everyone more secure. And if that security means that GCHQ has a harder job, that’s okay.

Christy Quinn studied International History at the London School of Economics & Political Science and is currently reading for an MA in Intelligence & International Security at Kings College London. His research interests are cyber security, national security strategy and the Asia-Pacific region. He is a Guest Editor at Strife. Follow him @ChristyQuinn.

Call for papers: A world in flux? Analysis and prospects for the U.S. in global security

by

A world in flux?
Analysis and prospects for the U.S. in global security

Call for papers
US Foreign Policy Research Group and Strife first annual conference
March 4, 2015 at King’s College London

The world is in an increasing state of flux. Growing concerns over the rise of Islamic State and international tensions over Ukraine have compounded with ongoing dilemmas over North Korea’s nuclear program and international terrorism more broadly. Wikileaks has demonstrated gaps in state’s information security, while the growing problem of foreign fighters has showed how global events are linked increasingly with domestic concerns. The tools engaged to manage security are changing, as are partnerships and allies. The concept of security has also widened and deepened over recent decades, expanding from security between states, to areas such as individual and environmental security. At the forefront of these challenges, the United States has remained the hegemon, but how has this position changed and what role will it play in the future?

This one-day conference will bring together a diverse range of practitioners and academics who will critically analyze the shifting state of security and investigate the diverse ways in which the United States, as the continuing dominant force in global affairs has responded, and continues to respond to, these challenges.

The first annual joint United States Foreign Policy Research Group and Strife conference will survey the expansive terrain of global insecurity and the US response across its many diverse aspects. Held in the renowned Department of War Studies, at King’s College London, this conference is interested in theoretical explorations and empirical case studies, with particular emphasis on new approaches and cross-disciplinary dialogue. A selection of excellent papers will be included in a special spring edition of Strife Journal.

Under the conference theme, we welcome submissions of proposals for panels and papers, which address a number of the following cognate (though not exclusive) topics:

1. Military-to-military relations

  • Changing tactics of warfare (i.e. COIN and drones)
  • Counter-terrorism
  • Security sector and military reforms

2. Responses to recent and continuing conflicts

  • Middle East (Palestine-Israel, Iraq, Syria)
  • Europe (Ukraine)
  • Asia (South China Sea disputes, Afghanistan, Pakistan)

3. Emerging security concerns

  • Environment
  • Health care/epidemics
  • Cyber security

4. Homeland security

  • Detainees/Guantanamo/extraordinary rendition
  • Information security (i.e Wikileaks, the Bradley Manning case)
  • Impacts of the global on the domestic (i.e. civil liberties)

We welcome abstract submissions of 300 words and brief biographies from postgraduate research students. Consideration will also be made for exceptional graduate applications. Please submit to [email protected] by November 1, 2014 with the subject line “USFPRG-Strife Conference.”

The conference will take place on March 4, 2015 at King’s College London, Strand Campus. Attendance at the conference will be free and open to all.

Untitled-1

___________________________

Downloadable version: Strife-USFP First Annual Conference - Call for Papers

The problem with curtains

by

By Andreas Haggman:

A. Van Dam cartoon modified by N. Gourof
Arend van Dam cartoon, respectfully modified by the Webmaster, Strife

 

Edward Snowden’s revelations have prompted fierce debates in both the intelligence world and the cyber domain more generally. Opinions and analyses on the impact of the revelations can be found at every level of publication from academic journals to online discussion forums. The outcome of the debates with regards to the long-term operations of intelligence agencies is still unclear. However, what has already manifested itself is the public relations nightmare resulting from the much-maligned electronic snooping, conducted in particular by United States’ NSA and UK’s GCHQ signals intelligence agencies. Chiefly thanks to The Guardian’s publications, there have been outcries from the general public of foul play and invasions of privacy on the part of intelligence agencies.

