Chapter 1

Understanding the Past and Present Cyber-Information World Environment

Abstract

The objective of this chapter is to provide a general overview of the cyber-information-dominated and information-technology-dependent and constantly changing global environment in which the cyber security officer must work.

Keywords

Communications technology; Cost-effective cyber security program; Cyber information; Cyber security officers; Cyberspace; Global information infrastructure (GII); Internet-enabled communications; National information infrastructure (NII); Off-ramp

This is a terrible time of unwanted liberties

Sandy Nichol1

Chapter Objective
The objective of this chapter is to provide a general overview of the cyber-information-dominated and information-technology-dependent and constantly changing global environment in which the cyber security officer must work.

Ah, the Good Ol’ Days!

Yes, much has happened and yet, little has changed.
What has not changed are the threats, vulnerabilities, and risks to information and information systems. What has changed is the level of sophistication of the threats—the attacks and the threat agents—as well as the exponentially growing number of them all over the world and from various sources.
Information2:
1. Facts provided or learned about something or someone.
2. What is conveyed or represented by a particular arrangement or sequence of things.
2.1. Computing Data as processed, stored, or transmitted by a computer.

2 Oxford Dictionary.

We have gone from an environment of young hackers with a 300-baud external modem, writing hacker programs in BASIC, looking for dial-up tones, to a world of extremely sophisticated attackers, from government agents to organized crime groups to terrorists. Yes, the teenage hacker and “computer enthusiast” is still out there among the threat agents a cyber security officer must face; however, compared to the others out there now, one only wishes for some of the good ol’ days when such hackers were the greatest threat to information and systems.
Even so, it is important to understand the environment in which today’s cyber security officer must do battle—and yes, it is a battle, and yes, we are at war and should be on a war footing. However, we are not, and thus, we are losing to those threat agents who are attacking our systems and destroying our information, or stealing our information, 24/7.
We live in a world of information, known these days as cyber information, computer information, the information environment, or the like. More than ever, the world wants to talk to the world about anything and everything. In fact, the world now demands it at an unprecedented scale and is doing it at a level never seen before. Thus, vulnerability types and numbers have also continued to increase.
Furthermore, the users that the cyber security professional must support and defend do not want to be tied down to any physical location. Today’s users, which basically means pretty much all of the technology-driven world and increasingly those in the Third World, who may not have running water but do have a cell phone and increasingly Internet and other network connections, want—demand—it all, with mobile capabilities!
Information is pulled, pushed, dragged around the world through wireless, cable, optical fiber, satellite, and other assorted physical and increasingly more than ever mobile devices—and all of us along with it. We are dependent on information as individuals, companies, and government agencies. In fact, has that not always been the case? It’s just that now, it is in a cyber form more than ever.
In days gone by, information was communicated by word of mouth, by drums, by smoke signals, in writing carried by couriers on horseback, by telegraph, by telephone, and now through the use of high technology.
The difference today is that in the “modern” countries of the world, we are more dependent on information and the high technology that allows us to communicate and do business, globally, at the speed of light. Today, more than ever, information—accurate information, and more of it, delivered faster—allows one an advantage. More than ever, this applies not only to companies—especially the increasing number of them going or trying to go global to take advantage of opportunities for new customers—and to governments of nations, but also to groups and individuals. We have all been sucked into the quicksand of technology dependency.
Fast, accurate, and complete information that is secured and protects privacy—yeah, good luck with that one—is what is demanded; however, it is seldom realized these days as our identity, networks, and information are hacked, sold, and misused. The old saying “information is power” is probably more true today than ever before.
Information of greatest value must be:
Accurate, acted upon correctly, and acted upon before it is used by the adversary, e.g., a competitor, another government, etc.
Remember that if the information you need is on an information system that is a victim, for example, of a successful denial-of-service attack, important information could not get to you or others at the right time so that you or they could use that information to your advantage; this may have serious consequences in terms of lives, money, or other negative factors.

