WRITTEN ON April 11th, 2008 BY William Heath AND STORED IN Foundation of Trust, What do we want?

Thanks to my good mate JJ I’ve been invited to an interesting-looking session in Berlin looking at “security & society”. I’m looking forward to it, and wondering what sort of homework to do. Our hosts have sent over some facts to get us thinking. It’s worked. They’ve got me thinking. Whaddyerreckon?

Security and Society Index
The below is a cross-section of statistics to provide context for some of the key issues on the topic of security.

Personal Security
Closed-circuit television (CCTV) cameras in public places in the U.K.: 5 million
Average number of times a Briton is filmed on CCTV in one day: 300
Crime reduction in UK credited to CCTV: 5%
Americans using the same password for most online accounts: 63%
Average number of people with access to a patient’s records during a hospitalization: 150
Computers that are daily controlled by malicious bots: 40%
Unique samples of malicious software discovered in 2007: 5 million
Increase in number of unique samples of malicious software over 2006: 5X
Average time before an unprotected online computer becomes infected with a virus: 20 minutes
Hours of victim’s personal time required to reclaim stolen identity: 600

Commercial Security
Personal-data records compromised by security breaches last year: 162 million
Total arrests made in conjunction with these security breaches: 19
Cost to companies per compromised record last year: $197
Estimated cost of all compromised records last year: $32 billion
Size of the worldwide security software market in 2007: $9.1 billion
Growth rate of security costs over IT budgets: 3X
Total losses worldwide due to phishing attacks last year: $3 billion
Estimated cyber crime market size: $100 billion
Global mobile operators hit by mobile device infections last year: 83%
IT executives who do not monitor their databases for suspicious activity: 40%
Organizations worldwide that have separate information security departments: 27%
Cost of corporate espionage to the world’s 1,000 largest companies: $45 billion
Corporate security breaches perpetrated by employees or contractors: 70%

Societal Security
Number of people crossing national borders every second: 25
Average Foreign Direct Investment loss due to increased risk of terrorism: $16 billion
Potential economic impact per 100,000 persons of a bioterrorist attack: $26.2 billion
Cost to vaccinate 100,000 people against such attack: $16.3 million
Total costs per 100,000 lives caused by all natural disasters worldwide in 2003: $22 billion
Annual number of people given terrorist risk-assessment scores by the USA’s Automated Targeting System: 431 million
Accuracy of Automated Targeting System: 99.9%
Annual number of false alarms by Automated Targeting System: 431,000
Reduction of Middle East & South Asia’s Internet capacity due to damaged undersea cable: 70%
Duration of YouTube.com’s global outage due to interference by Pakistani government: 2 hours

What I want to take to Berlin is a good set of facts but above all the right frame of mind to have a constructive discussion about the ideal way to get to a secure e-enabled society. There’s more to it than I can yet see here. There’s a load more as well:

Security & Society – Reading Resources
Excerpts and links to relevant articles

Security: Power to the People
By: John Robb, Fast Company: March 2006 Issue 103, © 2007 Mansueto Ventures LLC. All rights reserved.
http://www.fastcompany.com/magazine/103/essay-security.html

The next decade holds mind-bending promise for businesses. Globalization is prying open vast new markets. Technology is plowing ahead, fueling–and transforming–entire industries, creating services we never thought possible. Clever people worldwide are capitalizing every which way. But because globalization and technology are morally neutral forces, they can also drive change of a different sort. In short, despite the aura of limitless possibility, our lives are evolving in ways we can control only if we recognize the new landscape. It’s time to take an unblinking look. We have entered the age of the faceless, agile enemy.

From London to Madrid and Nigeria to Russia, stateless terrorist groups have emerged to score blow after blow against us. Driven by cultural fragmentation, schooled in the most sophisticated technologies, and fueled by transnational crime, these groups are forcing corporations and individuals to develop new ways of defending themselves. The end result of this struggle will be a new, more resilient approach to national security, one built not around the state but around private citizens and companies. That new system will change how we live and work–for the better, in many ways–but the road getting there may seem long at times.