In defence, the UK government’s stance was to assert that those who have nothing to hide have nothing to fear. GCHQ’s digital hoover may sweep up an unprecedented amount of internet traffic, but if you simply form part of the proverbial dust you will be ejected unmolested at the other end. If, on the other hand, you have more sinister objects strewn all over your digital floor, these will be caught in the filter and you will be dealt with accordingly.

Many commentators have noted that this explanation is not sufficient to justify large-scale privacy invasions. In a survey, Daniel Solove collated a number of responses to this issue, with one objection being particularly resonant. The complaint was the blunt question ‘So do you have curtains?’ The reasoning behind this is that if we follow the UK government’s logic, law-abiding citizens have no need to obscure from view what they do in their own homes. Because they don’t fear any reprisals for wrongdoing (since they do no wrong), they have no need to hide their actions.

At first glance the argument is compelling, but the analogy fails because of the inherent problem that it does not distinguish between privacy and secrecy. ‘Privacy,’ Eric Hughes stated in A Cypherpunk’s Manifesto, ‘is the power to selectively reveal oneself to the world.’ The key word here is ‘selectively’. Something that is hidden from everyone is a secret; something that is hidden from people you choose is private. Curtains, by their nature, entail privacy – you can choose when they are open and closed – and no one thinks anything of it when they are closed. However, if they were permanently drawn closed they would be tools of secrecy and, indeed, arouse some suspicion in the neighbourhood. For our purposes, it is this last point which is problematic.

The electronic equivalent of curtains is encryption. With so-called public key encryption protocols, two people are able to communicate without any outsider being able to read the content of the messages being passed. This can be used with discretion, so sending an unencrypted email equates to having curtains open, and sending an encrypted email entails having them closed. The problem here is that whereas curtains are a societally accepted privacy tool, encryption maintains a dubious status outside cyber security-aware circles. Because the default approach for the vast majority of people is to not actively encrypt their data and communications, those who do encrypt can be viewed with suspicion; especially those who encrypt consistently – that is, have their curtains closed all the time.

The issue, then, is that in encryption we have tools endowing us with the ability to create privacy in the digital domain, yet our attitude towards these tools means they are thought of as tools for secrecy. This is in contrast to the analogous curtains, which are accepted as tools of privacy.

All of this seems to be a great contradiction. Government organisations and corporations use encryption to protect the data they hold about us and for this we are thankful; indeed this is something we have come to demand. Similarly, many email providers encrypt the messages we send despite us not actively choosing to do so, which we nevertheless welcome. So those institutions of which we increasingly request transparency, we simultaneously embrace for their use of (perceived) secrecy tools.

This contradictory stance has stringent implications for security. If encryption is embraced at an organisational level, governments and corporations are able to maintain integrity of data, therefore keeping it secure. When this data concerns, for example, national infrastructure or defence details, security of data is directly connected to security of the state. On a personal level, however, if encrypting one’s own data is seen as illegitimate and not widely practiced, the same logic implies negative connotations for personal security.

In liberal democratic states this presents a problem. Such states espouse individual values and hold the safety of people in high regard. If personal security is compromised, upholding the values and safety falls to those entities whose security remains intact – that of governments and corporations. However, it is in the public interest to maintain some measure of control of their own security, for completely relying on others could be dangerous, lest the interests of the public and the interests of other entities (governments and corporations) unexpectedly diverge.

This line of reasoning is suspiciously Palmerstonian and, I suspect, would sit well with anti-gun control activists (particularly in the US). It could also be argued that at this point the analogy is overstepping its limits: encryption concerns only data on computers and extrapolating effects in the digital world to the physical world is stretching it too far. But this argument looks at the problem too abstractly. The data concerned often has a direct effect on the physical world, so encryption of this is necessary to maintain personal security.

The point here is that we need curtains. We need them not for any sinister purpose, but to maintain control over our privacy and personal security. In the digital world encryption offers these curtains. Unfortunately, until the taboo of encryption is overcome, personal security will remain in the hands of other entities. If we want to to seize control it is up to us, collectively, to embrace the protection offered by encryption.

