From traditional hackers to PacCERT

I thought that I would post this piece that formed part of my half-day workshop on information security at PacINET 2008 in the Cook Islands. My slides were almost the same set that I used last year in Honiara.

Historically speaking, information security is not new. There is evidence of people protecting and of course attacking information in all cultures as far back as there is a historical record. If we take early missionary accounts in Fiji, for example, as containing at least a kernel of truth, we find that access to spiritual information was a closely protected monopoly of a priestly class. The confidentiality, integrity, and availability of information from the world beyond – which was extremely valuable information about the weather, the future, the correct course of action, and many other things – was strictly limited to established priests who seem to have been kept under close control by the chiefs.

However, even pre-European contact Fiji had its hackers. Living at the fringes of Vitian society were (and still are in remote areas) medicine men and witches who could also tap into spiritual information. Their status as relative social outsiders made them either an enemy or a counter-balance to the priestly information monopoly. Some witches and medicine men could even hack (I mean, influence) the spiritual world and alter the confidentiality, integrity, or availability of information to priests.

Even the technology focused information security that jumps to mind when we hear terms like infosec, has very old and mostly military roots going back in Europe to before the time of Christ. One perspective that is used in military, governmental, and business circles today is that information security forms the defensive aspect of information warfare – that is the part of information warfare that is concerned with protecting information assets. For example, information security was something that the USA knew that Iraq was lacking in the first Gulf War in 1991 when they disabled Iraqi air defense computers with a virus smuggled in on dot matrix printers (see Dorothy Denning, Information Warfare and Security, 1991).

Of course, with the rise of the personal computer and the Internet in recent history, information security has become much more than a military concern. With the growth of the so-called information economy has come an equal and predicable growth of information crime, leading to some staggering statistics including a 2005 estimate that the cost of computer crime in the USA exceeded the size of the combined economies of all the nations in the South Pacific.

I have been quoted in the past as saying that despite all of the fascinating mathematics and technology that underly modern infosec, information security is fundamentally a very human discipline. Certainly, no one likes to have money stolen from them, but increasingly information security is focusing on our privacy, our public personae, our collective identity, our fundamental rights, and even our legal identity.

Fiji's anti-government bloggers, who are only able to voice their (all too often slanderous) opinions due to technology which assures their anonymity, are playing a role in shaping the future of Fiji and the region. Only time will tell how significant that role is. However, anonymous political activists everywhere should be wary of the behavior of America's Internet giants in repressive regimes, as they are not always on your side. The most striking example is the case of the activist Shi Tao who was essentially handed over to Chinese authorities by US-based Yahoo. Yahoo, and other international firms, have agreed to work with Chinese authorities in order to gain access to the immense Chinese market.

Information security even has a role in protecting the function of entire nations. Take the case of Estonia, a small former Soviet republic on the coast of the Baltic Sea with a population of around 1.3 million people. In May this year, Estonia moved a certain Russian war memorial to a location more desirable to Estonians but less desirable to Russian nationals living both in and out of Estonia. Soon, various blogs were posting instructions on how to wage a denial of service attack against Estonian institutions, and a little while later, this attack was in full swing bringing down government and financial sector systems across the tiny maritime nation. Should this story concern other, perhaps more tropical, small maritime nations who are rushing to get their institutions online? The answer is a resounding, "Yes".

Still, one of the largest challenges facing information security today is the heady combination of social engineering and user ignorance. Many computer criminals have discovered that hacking just does not pay off as well as simply fooling people into giving up either their money (to help move funds out of Nigeria to help a poor window, for example) or enough information to get to their money. To give a somewhat trivial example, I have never received so many chain emails from people I know since I came to Fiji – and I was part of the first wave of Internet users in Canada. It goes without saying that nations with large populations of new Internet users are more at risk.

Technology policy makers in the South Pacific should indeed be worried by all of this. By joining the global information economy, the region is embarking on an enterprise that is as fraught with danger and as ripe with rewards as the great Melanesian and Polynesian migrations of days past. Fortunately, it is not necessary to sail the seas blind – technology policy navigators need only to look across the ocean to the experiences of other nations to see what problems to expect and which solutions are effective.