“The Hallmarks of a Totalitarian State”
By Josh Ward, Der Spiegel, March 27 2008
http://www.spiegel.de/international/germany/0,1518,541025,00.html

Germany’s high court has declared laws enabling British-style total surveillance of drivers illegal. Privacy advocates and commentators applaud the ruling, but they ask if the court is trying to stop the laws from snowballing into a police state — or just water them down.

Germany’s Federal Constitutional Court declared Tuesday that laws allowing police to indiscriminately scan license plates using electronic surveillance devices and match them against databases kept by law enforcement and state officials were unconstitutional — at least if strict provisions weren’t placed on the practice.

This decision is the second large privacy decision handed down by the court in recent days. Less than two weeks ago, the court ruled that spying on personal computers and online activity violates the right to privacy and was therefore, in most cases, unconstitutional.

This has done nothing less than establish a new “fundamental right” for the 21st century, according to German observers.

Strategies against Industrial Espionage – Manager Lounge in Munich
By Renate Lüdke, manager-magazin.de, February 5 2008
http://www.manager-magazin.de/koepfe/karriere/0,2828,533148,00.html

German companies suffer from losses of over eight billion Euro each year through industrial espionage. Approximately half of all German companies, especially small and medium businesses, have been affected by data theft in the past two years. “Germany as world champion for high-tech export is highly eligible for industrial espionage,” warns security expert and EU consultant Felix Juhl in the context of this year’s first local manager lounge in Munich.

Defending oneself against espionage is difficult, but not impossible. First, it has to be detected, however, which is not always that simple. It often only becomes obvious when original and plagiarized product clash at trade fairs; or if the copied product fails – such as medication with life-threatening components or faulty technology in cars.

A good prevention strategy is paramount. Firewall, antivirus programs and PIN-secured printers are a good start. But one should also know that printers can save up to five gigabytes of data, shredders can have integrated scanners, meeting rooms can be wiretapped from as far as 70 meters, and there are giveaways which are made to spy on you.

Aggressors Enter through the Data Cable
By Thorsten Riedl, Süddeutsche Zeitung, March 27 2008

Viruses, worms, Trojans, armies of remote-control computers for mail attacks: The criminals’ creativity is boundless. And according to experts, they attack business computers more often than ever in order to make money. They blackmail companies by threatening to shut down data services or internet sites or they steal information electronically. Especially mid-market companies, who do not have sufficient IT-specialists, lack awareness for such risks. Therefore, it is important to sensitize all employees.

While the programming of virus programs used to be a boasting of technical skills – often amongst youths – the tools are much more intricate now and the goal is to make money. Many cases where money was lost never become public because people are scared that this will have more negative effects. But every now and then, there are big cases such as when Russian hackers shut down the internet sites of several Estonian institutions for several days, for example the biggest bank of the country.

Apparently, one third of all betting agencies pays protection money because otherwise, their websites are bombarded with inane inquiries which make the companies’ computers crash. Thus, customers cannot get in contact with the system and the companies’ existence is endangered.

Interview with Udo Helmbrecht, President, German Federal Office for Security in Information Technology:
The German Federal Office for Security in Information Technology advises small and medium businesses (SMBs) to make sure that their data is secured adequately, both physically and technically. Many SMBs are not aware that their know-how in industries such as defence, electronics, optics, aerospace, energy, environment or automotive makes them a prime target for attacks, especially from Asia and emerging markets.

It has become easier than ever to spy on companies. While data had to be copied and smuggled out of the company in former times, it can now be carried out on a little USB-stick. Plus, people are not aware that e-mails are about as safe as postcards if they are not encrypted. Therefore, it is important that companies, especially SMBs, become aware of the fact that IT-security is top priority.

Your World. . . Hacked
By: Stephanie Overby, CIO Magazine October, 2007 Copyright 2008 IDG Communications
http://www.cio.com.au/index.php/id;1084457046;fp;4;fpid;51238

As your business becomes more collaborative and global, the risks to your company’s trade secrets rise proportionally. Fortunately, there are new strategies to protect the data that allows you to compete.