Understanding Your Information-Driven Environment

As a cyber security officer, it is very easy to get caught up in high technology and view that as “your world.” After all, in today’s high-technology-driven and high-technology-dependent world, and one can also say cyber world, it is very easy to look at information and high technology as your working environment, as what causes your problems, and as where the solutions to your problems lie. However, the truth is that high technology is just a tool like any other tool. And as with any tool, it can be used as intended, abused, or used for illegal purposes—by people.
It seems that we are so focused on the information and technology for answers to cyber security and mitigating risks, we forget our first priority should be the people who are using and abusing these systems and information. It is especially necessary to focus not only on the outside threat agents but also on those people who have authorized access to those systems and information.
In today’s information world environment that a cyber security officer must work in, it is much more than just high technology. You, as a cyber security officer, must understand this world and also us humans, as all these topics have a direct bearing on the protection of information and information systems—cyber security. They include such things as:
• Global and national marketplaces;
• Global and nation-states’ economies;
• International politics;
• World cultures and societies;
• International and national laws and treaties;
• Major languages of the world;
• Major religions;
• Business;
• Human relations and psychology; and
• Governments of nation-states.
To be successful, the cyber security officer should have a varied background not only in such things as computer sciences but also in psychology, criminology, social science, geopolitical matters, international business, world history, economics, accounting, and finance. Also, the more foreign languages the cyber security officer knows, the better. Volumes have been written about each of these topics. It would behoove the cyber security officer to have a working understanding of each of these topics, as they all affect the cyber security officer’s ability to successfully establish and manage a successful cyber security program. There are few professions today that offer the challenges that face the cyber security officer, whether that person is in a government agency or business—no matter what country or business that person works for.
Cyber security officers must understand the world in which they will work in order to be successful. In the past, this understanding was generally limited to the company or government agency in which that person worked, and to its computer systems, which were isolated within the company or government agency or even just in one’s home. The cyber security officers generally were once concerned only with the events that took place within their respective working environment or living environment or even just within their country, as what happened outside of that limited world usually did not affect their work or life. However, that was in the past.
If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
Sun Tzu
The environment of the cyber security officer that may affect the protection of information and information systems is now global in scope, and high technology and global networking are changing more rapidly with each passing year. This new global environment and its associated high technology must be clearly understood. This is because it is all integrated into a driving force that will dictate what must be done to protect the information systems and the information that they store, process, display, and transmit. It will also determine how successful the cyber security officer’s information systems security program, now generally referred to as cyber security program, will be in providing protection at the lowest cost to the business or government agency.
Today’s computer system environments—networks that span the globe—are all based on the microprocessor. Microprocessors have become cheaper and more powerful at the same time. This is the primary cause for their proliferation throughout the world. Some say that today’s cell phone has more computer power than the computer systems in the vehicle that landed on the moon.
When we think of computers, we sometimes look at them as very complicated devices, when in fact it is not that difficult to understand the basics at least. Computers are composed of hardware, the physical pieces; software, the instructions to the computer, which can be altered; and firmware, which are instructions embedded on a microprocessor. The process includes input, process, output, transmit, and storage. Your cyber security program can be broken down into these elements and each looked at to defend as a separate entity and then in a holistic manner.
There is a rumor going around that at least one nation-state involved in computer building and sales has embedded into the firmware a code that allows that nation-state to gain access to that sold computer, bypassing security software, when it wants.
It was also rumored that, in the past, there have been covertly installed electrical outlets that allowed the manipulation of the electrical current to turn a desktop computer on, download information, and turn the system back off. Some say that was valid only some years ago; however, today’s modern systems have eliminated that risk.
Of course the more a cyber security officer knows about how hardware, firmware, and software work, the better position that person will be in to protect those systems and the information they process, store, display, and/or transmit.
In many of today’s information-based nation-states, we have been able to network thousands of systems because of the rapid advances in high technology and cheap hardware. We have built the information systems of the nation-states’ businesses and government agencies into major information infrastructures some call national information infrastructures. A stand-alone computer system (one with no external connections between it and other computers) today is relegated to a small minority of businesses and government agencies. We cannot function in today’s business world and in our government agencies without being connected to other information systems—both national and international.
The protection of information systems and the information that they process, store, display, and/or transmit is obviously of vital concern in this information world. Many nation-states are already in the Information Age, progressing into what some call the “Knowledge Age,” with many other nation-states now entering the Information Age and yet many more close behind. This will obviously complicate the problems of the cyber security officer, as in this case the phrase “the more the merrier” describes something a cyber security officer does not want to deal with, because it means more threats, more vulnerabilities, simply by connecting to their systems.
The cyber security officer must remember that the cyber security program must be service and support oriented. This is of vital importance.
The cyber security officer must understand that the cyber security program, once it is too costly, is outdated, and does not meet the service and support needs of the business or government agency, will be discarded or ignored. So, one of the cyber security officer’s challenges is to facilitate the networking of systems nationally and internationally while protecting company information and systems, but mitigating the risks in a cost-effective manner.
To provide a cost-effective cyber security program, the cyber security officer must continually keep up with high technology. That person must be familiar with technological changes in general and intimately familiar with the technology being planned for installation within his or her business or government agency.
The cyber security officer must understand how to apply information protection (cyber security) and integrate it around, and onto, the new high technology. Failure to do so would leave the information and his or her systems vulnerable to attack. In that case, the cyber security officer would have a serious problem—possibly a job security problem—if a successful attack occurred owing to the new-found vulnerability brought on by the newly implemented technology.
Management in businesses and government agencies will hold the cyber security officer responsible for any successful attacks, whether or not it was management or the technical staff that was clearly responsible for the vulnerability that allowed the successful attack. Such is the nature of the position.
The cyber security officer could delay installation of the new high technology until a suitable information protection “umbrella” could be installed. However, in most businesses, this would be considered a career-limiting or career-ending move. In today’s business world, the phrase “time is money” is truer than ever. In today’s and tomorrow’s highly technology-based environment, innovation and flexibility are key words for the cyber security officer to understand and apply to the company’s or government agencies’ information protection program.
Thus, the cyber security officer has very little choice but to support the installation of the new high technology and incorporate information protection as effectively and efficiently as possible. And one of the ways to successfully provide that service and support is to keep up with technological changes.

