Following the publication of the government’s UK Cyber Security Strategy in November 2011, Louise Bennett FBCS CITP gives her thoughts on it and what it means for the industry and the nation.

The UK Cyber Security Strategy [1] is a well-constructed starting point for achieving its stated aims of ensuring the UK reduces the risks and secures the benefits of a trusted digital environment for business and individuals.

The aspiration is that by 2015 ‘the measures outlined in this strategy will mean the UK is in a position where: law enforcement is tackling cyber criminals; citizens know what to do to protect themselves; effective cyber security is seen as a positive for UK business; a thriving cyber security sector has been established; public services online are secure and resilient; and the threats to our national infrastructure and national security have been confronted.’ This is, rightly, an ambitious goal.

In the strategy, the opportunities and threats are well explained. However, in order to achieve the objectives there are four areas that require more attention. They are: identity assurance for online transactions; a framework for accountability, liability and redress in online business; leadership in addressing the governance of the internet of things; and computing education in the UK.

The OECD has stated that digital identity management is at the core of the internet economy [2].

Identity assurance at some level is vital in connection with business transactions over the internet. You need to be certain who the other party is and that they are ‘good’ for the transaction you want to undertake.

This covers a whole spectrum of problems, from the certainty that you have logged on to a legitimate supplier’s website before ordering your goods or travel tickets, to the certainty that it really is your bank you are dealing with when you transfer funds from your bank account.

The UK government is developing and piloting a federated identity assurance scheme for UK citizens. Under this scheme, individuals and businesses will be able to register with identity providers who will offer different levels of assurance.

However, online business crosses international boundaries. Internet shoppers are often not certain what jurisdiction the entity they are doing business with is operating from, and the UK government must push for an internationally federated scheme for identity assurance through the UN Internet Governance Forum (IGF).

Associated with the need for assurance about the identity of businesses and individuals to transact business safely online is the need for a contractual framework for accountability, liability and redress associated with online business. As with identity assurance the problems stem mainly from the international dimensions of online businesses.

Banking

It took many years for the banks to agree, in the context of online transactions, exactly who was liable for any failure at any point in the system.

To date similar clarity does not exist in global online business transactions, particularly when individuals are purchasing products and services from suppliers in other countries and jurisdictions.

The reality is that individual users expect their identity data and consumer rights to retain their domestic levels of protection (whatever these might be) whatever jurisdiction they are in on the internet. The UK government needs to push for a resolution to this with the UN IGF.

More widely, as far as policing the internet is concerned, credit checks and fraud prevention in financial transactions are all about context: ‘This transaction seems unusual from this person with this history, suddenly using this IP address in this context’.

However, the degree of granularity in those checks is a major concern. Both businesses, for their own protection, and customers, for the confidence to transact online, need an optimum balance between false positives (wrongly preventing a genuine transaction) and false negatives (failing to block a fraudulent one).

Blocking

At present the granularity of that balance has not been reached to everyone’s satisfaction. There can be, on the one hand, very crude blocking of transactions from and to individuals in countries with a poor reputation for probity and, on the other hand, no warnings for individuals that they might be entering into a transaction with a fraudulent company outside the UK (and little or no chance of redress if they do).

In addition to the need to know who an individual or business is when you are interacting with them on the internet you may also need to know about other ‘things’.

This overlaps with the notion of ubiquitous computing, which usually conjures up a vision of small, inexpensive, robust networked processing devices, distributed at all scales throughout everyday life and generally turned to distinctly common-place ends.

For example, a domestic ubiquitous computing environment might interconnect lighting and environmental controls with personal biometric monitors woven into clothing so that illumination and heating conditions in a room might be modulated, continuously and imperceptibly.

Internet of things

Another common scenario posits refrigerators ‘aware’ of their suitably tagged contents, able to both plan a variety of menus from the food actually on hand, and warn users of stale or spoiled food.

The scope of internet of things (IoT) applications is expected to contribute to addressing today’s societal challenges. For example, health monitoring systems will help meet the challenges of an ageing society, and connected cars will help reduce traffic congestion and improve their recyclability, thus reducing their carbon footprint.

This interconnection of physical objects is expected to amplify the profound effects that large-scale networked communications are having on our society, gradually resulting in a genuine paradigm shift.

The security implications of interference with these networks of things are profound. Stuxnet attacked controllers in specific locations and configurations. Even though it did not reach its target over the internet (as there was an air gap around the nuclear installations in Iran), it demonstrates what could happen should anyone decide to attack the IoT.

Teaching

Finally, while I am fully supportive of the measures to encourage a cadre of cyber security professionals, these need to be underpinned by a significant improvement in the teaching of mathematics, and in particular computer science, in schools. For that reason I fully support the moves made by Michael Gove and the coalition government to overhaul the way that IT is taught in schools.

We do need to ensure that this overhaul comes to fruition, so that there is a pool of young people in the UK both to draw into the profession and to ensure, in the long term, that the general public’s understanding of basic cyber security is such that everyone can safely access government services and conduct business online.

References

[1] Cabinet Office (2011), “The UK Cyber Security Strategy: Protecting and promoting the UK in a digital world”, Cabinet Office, November 2011.

[2] OECD (2011), “Digital Identity Management for Natural Persons: Enabling Innovation and Trust in the Internet Economy - Guidance for Government Policy Makers”, OECD Digital Economy Papers, No. 186, OECD Publishing.