Most IT organizations approach the risk to IP the way they approach all IT security: focusing on the corporate perimeter and developing security tactics and policies from the system level up. Instead, CIOs must take a top-down approach. What’s required today is a counterintelligence mind-set that assumes someone, somewhere, wants your data, along with multiple layers of defense to thwart would-be cyberspies and respond when (not if) they get through your defenses.

In today’s global economy, the number of insiders within any organization has increased dramatically if you count external partners among them. “Organizations now have to deal with employees connecting from home offices, the local Starbucks and shady hotels,” says John Bumgarner, research director for security technology at the US Cyber Consequences Unit. “They also have to deal with business partners and customers having access to their networks via VPNs, dial-up connections and Web portals, any of which can be used to compromise the organization’s resources.”

The vast majority of IP loss incidents are simple errors: posting information to externally facing Web sites wrongly assumed to be protected or including confidential information in a reply to an e-mail that includes external recipients. The most successful hacks, says Bumgarner, occur because attackers get lucky, stumbling across vulnerability while scanning thousands of IP addresses. But the most dangerous attacks are deliberate.

Without a clear idea about which IP assets most need protecting, CIOs may put their security dollars in the wrong places. But as with cybercrime generally, perimeter defense goes only so far. Companies need a cyberdefense strategy that is multilayered with different types of protection at each layer.

One strategy, called “defense in depth”, derives from the military technique for slowing down rather than trying to stop the advance of an adversary. The model applies when the question is not if, but when, hackers will break in. “If you reinforce one area, [attackers] will look to another,” says James Lewis, director and senior fellow with the Centre for Strategic and International Studies. “The job is to reduce the chance that they’ll be able to get in.”

Learning to Live with Big Brother
From The Economist print edition, Sep. 27 2007, Copyright © 2008 The Economist Group. All rights reserved.
http://www.economist.com/world/international/displaystory.cfm?story_id=9867324

Look at the new technologies for collecting personal information, and the dangers of abuse.

These days, data about people’s whereabouts, purchases, behavior and personal lives are gathered, stored and shared on a scale that no dictator of the old school ever thought possible. Most of the time, there is nothing obviously malign about this. Governments say they need to gather data to ward off terrorism or protect public health; corporations say they do it to deliver goods and services more efficiently. But the ubiquity of electronic data-gathering and processing—and above all, its acceptance by the public—is still astonishing, even compared with a decade ago. Nor is it confined to one region or political system.

Across the rich and not-so-rich world, electronic devices are already being used to keep tabs on ordinary citizens as never before. Closed-circuit television cameras (CCTV) with infra-red night vision peer down at citizens from street corners, and in banks, airports and shopping malls. Every time someone clicks on a web page, makes a phone call, uses a credit card, or checks in with a microchipped pass at work, that person leaves a data trail that can later be tracked. Every day, billions of bits of such personal data are stored, sifted, analyzed, cross-referenced with other information and, in many cases, used to build up profiles to predict possible future behavior. Sometimes this information is collected by governments; mostly it is gathered by companies, though in many cases they are obliged to make it available to law-enforcement agencies and other state bodies when asked.

What does seem to worry people is the sheer volume of information now being kept on them and the degree to which it is being made accessible to an ever wider group of individuals and agencies. The government is now developing the world’s first national children’s database for every child under 18. The National Health Service database, already the biggest of its kind in Europe, will eventually hold the medical records of all 53m people in England and Wales.

Even more controversial is Britain’s National Identity Register, due to hold up to 49 different items on everyone living in the country. From 2009, everybody is to be issued with a “smart” biometric ID card, linked to the national register, which will be required for access to public services such as doctors’ surgeries, unemployment offices, libraries and the like—leaving a new, readily traceable, electronic data-trail.

As a series of leaks in the past few years has shown, no data are ever really secure. Laptops containing sensitive data are stolen from cars, backup tapes go missing in transit and hackers can break into databases, even the Pentagon’s. Then there are “insider attacks”, in which people abuse the access they enjoy through their jobs. National Health Service workers in Britain were recently reported to have peeked at the intimate medical details of an unnamed celebrity. All of this can lead to invasions of privacy and identity theft. As the Surveillance Studies Network concludes in its recent report on the “surveillance society”, drawn up for Britain’s information commissioner, Richard Thomas, “The jury is out on whether privacy regulation…is not ineffective in the face of novel threats.”