Global Information Infrastructure

The importance of information protection continues to grow, as we become more and more dependent on high-technology systems. The networking of systems around the world is continuing to expand the global information infrastructure (GII). Today, because of the microprocessor and its availability, power, and low cost, the world is “building” the GII. The GII is the massive international connections of world computers that are carrying business and personal communications as well as those of the social and government sectors of nation-states. Some say it could connect entire cultures, erase international borders, support “cyber economies,” establish new markets, and change our entire concept of international relations.
The GII is based on the Internet and much of the growth of the Internet. The GII is not a formal project; rather, it is the result of the need of thousands of individuals, corporations, and governments to communicate and conduct business by the most efficient and effective means possible.
The importance of information protection takes on added meaning because of the increased threats to the systems and the information they store, process, display, and transmit owing to this expanded connectivity provided by the GII. After all, it will come as no surprise that there are people and nation-states in the world that consider your company and your country an adversary—the enemy. That being the case, they will do whatever they can to meet their own objectives—generally at the expense of your company or nation-state.

National Information Infrastructure

The national information infrastructure (NII) is basically the network of computers upon which the nation-state and its people rely in this information–knowledge age. The NII is the high-technology, critical information infrastructure of a nation-state. The critical infrastructures, according to several nation-states, are generally defined as systems whose incapacity or destruction would have a debilitating impact on the defense or economic security of the nation-state. They include:
• Telecommunications,
• Electrical power systems,
• Gas and oil,
• Banking and finance,
• Transportation,
• Water supply systems,
• Government services, and
• Emergency services.
Many have been sounding the alarm for some time now of the vulnerability to and the catastrophic results of some adversary such as terrorists hacking into such systems and setting off a nuclear meltdown, opening the floodgates of dams, and other catastrophes.

How Did We Get from Adam to the Internet?3

The use of the Tofflers’ model of technological evolution provides a useful framework for discussing changes arising from the impact of technology, generally, and the Internet specifically. For those of you who have never heard of Alvin and Heidi Toffler, read their books. Yes, they were written maybe before you were born, but the Tofflers are excellent futurists who looked into the future, which is now ours, and their books point to where we have been and what may be coming.
The model begins by describing the Agricultural Age, which lasted from about the time of Adam until about 1745 in the United States. Manual labor and a focus on accumulating a minimum food surplus to allow for governance characterized this long period. During this time, technological progress was very limited, slow, and laborious. The major lack of understanding of even the most basic concepts of science impeded progress.4
Warfare, although common, was generally short in duration and was often decided by major battles or campaigns lasting less than a year, with some exceptions, such as the Hundred Years’ War and the Crusades. Although large armies were possible (at one point the Roman Empire fielded more than 700,000 soldiers), there were limited and relatively ineffective methods for communicating and controlling more than a small percentage of these forces. Runners and horse-borne message couriers supplemented by flags and other visual media were the major methods of remote communication.
The “Industrial Age,” in the United States, lasted a much shorter time, only from approximately 1745 until about 1955. The defining event of the Industrial Age was the introduction of the steam engine, which allowed mechanical equipment to replace muscle-powered efforts of both humans and animals. These devices introduced a new and much accelerated pace of technical innovation. During this 200-year period, there was a dramatic expansion of human knowledge and understanding of the basic principles of physical science. Enhanced agriculture allowed nations to accumulate huge food surpluses. Upon the foundation of the food surplus, the nation-states increased their power, which was driven by mass production. Mass production of weapons and the mass slaughter of both combatants and noncombatants characterized the conflicts of this period.5
Communications technology evolved from primitive signaling involving lanterns and reflected lights (heliograph) to supplement the continued use of human couriers, whether riding horses, trains, or waterborne craft. The inventions of the telegraph in the early 1800s, followed in the late 1890s by the telephone and then by wireless radio in the early 1900s, were essential evolutionary steps toward today’s telecommunications infrastructure.
The “Information Age” in the United States, according to the Tofflers, began about 1955, which is the first year that the number of white-collar employees exceeded the number in blue-collar production jobs. This has been the era with the most explosive growth in human knowledge. More has been discovered in the past 50 years in both science and engineering than in the thousands of years of recorded human history. In the information age, knowledge is growing exponentially.
The pace of evolution in communications and other technologies accelerated during the early years of the Information Age with the advent of satellites, fiber-optic connections, and other high-speed and high-bandwidth telecommunications technologies.
It is in the context of this phenomenal growth of technology and human knowledge that the Internet arises as one of the mechanisms to facilitate sharing of information and as a medium that encourages global communications.
In the past, the U.S. General Accounting Office, in a report to Congress, detailed the rapid development of the telecommunications infrastructure in the United States, resulting in the creation of three separate and frequently incompatible communications networks:6
• Wire-based voice and data telephone networks,
• Cable-based video networks, and
• Wireless voice, data, and video networks.
From that past until now, look how far we have come, and imagine, as a cyber security officer, what is yet to come. It behooves all cyber security officers to always project into the future and plan now to address the future environment in which the cyber security officer will work and wage war again all adversaries to their networks (hardware, software, information, data, users, and other entities) for which they are responsible.

