BreachExchange mailing list archives

All Talk-Talk and No Action


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 24 Nov 2015 19:42:34 -0700

http://www.scmagazine.com/all-talk-talk-and-no-action/article/451314/

Yes, it's happened again. And I'm not altogether surprised. The latest
cyber attack, a breach compromising the data of up to four million of
Talk-Talk's loyal customers, is yet another in a growing line of pernicious
cyber attacks against corporate infrastructure.

Worryingly, this isn't the first time for Talk-Talk; the telecom provider
experienced concerted attacks from last December through to February as
well as a breach of up to 2 million of its customers' data in August.
T-Mobile US Inc., Dixons Carphone Plc and Sony Corp. have also sustained
attacks over the last twelve months. Despite this growing trend, Talk-Talk
have made scant effort in the fallout of its previous attacks to install
even the most basic security measures such as encrypting customer data.
British MP Keith Vaz, Chairman of the Home Affairs Select Committee, was
absolutely right to brand this complacency as 'alarming and unacceptable'
and it is only appropriate that the company and those responsible come
under immediate scrutiny.

If anything is to be applauded, it's that Talk-Talk's CEO, Lady Harding,
has finally recognised that more could have been done, but this reactive
posture is all too prevalent in our society when it comes to cyber.
Preemptive measures to secure against cyber attacks are few and far between
and only embryonic steps are taken to manage the aftermath when an attack
does occur. This sends a clear signal that not only are companies not
serious in tackling this threat, but that they simply don't understand it.
And this is the real issue - what are we talking about?

On Wednesday, the U.K. and China agreed a non-aggression pact to tackle
cyber-crime, pledging to end the 'cyber-enabled theft of intellectual
property, trade secrets or confidential business information'. In a similar
vein to an earlier agreement between China and the U.S., the agreement is
highly problematic for it exposes just how little government - much like
the individuals at Talk-Talk - understand about cyber. The pact is
essentially meaningless - what has been agreed does not concern crime,
rather espionage. When states steal confidential information and trade
secrets it falls within the remit of espionage; states cannot commit crime
in the same manner as an individual.

As President Obama commented in the wake of the Office of Personnel
Management (OPM) attack, “it's non-state actors who are engaging in criminal
activity and potential theft… in the case of state actors, they're probing
for intelligence”. Indeed, the practice of state espionage is widely
accepted within the international community. Brigham Young University
professor of law and former U.S. Army Judge Advocate Eric Talbot Jensen
reinforces the fact that "true espionage is by definition not illegal under
international law”. States will no doubt continue to engage in it and those
who fail to do so will only fall victim to it. The failure to make the
distinction between espionage and crime reveals the crux of the issue -
there is no clear paradigm or terms of reference for defining sinister
activity in the cyber domain. Without an explicit set of terms and
definitions for the cyber (fifth) domain, government will invariably remain
ignorant in what they are talking about.

When I spoke with No. 10 recently about the U.K.-China pact, they were not
readily capable of providing any exact details or explanation of what the
pact entailed, instead directing me to the gov.uk website. The website, in
just two sentences, simply reiterated the hollow promise of agreeing not to
conduct espionage in the cyber domain.

However, government is not alone in its misunderstanding. The media equally
highlight this mass confusion - some calling it a cyber crime pact, some a
cyber security pact and the BBC calling it a cybercrime truce. How can
there be a truce when we are not at war? With no agreed understanding or
delineation between different forms of sinister cyber activity amongst
international actors, the government has agreed a pact which it cannot
define or understand; it is scrambling in the margins to show its
competence but has made an agreement that is wholly ineffectual. In a paper
I published in 2013 (link below), I highlighted the requirement for
explicit terms and definitions for all sinister cyber activity and
developed the helpful acronym of cyber TWESC (terrorism, warfare,
espionage, sabotage and crime). Each category is preceded by the prefix of
cyber and can be distinguished from one another.

Since making a clear distinction between crime and espionage in 2013, I
have repeatedly appealed to government to develop these much-needed terms
of reference but such pleas have fallen on deaf ears. How can the government
formulate coherent and meaningful policy if it cannot even agree or define
what it is talking about?

There is an ancient Chinese proverb that states “when reading, don't let a
single word escape your attention; one word may be worth a thousand pieces
of gold”. Simply put, the adage stresses that study requires undivided
attention and that no single word should be passed over before one fully
understands it. David Cameron should heed the sagacious advice of the
Chinese, grasp the nettle and begin developing the requisite definitions
for all forms of sinister cyber activity. Enough talk, time for action.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss