Geneva Security Forum

GSF07: Small links, big risks, quantum crypto and other miscellaneous security considerations

The first Geneva Security Forum took place last week. I was moderating several sessions, so no liveblogging. Here are my (scattered and fragmentary) notes.

Alyson Bailes (director SIPRI): "When dealing with risks the human brain is not good at getting priorities right -- that' s why we focus on shorter, more fashionable risks".
How do you prioritize? "People are the answer. A good personal security culture is going to stop a lot of natural and casual risks, and give us a stronger position to deal with man-made ones. Integrated solutions: we should cyber-defend Estonia, but also my personal computer against spam and viruses -- that would make the whole system more secure".

Brian Jenkins (RAND Corp): Since 9/11 in the US we find it difficult to make a distinction between the risk to the community (large-scale threats) and the risk to the individual (the average American has 1/7000 chances of dying in a car accident; 1/18000 of being a victim of a homicide; 1/650000 of being involved in a terrorist attack: "so we are not living in peril, as individuals, as a consequence of terrorism").
There is a change in the way we analyze threats. Traditional analysis is based on an assessment of your enemy's capabilities, which are easily quantifiable. With terrorist networks instead, there is a great deal of uncertainty, so we do vulnerability analysis (how vulnerable are our energy systems, airports, ports, etc), postulate an attack, and then evaluate worst-case scenarios. That's a legitimate form of analysis to evaluate the consequences of an attack and figure out how to respond, but these are not good substitute for assessment. Moreover, the fact that all of this is discussed in public turns politicians into champions of their specific threat, and this starts a competition of threats, leading to a sense of alarm, complicating intelligence, possibly inspiring terrorists, etc. Over time this cranks up in a society irrational levels of fear, and leads to bizarre allocations of security resources.
Today's threats do not match how we have organized our societies politically and economically to do business. Cyberterrorism and epidemics don't know borders. But nobody gives up sovereignty easily. Instead of cooperation, we see proliferation of perimeters, wall building, the recreation of a medieval society, not with castles and towers but with security-driven protections at national frontiers or within nations, an enclavisation of societies within them.
Risk = threat + vulnerability + consequences. But right now we have an overweight on consequences (because they are easier to assess), which makes it difficult to price risks and prioritize.
We should move from the traditional reactive approach (law-enforcement approach) to a proactive approach. But in democracies we don't have a well developed corpus of law for dealing with intent. At what point does intent (to kill, to terrorize) moves out of the realm of free speech and becomes a crime that requires the intervention of the state? The only answer we have now is that of avoiding extrajudicial action, keeping things within the judicial space, having oversight,

Mike Ryan (WHO head of epidemics): The current major epidemic risk is avian flu.
If we look at the history of disasters and wars, most of them are local, geographically identified events, where help can arrive from outside. If you think of a global pandemic, that's a totally different scale. The preparedness/response ot the health impact of a pandemic is one thing; the societal preparedness is something we have never truly dealt with at a global scale (if large numbers of people can't get to work; if politics needs to respond to panic; etc). Ten years ago we believed that having information was an advantage; today everybody has the information, the real challenge is understanding which piece is relevant, is finding sophisticated ways to process it fast: analyze, assess, and respond.
(BG: see INSTEDD; and WHO is working on an early alert system using mobile phones, probably SMS, but many questions are open, such as how to establish the credibility of the source).

Alain Deletroz (VP, International Crisis Group): Five pillars of post-conflict reconstruction and lasting peace-building: 1) a peace agreement that's seen by all parties as accommodating their needs, that can be seen as a starting point and not an ending; 2) very good transition mechanism that inspires confidence to all parties and the international community; 3) a real truth and reconciliation process -- every country has to invent its own process: if you try to get a peace without exposing the facts and the doers, resentment in that society can remain. Best example of course is South-Africa; 4) real commitment from the international community; 5) an ambitious state-rebuilding program (rule of law, security and judiciary reform).

Thomas Tighe (DirectRelief): Markets work when they can work, where there is money to be made. But maybe a third of humans are in places where market forces won't work, so the expectations that the market will come in and develop is false. There are many places where the market fails.
(BG: DirectRelief works on getting medical supplies and drugs to clinics that are "off the grid" -- too far, too isolated, too off-the-market).

Stefan Wolff (University of Nottingham and author): What is emerging as one of the major new security threats: it's not longer just about international terrorism or just about organized crime or just about human security. There is now in many parts of the world an increasing conflagration between these three types of security challenges. This exposes our inability to think more comprehensively about security.
The incapacity to contain ethnic conflicts creates enabling environments for organized crime -- which in turn provides incentives as well as resources for many of the conflicts we see around the world today.

Abdulaziz Sager (Gulf Research Center Dubai): One of the indirect effects of the Irak war: the neighboring countries have been forced to come together (ministers, intelligence agencies) and work together.