The Spy in Your Pocket
By Kristina Dell, Time Magazine, March 19, 2006, Copyright 2008 Time Inc. All rights reserved.
http://www.time.com/time/magazine/article/0,9171,1174705,00.html

The embrace of mobile phones has far outpaced efforts to keep what we do with them private. That has cleared the way for a cottage industry devoted to exploiting phone numbers, calling records and even the locations of unsuspecting subscribers for profit. A second business segment is developing applications like anonymous traffic monitoring and employee tracking. It’s not just the con artists who are a worry. Every new mobile-phone technology, even a useful, perfectly legal one, comes with unintended privacy concerns.

Most mobile phones are powerful tracking devices, with global-positioning systems (GPS) inside. Companies combine GPS data with information about users to create practical applications. One technology allows rental-car companies to track their cars with GPS. For about $26 a month per employee, a boss can set up a “geofence” to track how workers use company-issued cell phones or even if they go home early.

AirSage, for example, gets data from wireless carriers to monitor drivers’ cell-phone signals and map them over road grids. That lets it see exactly where gridlock is forming and quickly alert drivers to delays and alternative routes. The data it gets from carriers are aggregated from many users and scrambled, so no one can track an individual phone.

Younger Workers and Data Security
By James E. Gaskin, Network World, March 13, 2008
http://www.linuxworld.com/columnists/2008/031008gaskin.html

Smart phones, portable music players and social network addiction make for happy Millennials, but sad security officers. There are almost as many Millennials – born between 1980 and 2000 – as there are Baby Boomers. Call them the Internet Generation, Echo Boomers or whippersnappers, there’s a bunch of them now hitting the job market.

Fortune Magazine called the Millennials “the most high-maintenance, but also most high-performing workforce in the history of the world.” And they’re driving big companies with strict security guidelines crazy with their demands to use Facebook and Instant Messaging, download any new program they see on the Web, and sneer at anything not Web-enabled.

It’s one thing to have products that help you stop an employee from copying data to her iPod (and Symantec does), but another to mesh old-line security people with young “let’s all share everything and talk about it on MySpace” employees.

Inside the Global Hacking Service Economy
By Scott Berinato, CSO Online, September 2007
http://www.cio.com/article/135500/

This article details how the new criminal “service” model for hacking has developed across the globe: full-fledged e-commerce operations that are slick and accessible, with comprehensive product offerings and a strong customer focus.

Climate Change ‘Threatens’ European Security
By Tony Barber, Financial Times, March 11 2008
http://www.ft.com/cms/s/0/2b4df7fe-eef5-11dc-97ec-0000779fd2ac,dwp_uuid=70662e7c-3027-11da-ba9f-00000e2511c8.html

Climate change poses serious security risks for the European Union, ranging from sharper competition for global energy resources to the arrival of numerous “environmental migrants”, warns a report prepared for an EU summit.

The report is the EU’s first in-depth study of the impact of global warming on the bloc’s foreign and security policies. It identifies several regions where climate change appears all too likely to threaten the EU’s security or damage its political and economic interests.

“The multilateral system is at risk if the international community fails to address the threats. Climate change impacts will fuel the politics of resentment between those most responsible for climate change and those most affected by it … and drive political tension nationally and internationally,” the report warns.

National Threat Assessment
By: Michael Evans, Defense Editor, The Times, March 20, 2008, © Copyright 2008 Times Newspapers Ltd.
http://www.timesonline.co.uk/tol/news/politics/article3587101.ece

The full gamut of dangers facing Britain, from terrorist plots to disasters caused by climate change, is to be spelt out by the Government in the form of an annual national threat register, Gordon Brown announced.

A new-style civil defense network, modeled on the Second World War air-raid wardens – “but without the uniforms” – is also to be set up. Members of the public can join it to help local authorities and emergency services at a time of national crisis.

As he announced a national security strategy, the Prime Minister made it clear that he wanted the public to be more involved and better informed about the threats facing this country over the next ten to twenty years.

