Resiliblog

the latest source of comment and analysis from the Institute for Security & Resilience Studies at UCL.

Archive for the 'Cyber' Category

Artificial Intelligence

Jas Mahrra, 10 July 2015

Dr JP MacIntosh, Director of ISRS, recently spoke at the FT’s Camp Alphaville panel on When Markets Become Self-Aware – The Rise of AI. Here is a bit more of what he has to say on the subject.

AI can be and has been oversold, over-packaged, over-expensive and doesn’t do the job. That’s been a recurring pattern since cybernetics morphed into AI after WWII. AI investment waves have come and gone. As the recipient of a recent PhD in the field put it, today’s machine learning is “statistics on steroids”. Yes, that’ll doubtless provide a financial engineering competitive advantage for a narrow window of time, but we’re some way from the singularity, and each competitive advantage snatched at and lost probably doesn’t amount to a singularity, let alone the singularity that those suffering narrow inductive rational rapture have long fantasised. Uncertainty still wins through, as the Flash Crash perhaps demonstrated.

Bash Software Vulnerability – Addressing the root cause

Jas Mahrra, 26 September 2014

TSI Director Tony Dyhouse comments on the recently reported Shellshock vulnerability in Bash.

What is most shocking about this particular situation is that it demonstrates vulnerabilities still exist right at the foundation layers of our software – the operating systems. As a result, everything we layer on top of that can be vulnerable, and this is a totally unsustainable situation. Patching software continues to be a relevant short-term fix, but it cannot be considered a long-term security strategy; we need to decrease the need for it in the future and treat the root cause. To achieve a more stable and secure technology environment in which businesses and individuals can feel truly safe, we have to peel back the layers, start at the bottom and work up. This is utterly symptomatic of the historic neglect we have seen for the development of a dependable and trustworthy baseline upon which to develop a software infrastructure for the UK. Ultimately, this is a lifecycle problem. It’s here because people are making mistakes whilst writing code and making further mistakes when patching the original problems.

TSI is the Trustworthy Software Initiative: http://www.uk-tsi.org/

The SSL debacle

Jas Mahrra, 14 April 2014

ISRS Fellow Vinay Gupta comments on the recently discovered “Heartbleed” exploit.

The new OpenSSL exploit, “Heartbleed”, illustrates some little-considered modes of failure of our modern critical infrastructure environment.

The error itself is trivial: a single line of code contains the equivalent of a minor clerical error. The bug is a little like a reverse buffer overflow: rather than letting assailants write to memory, it allows them to read from memory – including memory containing valuable information like passwords or crypto keys.

https://xkcd.com/1354/

If this bug had affected one site, it would have been unimportant. However, the severely under-resourced team maintaining the OpenSSL library were actually servicing some 20% of the internet. Because the software worked and was available without cost, it was everywhere.

OpenSSL was widely regarded as a basket case from the beginning: security researchers considered the software (originally written for at most casual use) to have been built on top of far beyond its fundamental integrity. Heartbleed is not the last bug of this size that this codebase might conceal.

There are allegations that the NSA knew of Heartbleed for several years and exploited it as part of ongoing internet monitoring operations. The NSA strenuously denies this. There is no doubt, however, that trade on the internet has been vulnerable for several years because of this undetected bug, and if any agency (on any side) detected it, they would have had a substantial intelligence gathering advantage.

These issues do not start and end with e-commerce and secure email. There is every possibility that SCADA and smart cities projects are also affected, and potentially systems like aircraft avionics software development environments.

Bugs are contagious. A breached password is used to load malware, the malware is used to compromise source code, the source code opens up a back door in a factory or on a plane. Contagion was very real in the financial markets, and it is equally real in the sociotechnical systems which develop and support our high-tech economy. We must be wary.
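As an added illustration of the read-from-memory failure mode Gupta describes above (a request whose header claims more payload than was actually sent, and a responder that copies the claimed amount), here is a small C model written for this page. It is not OpenSSL's code and not the real TLS heartbeat wire format: the record layout, the 64-byte receive buffer and the 'K' bytes standing in for stale key material are all constructed for the example. It shows the trusting responder beside the checked one, and counts how many stale bytes the trusting one echoes back.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a heartbeat-style request: two big-endian length
 * bytes followed by the payload the responder is asked to echo back.
 * Teaching model only, not OpenSSL's code or the TLS wire format. */
#define RECORD_BUF_SIZE 64
#define STALE_BYTE 'K'   /* stands in for key material left in memory */

typedef struct {
    uint8_t buf[RECORD_BUF_SIZE];  /* receive buffer, reused across records */
    size_t received_len;           /* bytes that actually arrived this time */
} record_t;

/* Build a request whose header claims `declared_len` payload bytes but
 * which actually carries only strlen(payload) bytes. The rest of the
 * buffer is pre-filled with STALE_BYTE to model leftover sensitive data. */
static void fill_record(record_t *r, uint16_t declared_len, const char *payload) {
    size_t plen = strlen(payload);
    memset(r->buf, STALE_BYTE, sizeof r->buf);
    r->buf[0] = (uint8_t)(declared_len >> 8);
    r->buf[1] = (uint8_t)(declared_len & 0xff);
    memcpy(r->buf + 2, payload, plen);
    r->received_len = 2 + plen;
}

static uint16_t declared_length(const record_t *r) {
    return (uint16_t)((r->buf[0] << 8) | r->buf[1]);
}

/* The clerical error: trust the peer's declared length and copy that many
 * bytes out of the receive buffer without comparing it with received_len.
 * The clamp to RECORD_BUF_SIZE only keeps this model memory-safe; the real
 * bug had no such bound and could read far past the record. */
static int vulnerable_heartbeat(const record_t *r, uint8_t *out, size_t out_size) {
    size_t n = declared_length(r);
    if (n > RECORD_BUF_SIZE - 2) n = RECORD_BUF_SIZE - 2;
    if (n > out_size) return -1;
    memcpy(out, r->buf + 2, n);
    return (int)n;
}

/* The fix: reject any request whose declared length exceeds what arrived. */
static int checked_heartbeat(const record_t *r, uint8_t *out, size_t out_size) {
    size_t n = declared_length(r);
    if (2 + n > r->received_len) return -1;   /* header lies about its size: drop it */
    if (n > out_size) return -1;
    memcpy(out, r->buf + 2, n);
    return (int)n;
}

/* Count echoed bytes beyond the genuine payload that are stale memory. */
static int count_stale_bytes(const uint8_t *out, size_t n, size_t payload_len) {
    int leaked = 0;
    for (size_t i = payload_len; i < n; i++)
        if (out[i] == STALE_BYTE) leaked++;
    return leaked;
}

/* Scenario: the peer claims 40 payload bytes but sends only "hello". */
#define DECLARED_LEN 40
static const char PAYLOAD[] = "hello";

int demo_vulnerable_leak(void) {
    record_t r; uint8_t out[RECORD_BUF_SIZE];
    fill_record(&r, DECLARED_LEN, PAYLOAD);
    int n = vulnerable_heartbeat(&r, out, sizeof out);
    return n < 0 ? -1 : count_stale_bytes(out, (size_t)n, strlen(PAYLOAD));
}

int demo_checked_rejects(void) {
    record_t r; uint8_t out[RECORD_BUF_SIZE];
    fill_record(&r, DECLARED_LEN, PAYLOAD);
    return checked_heartbeat(&r, out, sizeof out);
}

int demo_checked_honest(void) {
    record_t r; uint8_t out[RECORD_BUF_SIZE];
    fill_record(&r, (uint16_t)strlen(PAYLOAD), PAYLOAD);
    return checked_heartbeat(&r, out, sizeof out);
}

int main(void) {
    printf("trusting responder echoed %d stale bytes\n", demo_vulnerable_leak());
    printf("checked responder, lying header: %d (-1 = rejected)\n", demo_checked_rejects());
    printf("checked responder, honest header: %d bytes echoed\n", demo_checked_honest());
    return 0;
}
```

The point of the model is that the defect and its fix are both one comparison: the checked responder does nothing the trusting one does not, except refuse to believe a length field that the received record cannot back up. Bounds on attacker-supplied lengths need to be checked against what was actually received, not against the size of the buffer they will be copied into.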

The challenge of linking national security to economic stability is only just beginning.

Dan Fox, 8 March 2012

The following is a news release from Rt Hon Lord Reid of Cardowan, Chair of ISRS:

We welcome the call from the Joint Committee on National Security Strategy for the government to better link the ongoing economic crises with national security. Those of us committed to resilience have been advocating this for over a decade.

However, there is much still to be done if the Committee’s recommendations are to become workable realities. Bringing together orthodox approaches to economics and security could merely reinforce the groupthink that tends to characterise these policies, rather than improve strategy.

National security is the first duty of government but as an island nation the UK at its best has always dealt with the reality of networks, whether real (such as those of goods or people) or virtual (such as cyberspace or financial trading). National economic security must not be equated with protectionism. Protectionism is no substitute for competitiveness in economics or security.

Historically, combining financial services with manufacture, merchant marine and the Royal Navy made the UK an unprecedented asymmetric power. Cyberspace offers a new environment, and one of great prospects, which both enrich and endanger. In partnership with public, private and academic colleagues, ISRS is developing tools and methods for surviving and thriving in this new environment.

One such example is the practice of Net Assessment: the comparative analysis of economic, social, political, and other factors governing the relative capability of countries and organisations, in order to identify competitive advantages and dangers that deserve the attention of decision-takers.

We are keen to support the significant work that now needs to be done.

ENDS

For more information: Dan Fox +44 (0) 20 3108 5074.

Cyber: “There are a lot of good people doing lots of good things” but…

Dan Fox, 9 June 2011

Last night, ISRS Chair, Rt Hon Lord Reid of Cardowan, was interviewed on the BBC World Service’s Newshour about cybersecurity and resilience, and the launch of Cyber Doctrine.

John’s interview begins at 37.40.

A full transcript is below.

BBC World Service Newshour’s Lyse Doucet interviews Lord Reid – 8 June 2011

LD: An attack a day and even more on the Ministry of Defence in London, that’s what Britain’s Minister of Defence, Liam Fox has revealed in talking about the threat posed by ‘cyber attacks’.  Another report said the attack on the sensitive computer network could run into thousands every month.  The growing dangers of ‘cyber crime’ have been concentrating minds in western capitals around the world.  This growing evidence of the threat comes from many sources, whether it’s clever hackers or criminal networks in states as well.  Accusing fingers have been pointed in recent years to both China and Russia.  So how should Governments tackle the threat? John Reid is a former British Home and Defence Secretary, he’s now Chairman of the Institute of Security and Resilience Studies here in London.  I asked him what he made of the figure of thousands of attempted infiltrations.

JR: That’s only the tip of the iceberg; there are other estimates on the American whole public system which has proven to be 50,000 an hour.  Now that doesn’t mean to say they’re all malware or they’re all vicious attacks but these are unidentified and un-attributable entries into their system.  The one thing it does illustrate I think, whether it’s in the United States, here, China or anywhere else in the world, is that we’re dealing not just with the new technology, we’re dealing with a completely new domain.  This is a man-made environment – probably the first man-made environment and it permeates absolutely everything we do, it’s almost like a force of nature like the sea or the weather.  The old legal structures and political structures, government powers and the business cultures and so on are so often inadequate and why I and others at the Institute of Security and Resilience Studies want to try and address this bigger picture, get a conceptual framework for handling them in the absence of the ability of our inherited legal structures and powers to do so.

LD: Well it’s interesting that you use the metaphor about force of nature because what we’re seeing is that the forces of nature are getting so much more brutal and devastating such as governments and others can’t keep up with them.  Is it the same in this sphere of cyber attacks?

JR: Well it is to some extent you see, because although there are a lot of good people doing lots of good things, they tend to be doing it in sort of silos so that we’re technologically patching up this or that system, when a virus is found here we’re patching up this computer system or this software system so what’s missing from that is if you like, a conceptual framework.  I call it a doctrine and that is what we’re going to try and start rolling at the end of June in London and although we’re launching it through the Institute in London, it’s open to everyone to take part in and we hope that the lead will be taken in building on this by governments and corporates and bright individuals throughout the world.

LD: You’re emphasising this that every country has to do it but these threats are transnational, we’ve seen some rollback on intelligence cooperation, is this an area where it really does have to be transnational?

JR: Oh I think the nature of this cyber is that it is transnational and just as in the beginning when people started on the sea, a great force of nature to expand across the seas when the great empires did it, they had to develop a doctrine for handling risks, for reassurance, for piracy, for all sorts of dangers that came alongside the opportunities. Now that was a big enough problem.  With cyber it’s even more difficult because of course generally with the extension of empires, there are one or two powers, now, cyber, the internet, digital communications empower every individual on this globe potentially, not just states but non-state actors and therefore you not only get old legal frameworks that are not capable of keeping up with the threats, possibilities and dangers of the cyber environment, but the present power structures – national and international are also rendered relatively impotent since cyber itself is passing power down to individuals.  One of the elements has to be continual innovation.  If you’d like me to give you an example, in most of the countries in the world when you recruit to the public sector, you look for selection criteria for the people who will join it, including their tendency to stay within the rules, to think within the guidelines, to adhere to the common discipline, not to think outside the box, not to rebel, but it’s precisely that type of thinking that is necessary in the new cyber environment.

LD: And that was Lord Reid of the Institute of Security and Resilience Studies in London talking about the growing threat posed by cyber attacks.

ISRS around the web #1

Dan Fox, 8 June 2011

ISRS Chair, Rt Hon Lord Reid of Cardowan, wrote for The Guardian on 3 June on the risks and opportunities in cybersecurity and resilience:

“The cyber world, including the internet, brings huge benefits and opportunities. It can cut resource waste, open new business markets, expand learning and understanding, strengthen citizen politics, and bring many other social, educational and information advantages. All of which could sow a wide and deep resilience – which is as much about creativity and innovation spurring social and economic growth as it is about research to defend our way of life.”