Carlos Moreira (Wisekey): "There is an emerging digital identification divide, which is much more serious than just the digital divide. The digital divide was about connectivity. But if you want to participate in the network economy in an active way, you need identification/trust".

Christian Buchs (HEIG) and Oliver Ribaux (UNIL) want to receive more spam. They are working on a tool to track and trace the "Nigerian internet scam" e-mails (the messages you get asking you for help in transferring big sums of money out of a developing country, against a commission) and the online check frauds or other investment frauds. The system will be up and running in October.

Mikko Hypponen (F-Secure): The online population of Asia is currently 389 million (with a penetration of 10%), Europe 313 (39%), North America 232 (69%), so it's gonna be an Asian Internet very soon.
Hackers are turning into attackers, becoming more sophisticated, doing it for money rather than for fame. They want to turn viruses into cash. Many forms: spam, denial-of-service extortion, credit card number/email address/password theft, targeted attacks (industrial espionage). Latest: theft of passwords to poker sites (they steal your password then play -- badly -- against their own account, and of course the latter wins, and it looks as if you lost during a normal game: "the money is good, and nobody gets caught").
"Spam is like cockroaches: you can try to limit the problem, but it will never go away".
"People are still worried that a virus will come and destroy their data. Today that never happens, viruses are not destructive anymore, the last destructive virus we saw was one year ago: there is no money to be made in destroying data".
Where are attackers coming from? Mostly USA, China, Brazil and former URSS.

Kelly Richdale (A4vision), Jurgen Junghanns (Interflex), Philippe Niederhauser (Fastcom), Jean-Pierre Therre (Pictet): At Swiss private bank Pictet in Geneva -- founded in 1805 -- they've implemented a cardless, keyless, pinless security system based on biometrics for their new headquarter (about 2000 employees). The four speakers alternate in explaining the various pieces of the system, which has been "live" for over 8 months now. Pictetbiometrics There are three circles of identification: outdoors/supervised area (parking lots etc) is checked through automatic car plate recognition; indoors/security area, and to segregate access between different areas within the building: 3D face recognition (see picture); indoors/high security area (vaults, data centers etc): iris scanning, combined with anti-tailgating tech (avoid that a second person walks in closely following an authorized person). Key principle: purposeful limitation. Requirements for an ideal biometric system: universality, uniqueness, permanence, collectability, acceptability. On this last point, they have done alot of explaining to employees ("dimistify biometrics"): three most asked questions: is there any health risk in the use of biometrics? Can biometrics detect illnesses or addictions? What's the situation as far as individual privacy is concerned? Pictet is working on extending the system to access to documents and computers. Clients and visitors of course have a separate entrance and reception. Questioned by an auditor, Thierre states that the data about movements of employees within the building are not used to monitor their work.

Patrick Amon (EPFL): Information technology is becoming pervasive, and that has consequences. Because more and more systems are connected to networks and managed via networks, the theoretical risk of losing your Internet connection is morphing into the possibility of losing your water or your electricity. Does anyone still understand the whole complexity of the systems? To a large extent: no.

Nicolas Gisin (University of Geneva): There are two things that everyone should know about quantum physics: 1) this is the only physics that is not deterministic, it is random: we can use this characteristic of nature to produce random numbers. 2) Non-locality: according to quantum physics, the same random event may manifest itself in several places; this is of immediate potential for cryptography, it's like getting a code. The existing encryption techniques are based on mathematics: a code is "unbreakable" because it takes too much computational power to break it. But theoretically, an algorithm to factorize efficiently large numbers could exist, we just don't know it. If someone tomorrow publishes such an algorithm, it would stop the whole world economy immediately (because all data would be wide open). Quantum cryptography is an answer, but quantum computers are a threat: if a quantum computer is developed (order of magnitudes more powerful than current computers) it would be easy to crack current codes. For what we know, criminals may be storing encrypted data that they can't use, waiting for a quantum computer to come along -- in a decade or two? -- to decrypt it all. Conventional cryptology is OK for data with limited value or limited shelf life.

Cédric Renouard (Ilion Security): The attack on the public and private e-infrastructure of Estonia in April and May may have been led by a government, but it was a very simple attack: massive, non-destructive, more a demonstration than an attack from a technical point of view. But still very efficient (there was real disruption - see previous posts). Ilion performs "ethical hacking" -- trying to penetrate sensitive systems such as power plants, financial networks, etc, to spot the weaknesses. Call it "pragmatic risk assessment". "Hackers can break anywhere with time and money". Systems are not well protected, and security holes are often underestimated. He recalls a company where there was separation between the internal network and the Internet, but Ilion found a website that was dynamically updated with information coming from the internal system, he asked their IT people and the reply was: "oh, it's just a small link, it's OK". He tells of a recent trip to Russia where he visited cyberpirates that "are organized like real companies, with big offices and R&D etc, and benefit from significant levels of immunity".

Author Simon Singh closed the conference with a keynote on the history of cryptography.