Birth of the Internet7

It is vital to understand the history and ever-changing environment if the cyber security officer is to succeed in fulfilling all duties and responsibilities through a cyber security program that defends his or her networks against “all enemies, foreign and domestic.”
The global collection of networks that evolved in the late twentieth century, and continue to evolve in the twenty-first century, to become the Internet represents what could be described as a “global nervous system,” transmitting from anywhere to anywhere facts, opinions, and opportunity. However, when most security and law enforcement professionals think of the Internet, it seems to be something either vaguely sinister or of such complexity that it is difficult to understand. Popular culture, as manifested by Hollywood and network television programs, does little to dispel this impression of danger and out-of-control complexity.
The Internet arose out of projects sponsored by the Advanced Research Project Agency in the United States in the 1960s. It is perhaps one of the most exciting legacy developments of that era. Originally an effort to facilitate sharing of expensive computer resources and enhance military communications, over the 10 years from about 1988 until 1998 it rapidly evolved from its scientific and military roots into one of the premier commercial communications media. The Internet, which is described as a global meta-network, or network of networks, provides the foundation upon which the global information superhighway will be built.8
It was not until the early 1990s, however, that Internet communication technologies became easily accessible to the average person. Prior to that time, Internet accesses required mastery of many arcane and difficult-to-remember programming language codes. However, the combination of declining microcomputer prices, enhanced microcomputer performance, and the advent of easy-to-use browser software created the foundation for mass Internet activity. When these variables aligned with the developing global telecommunications infrastructure, they allowed a rare convergence of capability.9
It has now become a simple matter for average people, even those who had trouble programming their VCRs, to obtain access to the global Internet and with the access search the huge volume of information it contains. The most commonly accessed application on the Internet is the World Wide Web (Web). Originally developed in Switzerland, the Web was envisioned by its inventor as a way to help share information. The ability to find information concerning virtually any topic via search engines from among the rapidly growing array of Web servers is an amazing example of how the Internet increases the information available to nearly everyone. One gains some sense of how fast and pervasive the Internet has become as more TV, radio, and print advertisements direct prospective customers to visit their business or government agency Web sites.
An important fact to understand, and which is of supreme importance for security and law enforcement professionals, is that the Web is truly global in scope. Physical borders as well as geographical distance are almost meaningless in “cyberspace”; the distant target is as easily attacked as a local one. This is an important concept for security and law enforcement professionals to understand because it will affect their ability to successfully do their jobs. The annihilation of time and space makes the Internet an almost perfect environment for Internet robbers. When finding a desired server located on the other side of the planet is as easy and convenient as calling directory assistance to find a local telephone number, Internet robbers have the potential to act in ways that we can only begin to imagine. The potential bonanza awaiting the Internet robber, who is undeterred by distance, borders, time, or season, is a chilling prospect for those who are responsible for safeguarding the assets of a business or government agency. As the ISSO, you have responsibility for deterring these miscreants, as well as helping security and law enforcement personnel investigate them.

“Future Shock”

With appreciation for the Tofflers’ book Future Shock, the reaction of people and organizations to the dizzying pace of Internet progress has been mixed. Although some technologically sophisticated individuals and organizations have been very quick to exploit the potential of this new technology, many have been slower, adopting more of a wait-and-see posture. The rapid pace of evolution of the Internet does raise some questions as to how much a society can absorb and how much can actually be used to benefit organizations in such a compressed time frame. Sometimes lost in the technological hype concerning the physical speed of Internet-enabled communications or the new technologies that are making it easier to display commercial content is the reality of the Internet’s greatest impact: It provides unprecedented access to information. The access is unprecedented in terms of the total volume of information that is moving online and may be tapped for decision-making.
It also is unprecedented when we consider the increasing percentage of the world’s population that enjoys this access. More and more information moves online and becomes available to more and more people, causing fundamental changes in how we communicate, do business, and think of the world we live in. Consequently, there are also fundamental changes in how criminals and miscreants commit crimes.
Throughout much of human history, the educated elites of every culture have jealously guarded their knowledge. Access to knowledge, whether in written or spoken form, was often the source of the elite’s privileged position and often allowed them to dominate or control the great uninformed masses of uneducated humanity—information was and still is a means to power. “Outsiders” were never granted accesses to the store of wisdom unless they were inducted into the privileged elite. Now, however, the average Internet traveler, wherever resident, with little more than a fast modem and a mediocre microcomputer, can access, analyze, and/or distribute information around the world on almost any topic.
Some pundits decades ago had concluded that we now live in an era in which there are “no more secrets.” By some estimates, early in this century there will be more information published and available online than has ever been accessible in all the libraries on earth. How this torrent of information will be managed to ensure that Internet robbers do not wreak havoc and dominate the Internet, or have power over others, is now (or should be) the primary objective of every security and law enforcement professional whose business or government agency travels the Internet.
So, what do you think of our current environment? Are we winning or losing the cyber security battles and wars?