Robert Hannigan, the Prime Minister’s intelligence and security adviser, confirmed that as part of the attempts to be more open about security threats, the heads of MI6, MI5 and GCHQ would soon be required to give evidence in public to MPs. They will appear before the parliamentary Intelligence and Security Committee (ISC).

The Cabinet Office White Paper emphasized that the overarching aim of the security strategy was to enable “people to go about their daily lives freely and with confidence”, and with a “reasonable assurance of safety”.

5 Responses to “Is this “security & society index” the right start point for creating ideal e-enabled government?”

Ideal Gov administrator wrote on April 11th, 2008 6:01 pm :

Ian emails to say

Crime reduction in U.K. credited to CCTV: 5%

This is a West-end quality misstatement of the conclusions of the only credible large-scale criminological evaluation of CCTV effectiveness in the UK, which found that CCTV rarely has a significant effect, reducing crime in most circumstances at most by 2-3% (whereas better street lighting can reduce crime by 20%):
http://www.nacro.org.uk/templates/news/newsItem.cfm/2002062800.htm

Average Foreign Direct Investment loss due to increase risk of terrorism: $16 billion

Perhaps this could be added to Joseph Stiglitz’s $3 trillion estimate of the cost of the misadventures in Iraq.

Ideal Gov administrator wrote on April 11th, 2008 7:57 pm :

Richard mails me to give a lot of this stuff short shrift

“Average number of times a Briton is filmed on CCTV in one day: 300…”

everyone always quotes this number — and has done for years, which must mean that it no longer has a basis in fact

“Americans using the same password for most online accounts: 63%…”

“most” would cover every damn fool newspaper who thinks that they want to track their users… giving them the same “abc” password makes no difference to security. So hard to interpret if this is a scary figure or common sense by the majority of people

“Computers that are daily controlled by malicious bots: 40%…”

This is complete nonsense — most experts if pressed will give you a number between 3 and 8 percent; probably mainly towards the low end of this range. They will then tell you that they actually haven’t a clue what the number should be, and there are no studies to help.

Spyware will push the number up into double digits (possibly past 40% if you are wide-ranging in your definitions…) But that’s a different risk altogether

“Unique samples of malicious software discovered in 2007: 5 million…”

bollocks! they can’t read — this is out by a factor of about 10 (the recent Symantec report has 499811 for second half of 2007 and about 200K for the first half — but all this means is that the way that they count uniqueness doesn’t understand the trivial changes made from one version to another, so they treat similar things as different

“Increase in number of unique samples of malicious software over 2006: 5X…”

as before

“Average time before an unprotected online computer becomes infected with a virus: 20 minutes”

more bollocks! there have been so few experiments on this that an average doesn’t mean anything.

Anyway, what they mean is not “unprotected” but “with out of date software”, and I’d speculate that with the drop in online worms, the average time is probably much higher these days

“Hours of victim’s personal time required to reclaim stolen identity: 600”

I think that’s low, from the US experience…

“Commercial Security
Personal-data records compromised by security breaches last year: 162 million”

in which country ? global population 6 billion — so trivia 🙂

“Total arrests made in conjunction with these security breaches: 19…”

many of the security breaches are loss of control of laptops, leaving CDs in seat back pockets on planes etc — expecting arrests in conjunction with these isn’t reasonable — so the figure means nothing unless you set it against the number of arrests you might expect

“Total losses worldwide due to phishing attacks last year: $3 billion”

right magnitude, but if anyone actually knew where it was in the range 1.5 to 5 billion I’d be astounded

“Estimated cyber crime market size: $100 billion…”

way too high

“Global mobile operators hit by mobile device infections last year: 83%…”

this figure is likely to be 0% or 100%, I suspect the others lied to the person conducting the survey

“IT executives who do not monitor their databases for suspicious activity: 40%…”

more lies to interviewers, I’d expect it to be 4% 🙂

“Cost of corporate espionage to the world’s 1,000 largest companies: $45 billion..”

lies to stockholders

“Corporate security breaches perpetrated by employees or contractors: 70%…”

sounds low

“Potential economic impact per 100,000 persons of a bioterrorist attack: $26.2 billion”

sounds like this one was taken from a project funding pitch to the Homeland Security Agency

