Sunday, 27 November 2011

Cyber Security Strategy 2011

On Friday, the UK government released its latest Cyber Security Strategy. The Strategy sets out three objectives, underpinned by a fourth:

  1. "Tackle" cybercrime.
  2. Build resilience against cybercrime.
  3. Contribute to an "open, stable and vibrant" cyberspace.
  4. Attract & build upon skills to support all of these objectives.

In my view, the fourth is by far the most important of these objectives. There is a great deal that we do not yet know about Internet-mediated harms. Not only is the nature of the threat constantly developing, but so much is still to be learned about the individuals who drive criminality online.

Much of the Strategy is concerned with building defences against such harms. Certainly, resilience is very important, and I am pleased that the Strategy acknowledges that both industry standards and security awareness are important to reducing the opportunities for such harms. However, resilience strategies ultimately amount to nothing more than target hardening, ignoring the underlying issues. No crime, in my view, can adequately be understood as a 'routine activity', and policies which make this mistake can never hope to "tackle" crime.

The Strategy seems to be driven by a belief that it is possible to "design out crime online" (page 30, para. 4.32). Unfortunately, this is simply not possible. As Murray has argued, code-based solutions are ultimately 'worked around' by the active matrix: skilled and motivated users capable, ultimately, of rejecting code-based regulation by subversion. Further, any infrastructure-based solutions (e.g. the 'Internet kill switch', in any case useful only against certain kinds of harm) risk compromising the openness and neutrality of the network (see Carolina on the bordered Internet): an indirectly topical area in light of the Leveson Inquiry into the proper relationship between the state and the free media.

Returning to the question of whether cybercrime can be 'designed out' of the global network, readily manipulable but privatised and decentralised, it will come as no surprise that I prefer an approach that preserves both the neutrality of the network and the "open, stable and vibrant cyberspace" that it is an objective of this government to preserve and to further. Indeed, the two arguably go hand in hand.

I say that the solution demands a better understanding of the social causes of cybercrimes, of all flavours. Tackle these, and we stand a chance of enjoying a network shaped not just by code, but by common norms. Technical resilience is important, but social resilience and Durkheim's "internal policeman" cannot be overlooked, else in my view we risk "liddism" in our policymaking (Rogers 2002, Reiner 2010).

Clearly, achieving an understanding of cybercrimes in all their flavours is a big nut to crack; however, I suspect that there are certain commonalities between offenders operating across each 'generation' of cybercrime (Wall 2007). In my dissertation 'Policing the Internet', I relabel Wall's three generations: e-jemmies (crimes committed within discrete computer systems), network crime (crimes exploiting connectedness to inflict harms remotely), and distributed crime (crimes which use networks to distribute and automate the infliction of remote harm). Wall predicts a fourth generation will exploit emerging ambient intelligence technologies as we move towards the 'Internet of Things'. Analysing this tendency in people to exploit new technologies could well reveal something important about the nature of criminality more broadly — especially important in light of this impending fourth generation of cybercrime. While it is likely that offenders for whom the Internet is merely a tool for offending that would happen even in a world without the Internet remain the elusive province of ordinary criminologies, research into the nature and degree of social exclusion of other categories of cyber-offenders is desirable to understand what it is about the Internet that fuels offending, and how we can work to address it.

Worryingly, the Report seems to make assumptions about the nature of offending online: the sentence "criminals still regard exploiting cyberspace as a profitable and low-risk option" (emphasis added) marks an assumption that all cybercriminals are rational agents. Perhaps some behaviour can be so explained, but not all, and in any case there seems to be very little evidence (certainly none appears in the Strategy) to support this view.

Buried at page 23 of the Strategy is this precious sentence: "We want a UK where[, inter alia, p]eople are clear that, as in the offline world, we are each responsible for our behaviour in cyberspace". How do we (as a society, not just a state) inject this sense of responsibility, this normative code into the disparate and privatised fabric of cyberspace? Certainly not, in my view, by focusing entirely upon "threat management" in a technical sense.

I cannot stress enough that the Strategy certainly has laudable aims, and much is to be said for its content. It pledges to improve the police response to cybercrime and work internationally to deny cybercriminals 'safe havens' where regulation is weak, backed by a timely pledge to reinforce the Convention on Cybercrime as the UK enters its chairmanship of the Council of Europe. The judiciary are to be encouraged to respond to new threats using existing laws, whilst Parliament reviews the fitness for purpose of the Computer Misuse Act (see my earlier post on the risk of moral panic and over-criminalisation). Security agencies are to be encouraged to focus on the disruption of cybercrime even where convictions are unlikely: again, a laudable and realistic view in light of the inevitable jurisdictional issues inherent in e-crime, but one that flirts with defeatist 'liddism' (see above).

Also to be commended is this official recognition of the crucial role of the private sector. But how is this awkward relationship to be managed? Only 2% of the budget is allocated to this project (page 26), the rest being spent mostly on resilience measures. The Strategy mentions a partnership with the private sector to develop "cyber-relevant sanctions": what are these? Mention is made of "online sanctions for online offences" — does this allude to the controversial disconnection rule, or are we talking about something else? How would these sanctions be meted out, and by whom? On what standard of proof? Questions of legitimacy, oppression and subversion seem far too important to be answered by a fraction of a 2% cut of the cyber security budget. (See Laidlaw on the human rights responsibilities of Internet Information Gatekeepers.)

Returning to the fourth and overarching objective, the Strategy strongly encourages "R&D". What is not clear is whether the government had technical or social research in mind. Technical research is of course important to continue to improve resilience. However, we need social research to answer the question of normativity in cyberspace.

In summary, we seem to be focusing too much on target hardening and disruption. The deterrence and prevention of cybercrimes can only be effective in the long run if we understand the threat as necessarily social rather than merely technological. Is it merely opportunity that drives cybercrime? Is it true that those who commit crimes online would just be committing crimes offline anyway? Perhaps not.

As Clemente points out, the extent to which even this Strategy can be delivered in an age of austerity remains to be seen. However, what I am suggesting need not cost any more. I am simply arguing that the policymakers behind the Strategy seem to be making assumptions about the criminologies of cyberspace that could ultimately be the undoing of their otherwise laudable objectives. The involvement of foreign states and the private sector is crucial if we are to build this "open, stable and vibrant cyberspace", and I am pleased that the Strategy recognises this. However, by focusing too much on target hardening and too little on understanding the causes of cybercrime, we risk losing an opportunity to nip cybercriminality in the bud. My plea therefore is to legislators and independent research councils the world over, to fund the social research that these policies so badly need.