Road Map for the Internet

The Internet can be compared in some ways to a road map for a superhighway. Some basic examples will help explain it in common terms.
When multiple computers (whether microcomputers or larger) are linked together by various communications protocols to allow digital information to be transmitted and shared among the connected systems, they become a network. The combination of tens of thousands of organizational networks interconnected with high-capacity “backbone” data communications and the public telephone networks now constitutes the global Internet. However, there is a major difference in this environment that is important to consider for security and law enforcement professionals.
When the isolated byways of individual business or government agency networks become connected to the global Internet, they become an “off-ramp” accessible to other Internet travelers. The number and diversity of locations that provide Internet “on-ramps” are vast and growing. Today, one can access the Internet from public libraries, cybercafés in many cities around the world, even kiosks in some airports. These and other locations provide Internet on-ramps to anyone who has a legitimate account—or an Internet robber can hijack one from an authorized user.
Typically a business or government agency will use centrally controlled computers, called servers, to store the information and the sophisticated software applications used to manage and control its information flow. These systems could be equated to a superhighway interchange.
Commonly business and government agency networks are considered private property and the information they contain as proprietary for the exclusive use of the organization. These business and government agency networks are connected to large networks operated by Internet service providers who provide the equivalent of toll roads and turnpikes—the highways for the flow of information.

The Internet: No Traffic Controls

The Internet challenges the security and law enforcement professional with an array of new and old responsibilities in a new environment. From the perspective of managing risks, this new access to information creates new kinds of dangers to businesses and government agencies. It also allows well-understood security issues to recur in new or unique ways. No longer can organizations assume they will obtain any security through obscurity, no matter where they are physically located. In other words, because there is an Internet off-ramp, they will be visible to Internet robbers. Everything from a nation’s most critical defense secrets to business information is vulnerable to easy destruction, modification, and compromise by unauthorized Internet travelers.
Too often careless managers fail to take adequate measures to safeguard sensitive information, which results in premature disclosure with attendant adverse impact. The major part of the controllable risk arises from inadvertent disclosure to the ever-vigilant eyes of Internet robbers and others, such as competitive intelligence analysts with Internet access.
When the Internet was limited to scientists, academic researchers, and government employees, such a collaborative framework was probably a very cost-effective means of controlling the virtual world. However, in the early 1990s, for the first time there were more commercial sites than educational and governmental sites using the Internet. Since that time matters have become increasingly complex. The informal array of social sanctions and technical forums for cooperation is no longer capable of ensuring a modicum of civilized behavior.

What Has Been the Impact of the Internet?