 

Andreas Haggman is a MA student in Intelligence and International Security at King’s College London. His academic focus is on cyber security, particularly the development of weaponised code and organisational responses to cyber security issues.

Lies, Damn Lies, and Statistics: Understanding the 2013 Verizon DBIR

by

By David Grebe

Every year, Verizon publishes the Data Breach Investigations Report (DBIR). This report, while far from perfect, gives us a glimpse into the state of the field, and allows us to challenge some common misconceptions about cybersecurity.

Firstly, it should be noted that the datasets used in the report are far from normally distributed. Firms and organizations freely volunteer the data used to create the report. Because of this, and the fact that Verizon is only partnered with organizations in the US, Europe, Australia, and Malaysia, the data can be expected to be skewed at certain points. Verizon makes a note of this in the report, but then still presents some bizarre data because the validity of the datasets is left unquestioned. For example, the claim that the Chinese government and its affiliates make up around 95% of all espionage cases seems a very bold claim. Another problematic claim by the report, that Romania is the second largest perpetrator of cyberattacks (as the origin of 28% of all external attacks), also seems fishy.

In addition, the report makes use of two separate datasets (one is larger, while the other uses better described security incidents), which ends up presenting problems. For example, one dataset claims that social means to gain access made up 29% of all attacks – the other claims 1%. This is because the report includes many cases of credit card fraud, misuse of equipment, and the user error of sending emails to the wrong people in the larger, rarely used dataset. As these types of cases make up over half of the dataset (and previously took up about one percent), it overwhelms the dataset as well as creating a mixed picture by having different sets of definitions. However, this reminds us that little changes in what a “data breach” consists of drastically affects the data that is presented. Thus, because of the nature of this data, the percentages in the findings ought to be taken with some salt – the importance of this data is to begin to understand about broader trends and possible misconceptions, not the individual values themselves.

As this report has been going on for several years, some trends have emerged that challenge our previous conceptions. For one, external attacks are far more prevalent that internal ones. If true, this turns a common fallacy taught to most of our IT professionals on its head. According to the report, in 2012 only 14% of breaches we committed by insiders, a trend that has held up for the last 5 years. While disgruntled employees striking back at their workplaces may be flashy and costly, most of the cases (92%) appear to be external (keep in mind that a breach may be both internal and external). That being said, once the data includes various extra types of misuse and error (such as namely, losing devices, mis-delivering emails, and misuse of equipment), this picture becomes murkier.

Secondly, people interested in cybersecurity often hear too many buzzwords about massive plans by states to exploit backdoors and use logic bombs to infiltrate their opponents. However, ‘95% of all state-affiliated espionage attacks relied on phishing’. While I doubt that the popularity of phishing is that high, I think it is safe to conclude that even states rely on simple means to steal data. Likewise, of the 631 reports that make up the main dataset, only one required significant customizations and advanced skills to perform. Over 75% of the attacks fit into the low or very low difficulty ratings, demonstrating that a hacker could perpetrate the attacks with little or no knowledge, and with little adjustment to existing hacking tools. In fact, just over half all data breaches studied involved hacking at all to gain access to the targeted computer(s).

Thirdly, even computer illiterate end users can make a simple change to help protect themselves. 76% of network intrusions exploited lost, stolen or weak passwords. Thus, simply taking a step such as two factor authentication (where a person does not just provide a password, but also a code sent by text to their phone or their thumbprint), while a hassle, could solve a large portion of all data breaches.

We thank Verizon and its various partners for making this report public. Open statistical data is incredibly difficult to come by in the field. While the report certainly has its problems, it is usually clear about them. From the data, hopefully we can start to understand some of the areas where our conceptions are not meeting reality, and start to change our tactics because of it.

The 2013 DBIR can be found here: http://www.verizonenterprise.com/DBIR/2013/