“Cost to vaccinate 100,000 people against such attack: $16.3 million….”

assuming one knew what to vaccinate with

“Annual number of people given terrorist risk-assessment scores by the USA’s Automated
Targeting System: 431 million
Accuracy of Automated Targeting System: 99.9%”

more project funding pitches

“Annual number of false alarms by Automated Targeting System: 431,000…”

how many were acted on, what does this figure mean

“Reduction of Middle East & South Asia’s Internet capacity due to damaged undersea cable: 70%…”

it was more than one cable

“Duration of YouTube.com’s global outage due to interference by Pakistani government: 2 hours…”

it was a technician’s cockup (albeit responding to a Government initiative) … and most of the world was back within an hour

BTW: it used to be small ISPs in Israel and Florida who caused this sort of outage — and similar ones happen every day; just not to YouTube

Karl wrote on April 11th, 2008 8:10 pm :

This does seem an unenlightened approach, but alas one so many in the world seem to follow.

Friends in Westmoreland GM ran a series of lectures about why military force is no longer appropriate (mainly because you can’t impose peace, and as such you can not ‘win’). This was a series of lectures given and then published and distributed to those in positions of power to influence them. This included giving a talk at Sandhurst after which about half the audience stayed to talk informally. All the texts of the lectures are available on their website.
http://www.preparingforpeace.org/

Also Alison Prout (alisonp [at] quaker.org.uk) in QPSW is conducting work on ‘Human Security’, which ties in the notion that if people feel their immediate safety is at risk, through lack of food and other human basics, they are more likely to create situations of instability for those of us who are not in immediate danger. This tied in with climate change affecting crop yields and the food riots which have been seen in many countries as staple prices rise.

Maybe the message is that living in a ‘gated community’ be it a few houses or western Europe is not viable in the long term and we are all in this together so we’d better look to make life at least tolerable for the others in the global village.

Ideal Gov administrator wrote on April 12th, 2008 10:23 pm :

Angela writes to say:

It looks like scaremongering to me. These figures are probably grossly mis-used and inflated.

To add to Ian’s point on CCTV:

Crime detection/resolution: The 300 crimes filmed include stuff such as urinating on lampposts and drunken brawls. When serious crimes are filmed, only in a minority of cases is what is captured and the video quality good enough to produce information that helps with the investigation. The number of cases in which relevant information is captured at sufficient quality to move the culprit to plead guilty (which does save a lot of time/effort) or use as evidence in court is much smaller. And it is usually only one piece of a set of evidence.

Crime prevention: Most violent crime has an affective or intoxication component – the attackers are not aware of CCTV, or don’t care, and by the time the crime has been detected, police have been alerted and arrive, the damage is done. Non-violent crime tends to be displaced, or attackers disguise their appearance (masks, baseball caps) and use false number plates.

Many of the other figures are meaningless taken out of context – such as

1. The total number of transactions made, and profits made, against the number of fraudulent transactions. Even if $3b is lost due to phishing, it’s a small amount of the total number of transactions made. And if the security countermeasures would cost more than the fraud, in many cases, you would just accept the fraud as a cost of doing business.

2. Even if on paper the cost of crime is higher than deploying the security measure, a) the operational cost of security (e.g. delay in business processes) is often underestimated, and b) it does not mean that deploying the security measure will make the crime vanish – it may just displace it elsewhere.

3. Spending on IT security has not risen 3x. The reference below states that IT spending has been static in the past 2-3 years, whereas spending on IT security has increased by 17%.

C. Derrick Huang, Qing Hu & Ravi S. Behara (2006): Economics of Information Security Investment in the Case of Simultaneous Attacks. WEIS (Workshop on Economics of Information Security) 06.

Very helpful stuff. Thanks all!

Jeff Jonas wrote on April 20th, 2008 4:31 pm :

Despite all of these stats – the world has become a much less dangerous place. Average lifespan in Western Europe in the late 1800s was just 37. Today the global average (including Africa) is 67! You are going to live to be older today than any time in the history of mankind.

The media has an uncanny ability to make the world look scary. Brilliant packaging and all us citizens love to watch it … so we get more of it.