It is apparent that the Internet has rapidly become a significant element in modern society, figuring in advertising, films, and television, even facilitating the rapid dissemination of investigative reports involving a U.S. president. The Internet has provided many additional information services, and they are all becoming easier to access. The two primary new avenues for increased volume of information access are the Web browser and net-enabled e-mail. This increased access to information has been principally an advantage for law-abiding citizens and legitimate businesses, but it also offers both hardened and prospective Internet robbers new, high-speed venues for perpetrating their crimes and schemes.
Almost everyone working in America has been exposed to some form of computer technology. From the front-line retail clerk at the local fast-food franchise, to the Wall Street analyst, to the farmer planning his crop rotations, individual work performance has been substantially enabled by the widespread proliferation of microcomputer technologies. But the macro impacts on organizations are in some ways less remarkable than they have been for individuals. Go to any good computer store, or better yet, if you have Internet access, browse the Web sites of major microcomputer manufacturers. You will discover a wide range of systems with memory, speed, and storage capabilities that would have been descriptive of large, mainframe-type computers in the early 1980s. For example, a large regional bank in southern California in the late 1980s operated its electronic wire/funds transfer machine with only 48 MB of RAM and 120 MB of disk storage, and the system transferred billions of dollars nightly for the bank. Now a much greater performance is available to anyone with a few hundred dollars in a cell phone.
In business, it has become in some ways a David versus Goliath world, in which the advantages do not always accrue to the organization that can field the bigger battalions. Advanced information technology was once the province exclusively of governments, the military, universities, and large corporate entities. This is no longer true. Now anyone with a modest investment in hardware and software can acquire a powerful processor and attach it to the Internet. It should be obvious that criminals and those with criminal intentions also have access to powerful information technology. The question remains: How will they use it?
As we consider the potential for criminal actions directed against organizations, it is critically important to consider these factors. The same information technology we use to manage our organizations can and will be used by savvy Internet robbers to the detriment of governments, businesses, and others.
When powerful microcomputers are networked, the communication capabilities inherent in these arrangements multiply their value. A single microcomputer standing alone is little more than a sophisticated typewriter or calculating machine. The real power comes when individual machines link together to create networks that will allow the flow of information from one person to the entire world. As a case in point, consider the story of Russia’s transition from communism. When the military coup against Gorbachev occurred in the early 1990s, the military plotters seized control of all the classic means of communication: newspapers, telephones, and radio and TV stations. However, the anti-coup forces quickly drove their message on the Internet to get word to the outside world of the situation, and timely communications played a significant part in defeating an attempt by the most powerful military and police apparatus on earth to regain power over the Russian people.
The capabilities brought to the individual by the Internet are considerable and growing almost daily. One example is the ability to sign up for investment services from low-cost brokerages and stock market advisors and enjoy the kind of timely advice that for generations has been the perquisite of the rich and powerful classes. Grass-roots political organizing and civic action are also enabled. For example, in California, a concerned parent scanned into a database and posted on a Web page the details of the state’s list of sexual predators/pedophiles, thus allowing average people to determine whether there was a registered sex offender residing in their neighborhood.
From shopping for homes and automobiles, where online services promise to eliminate the brokers’ monopoly of information, to traffic, weather forecasts, and directions prior to trips, the Internet is providing more information to more people every day, and we are only at the beginning of that process! The major trend here is clear: There will be more information accessible to more people than has ever been possible in the past. How this information power will be used ultimately depends on the ethics and motives of the individual: Internet robbers can use such power negatively.

Organizational Impacts

The major benefits to organizations of the Internet and related technologies are significant and far ranging. In large part, the impacts may be characterized as dramatically lower costs for transmitting and sharing information. To appreciate how far we have come, before electronic mail became ubiquitous, it took as long as a week for first-class postal mail, derisively called “snail mail” by Internet aficionados, to travel from one coast of the United States to the other. Even the fax machine, which itself was a significant improvement over postal and overnight courier services, requires dedicated fax equipment and operates only from point to point. Contrast these with the capabilities of Internet e-mail. E-mail, which may transit the globe in seconds, allows the recipients to obtain the message when it is convenient; they need not be present to receive it. Through the use of digital attachments, e-mail can carry more information in a convenient compression of transmission times.
Whereas the innocent e-mail user sees only increased speed and volume of communication, security and law enforcement professionals must understand how damaging even one message could be to a business or government agency. A single e-mail message could contain the whole strategic business plan of the organization or the source code to a breakthrough product and could be transmitted anywhere on earth in a nanosecond.
To show that this threat is much more than theoretical, consider the allegations involving two leading Silicon Valley software companies, A and B. Company A accused rival Company B of theft of trade secrets and proprietary source code. Company A’s management alleged as one element in their complaint that a former Company A employee used his company-provided Internet access to transfer source code of key products to his own, personal account. The employee then tendered his resignation. Upon arrival at his home-based office, the now-former Company A employee allegedly downloaded the stolen source code to his home computer system. Employed as a programmer consultant by rival startup Company B, he reportedly used the purloined source code as the foundation for a remarkably similar product created at Company B.10
Another example is a former employee of Company X who was accused of transmitting the source code for a new digital device to rival Company Y. This scheme apparently was discovered only by accident when the highly confidential materials created such a long message that it caused the e-mail system to crash and allowed a system administrator to discover the purported scheme.
These two incidents are drawn from press reports in the media, and it is likely that they are only the very tip of the iceberg. In fact, many organizations do not have the security systems and technologies to detect similar incidents. Because of the adverse publicity and the prospect of a lengthy criminal justice process, even those businesses and government agencies that have been victimized by Internet robbers frequently do not report similar incidents to the proper authorities.

