BitDepth 546 - October 17

Cybersecurity experts from Carnegie Mellon University brief Trinidad and Tobago's IT Professionals Society...
Decoding cybersecurity

Jody Westby and Pradeep Khosla of Carnegie Mellon University. Photo by Mark Lyndersay.

The Information Technology Professional Society's recent breakfast session on "Cybersecurity: Implications for Government and the Private Sector" was only the second of that body's morning meetings that I'd been able to attend and it was as challenging as the first.

The problem the ITPS is always going to face is that its membership wants more information than it can get working in the field every day, and that means that visitors to these meetings, even faux geeks like me, can be faced with a daunting surge of information that's undiluted for the masses.

That was certainly the case when two Carnegie Mellon University scholars got going at the end of last month. Jody Westby, an Adjunct Distinguished Fellow of the University, and her colleague Pradeep Khosla, Dean of Engineering, delivered their presentations.
Jody Westby described a "complex web" of 233 interconnected countries and 1.2 billion online users, in which cross-border data flows and outsourcing built on bits span the legal territories of individual nations effortlessly.

Those differences in national law are increasingly a big deal as companies do business simultaneously in a multitude of countries. Even first world countries like America and much of Europe have sometimes conflicting legal models for key issues like data protection, privacy and security.
While data can travel freely across the world, what happens to it in each nation is a matter for local laws, and here is where problems can crop up.
Key outsourcing locations such as India, China and the Philippines have no privacy laws at all, Westby noted, making security breaches a greater concern for the businesses operating there than for local law enforcement.

Pradeep Khosla, founder and director of Carnegie Mellon's CyLab, focused his presentation on where the digital rubber hits the information superhighway, noting that the "velocity of propagation" of computer attacks now makes a human response impossible. Khosla advocates systems designed to respond automatically to the crippling attacks that take down systems and networks, and networks that are more resilient and self-healing.

"The cost of entry into cybercrime is low, but it is knowledge intensive," Khosla noted. "The adversary is as smart as we are...I think he's smarter."
The challenge is not only in computing, but in policy and legal strategy to put backbone and structure into a situation that's difficult for lay people to understand.
Steal a mango from a farmer's tree and you're guilty of praedial larceny, smash a storefront's glass showcase and you're guilty of vandalism. But hack a website and steal crucial company data and in many parts of the world, you're guilty of being a clever annoyance.

Just about the only thing that can get a critical mass of attention is a denial of service attack, a sustained flood of traffic against a webserver that can bring web access down for a group of users, and that's only because it's causing them, personally, a problem with their surfing.
For that reason, much of the IT world has concentrated on setting its own, personal house in order, investing in software and hardware protections that guard their own little corner of the networked world, with little or no spending on the kind of common tools and technologies that would make malicious hacking harder to accomplish.

Even trying to understand the problem calls for some sophistication. Khosla had a presentation with graphics, movie clips and illustration diagrams, but many of the solutions that his research department works on demand careful study because they have no ready real world equivalents. Solutions such as packet marking and software attestation take advantage of the limitless patience of software and hardware to verify the provenance of data on a network: routers stamp packets so that the source of a flood can be traced back through the network, and a device proves to a remote verifier that it is actually running the software it claims to be running.
One consequence, as Khosla put it, is that there have been "problems with bad legislation championed by clueless lawmakers."

The legal divide: models of privacy law
• US laws vary at the state and federal level, but emphasise self-regulation and the primacy of market forces. Public and private sector information are managed differently, and enforcement is the domain of regulatory agencies. Most personal information is protected, but arrest records are exempt under Federal law.

• European Union laws apply to all 25 member states and must become part of national law. Cross-border data flow must have "adequate" protections and the legal status of EU information remains with data wherever it goes. Strict adherence to "Opt-in, Opt-out" rules for data collection.

• Asia-Pacific Economic Cooperation (APEC) uses a hybrid of both approaches, adopting EU guidelines for privacy demarcations for information and is geared to managing the commercial use of personal information. Initial implementation was designed to facilitate data flows for outsourcing. Emphasises self-regulation. Currently there are no restrictions on cross-border data flows and remedial measures are weak.