Using the Internet to Share Information

One of the truly remarkable developments in information technology has been the widespread use of the Web browser and related technology to deliver information both to internal employees and to the external customers of an organization. If e-mail could be described as a virtual duplication of the postal services into the global Internet environment, then Web servers can be thought of as kiosks or bulletin boards. On these “virtual bulletin boards,” an organization can make accessible to target populations the information they need to make decisions and perform administrative, operational, or other functions. For example, one very common intranet (internal company Internet) application is to provide a central “forms page” on which employees find the most current version of a form to be downloaded and printed for everything from payroll deductions to medical reimbursements. Another use is to front-end a database in which is stored information that must be accessible to a widely dispersed population of users or broad cross section of Internet travelers.
Currently the most common and growing destination for the Internet traveler is the business or government agency Web site. For the Internet traveler, Web sites are a combination of superhighway billboards, banks, shopping malls, rest stops, and even fast-food delivery services. All of these services as well as hundreds of others can be found located at the on- and off-ramps to the Internet.
These Web sites are used by businesses for advertising, public relations, and marketing, as well as to sell or deliver products or services to Internet travelers.
Web sites may contain and dispense government information concerning everything from how to prepare and submit forms, to descriptions of the most wanted criminal fugitives, to recruiting advertisements for future employees. Even the most secretive U.S. government agencies such as the Central Intelligence Agency, the National Security Agency, and others have established Web sites that provide useful information to Internet travelers.
Business and government agency Web sites are often the targets of miscreants, juvenile delinquents, and other Internet robbers. Successful attacks against these Web sites can be disruptive and destructive of the reputation of the sponsoring organization. Therefore the protection of the Web site should be an important part of the business or government agency plan for using this technology.

Changing Criminal Justice Systems

Thus far, it appears that information protection will increase in importance. If so, the world’s criminal justice systems and processes undoubtedly will also be affected. The question is, will they change for the better or for the worse? If the United States is any indication, they will worsen. Why, in such a technologically advanced country? Ironically, technology brings with it rapid social change as well.
One may wonder, what is the impact of the criminal justice system on the cyber security officer and cyber security. The answer is simple: The people who steal business or national secrets; damage, destroy, or modify information and systems; and commit other criminal acts are the main reasons the cyber security officer and information protection program exist. After all, if no one violated laws or company policies, and everyone protected information and systems, why would businesses or government agencies need a cyber security officer or an information protection program?
At some point in your career, you will become involved in a high-technology crime investigation and thus will become actively involved in the criminal justice system. You must understand how that system operates, or you will not only be at a disadvantage, but probably disappointed as well!
In the global marketplace that your company undoubtedly works in and is affected by, you as the cyber security officer must understand the international and foreign nation-state laws that have an impact on your business, especially those related to privacy and security. For example, your company may operate in a foreign country. If so, that country’s government may not allow the encryption of transmissions through their country. If this is the case, do you violate that law, understanding its entire ramifications, to protect company secrets, or do you not encrypt and understand the risks of others reading the “company mail”?
As society embraces the Third Wave, as described by the Tofflers, it does not wait for the two prior waves’ processes to catch up. Thus, one can see the continuing trend of a disintegrating U.S. criminal justice system in which crime increases faster than the criminal justice system can deal with it. More discretionary arrests, plea-bargaining prosecutions, overburdened court systems, and the release of convicted criminals from jails and prisons are indications of this change to a Third Wave society. We seem to be trying to use Second Wave criminal justice system processes and functions to handle Third Wave problems, and it does not seem to be working.
One of the disadvantages of being a leading technology-based country such as the United States is that one does not have the opportunity to learn from the mistakes of others who are more advanced. This is an extremely important point, especially when discussing the criminal justice system, because the criminal justice system is the primary system responsible for the prevention of crime and the promotion of social stability of a nation.
If a nation is to be strong economically to compete in the world, it must have stability in which businesses can operate and people can have a secure and peaceful life. Lack of security and peace leads to increases in crime. It follows that high-technology crimes would be likely to increase. In addition, without a good criminal justice system, frauds and other crimes not only will be more frequent, but also will sap the economic strength from the people, businesses, and the country.
We know that technology is increasing at a rapid rate. Computer-based technology has become a necessary and integral part of businesses, government agencies, and our personal lives. No longer can we efficiently function without the use of today’s modern, computer-based technology.
As with any tool, computers, including telecommunication systems, can be a target or used as a tool by criminals, also known as techno-criminals. The threats to society, businesses, and government agencies by techno-criminals are increasing as our technology and our dependence on technology increase.
The techno-criminals, vis-à-vis the world’s criminal justice systems, are also faced with a system that provides them some measure of immunity to techno-crimes. For example, the attacks against U.S. computer systems are becoming more internationally oriented. Today’s techno-criminal can attack any place in the world from any place in the world.
What is worse, because of our complicated communication systems, it is difficult to trace the attacks back to the attackers. Also, many countries’ laws do not even address the issue of techno-crimes, making it almost impossible to prosecute anyone attacking a U.S. computer from outside the United States. And because of the political ramifications alone, extradition of these attackers to the United States, or any other country, for prosecution is a complicated and generally impossible task! After all, what nation-state wants to give up sovereignty over its citizens?
For the cyber security officer, it is imperative to understand the criminal justice systems of the United States and other countries in which the company or government agency does business. The problems with the criminal justice systems, conflicts, and changes, will continue to be an underlying force whose impact on information protection functions will extend into the twenty-first century.
The fact that white-collar crimes, frauds, are being perpetrated more and more through the use of computers and telecommunications systems seems to be an obvious result of the rapid changes in societies and our reliance on information systems. This is understandable, as alluded to earlier, because what once was done by paper and pencil has now been automated, for example, accounting systems. Therefore, although today’s criminals have the same motive as in the past, they must now operate in a new environment, a technological environment. If criminals want to steal money, they must use and attack information systems. To paraphrase an old-time bank robber: “Because that’s where the money is!”
Since it appears that more crimes are being committed by using the computer as a tool to attack other computers, and that trend is likely to continue, the cyber security officer’s responsibilities include an information protection program, which will assist in minimizing the opportunities for frauds and other crimes through the systems. If such crimes do occur, it is expected that the cyber security officer will play a vital role in the investigation and in any disciplinary action or prosecution of the offenders—thus offering another challenge and opportunity to the cyber security profession.

The Human Factor

With all the talk of high technology, the need for information protection, computer crimes, and the like, there is one important factor to remember. It is the human being who uses the tools for good or bad purposes, and it is the human being whom the cyber security officer often loses sight of when trying to protect information and high technology.
Yes, it is true that for the cyber security officer to be successful, that person must understand not only information systems—computers and their associated networks—but also other forms of high technology, for example, cellular phones, faxes, and pagers. However, one must never lose sight of the human element—usually the most neglected factor in information protection. To be sure, one talks about information protection awareness programs, but the human factor must be addressed in more detail and given more emphasis if the cyber security officer is to protect information.

Laws, Regulations, Standards, and Legal Issues

There are many laws and government regulations such as those related to protecting the stockholders’ interests in publicly traded corporations in which you may work. There are too many of them to discuss here, except to say that just because a law or regulation exists, it does not mean that the entity where you work is complying with them. Therefore, it is important to determine what the laws are, and to do so, one should develop a working relationship with the corporation’s legal staff.
After all, you must be in compliance with the laws, so obviously, you first must know what they are. In addition, knowing them and working with the legal staff will help support your case to executive management when you show the connection of why you are running a cyber security program or particular parts of it. You should be able to get the legal staff to support your case by having them explain what happens when you do not safeguard the corporate owners’ assets. Yes, assets protection insurance is one way to handle risks; however, the corporation must still be in compliance. An insurance corporation should obviously demand it, as security would still be required.
As the cyber security officer, you should search the Internet and identify such laws and regulations. There are also international standards to consider. Know them and implement them in a cost-effective manner using risk management/risk analyses methodologies.
ISO/IEC 2700111 is the international standard for information security management. By implementing the standard, organizations can identify security risks and put controls in place to manage or eliminate them, gain stakeholder and customer trust that their confidential data are protected, and help achieve preferred supplier status, helping to win new business.
Another example is from the National Institute of Standards & Technology (The Framework Core):
The Framework Core is a set of cyber security activities and references that are common across critical infrastructure sectors organized around particular outcomes. The Core presents standards and best practices in a manner that allows for communication of cyber security risk across the organization from the senior executive level to the implementation/operations level. The Framework Core consists of five functions—Identify, Protect, Detect, Respond, Recover—which can provide a high-level, strategic view of an organization’s management of cyber security risk. The Framework Core then identifies underlying key categories and subcategories for each of these functions and matches them with example informative references such as existing standards, guidelines, and practices for each subcategory. This structure ties the high-level strategic view, outcomes, and standards-based actions together for a cross-organization view of cyber security activities. For instance, for the Protect function, categories include Data Security, Access Control, Awareness and Training, and Protective Technology. ISO/IEC 27001 Control A.10.8.3 is an informative reference that supports the subcategory “Data during transportation/transmission is protected to achieve confidentiality, integrity, and availability goals” of the Data Security category in the Protect function.

Summary

To be a successful cyber security officer, you must:
Understand today’s world of business, politics, various cultures, people, threat agents, technology—in other words the world of external forces that have an impact on your working world.
Understand your corporation or government agency and its culture, people, policies, laws, regulations, international and nation standards, procedures, attitudes relative to cyber security, systems, processes, political dynamics—everything there is to know about your government agency or corporation.

1 Sandy Nichol is a freelance editor based in the United Kingdom.

3 This information was taken from the author’s coauthored book, Internet Robbery: Crime on the Internet, published by Butterworth–Heinemann.

4 The time of the agricultural period varies by progress of individual nations.

5 As with the Agricultural Age, dates vary for individual nations.

6 “Information Superhighway: An Overview of Technology Challenges.” GAO-AIMD 95-23, p. 12.

7 See the book I-Way Robbery: Crime on the Internet, published by Butterworth–Heinemann, 2000, and coauthored by Dr. Gerald L. Kovacich and William C. Boni, for more details about the Internet and criminal activities.

8 Ibid., p. 11.

9 Software that simplifies the search and display of information supplied by the World Wide Web.

10 Although based on actual cases, the names have not been used because, as of this writing, the cases are still being adjudicated through the criminal justice process.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.221.18.145