Cybersecurity frameworks - Zimmer frames for organisations

Jack Whitsitt’s great new #NISTCSF B-side looks much better than the NIST effort, but it also has, at least in my view, one glaring issue. It places risk management in the wrong section and thus it propagates the notion that risk management is a reactive function delegated to a tactical area of the organisation. What I like about the framework: it includes the business objectives as the driver and the framing of the work; it puts the external environment where it sits, atop most other things; it shows that security, whilst important, isn’t the guiding force but just another sub-component; it is simple yet powerful. What I don’t like about the framework:

Bitcoin, financial cryptography and payment systems

Ian Grigg’s Financial Cryptography blog (FC) is one of the best sources on (alternative) payment systems. In terms of calling out risks and issues with the Bitcoin currency and market, Ian Grigg’s papers have been a hit and a miss. Bitcoin and Gresham’s Law has been thoroughly beaten by the Bitcoin mining crowd that has kept up to date with technology advances and didn’t focus solely on the potential economic issues of the emerging market. Despite the technology making the main point of the paper moot, it is still a good paper to read.

Intelligence Chinese style (part 1)

Too often we hear about the “Chinese threat”, which generally makes the Chinese army and polity seem like a monolithic structure: to the (uninformed) outsiders, the journalists covering the issue, and too often to the cyber security experts, China is a well-organised single entity - a hivemind if there ever was one in human history. That this kind of thinking beggars belief on even slightly closer examination just goes to show how well the spectre of the “Chinese Threat” has been sold to the general populace.

FISC and DoJ lift some of the gag order on providers

The “IC On The Record” Tumblr blog, or “I Con The Record”, depending on how you want to read it, posted this fine example of bureaucratese: As indicated in the Justice Department’s filing with the Foreign Intelligence Surveillance Court, the administration is acting to allow more detailed disclosures about the number of national security orders and requests issued to communications providers, the number of customer accounts targeted under those orders and requests, and the underlying legal authorities. Through these new reporting methods, communications providers will be permitted to disclose more information than ever before to their customers.

When you use ordinal scales ...

… you are committing a cardinal risk management sin. Of course that doesn’t stop people from continuing to do qualitative risk assessments, and there’s absolutely nothing wrong with that so long as there is no comparison between the risks. If you use qualitative risk assessment you cannot compare assessed risks. The reason for that lies in the ordinal scale that is typically used: The example above is exaggerated slightly to prove a point: whilst you would generally expect a value of 4 to be double that of 2, this doesn’t work once you start using purely ordinal scales.

CrowdStrike strikes gold with journos that don't check facts

It was with great interest that I read this article on Reuters (home to serious news most of the time) on the latest threat intelligence report. You can never have enough threat intelligence. But you can have more than enough cruddy and ruddy hearsay, fiction, and fortune-telling that passes itself off as threat intelligence. Let’s have a look at what the masters of spin produced this time. First off is the outlandish quote:

> A U.S. cybersecurity firm says it has gathered evidence that the Russian government spied on hundreds of American, European and Asian companies, the first time Moscow has been linked to cyber attacks for alleged economic - rather than political - gains.

My thoughts on WEF's Global Risk Report 2014

(I’m limiting this short review to two main subjects that I feel I know enough about to comment on. In the rest I’m a dabbler, and I don’t get paid to have serious opinions on them. And the last thing the world needs is yet another armchair general know-it-all.) First, before you read the rest of the Global Risks Report 2014 (GRR14) you really need to keep the following paragraph in mind. Mostly because the majority of the outlets will blindly quote the GRR without also providing this disclaimer.

What's an intelligence service to do? (If I were FSB)

The narrative that Snowden was an FSB asset is gaining traction in the mainstream media, ready for new soundbites and, more importantly, for a different narrative that the audience isn’t getting bored with. Cue the omnipotent, yet still second fiddle to the good guys (this is a Hollywood story, folks), supervillain: the FSB. According to the new narrative Snowden never worked alone, never talked a number of other NSA analysts and staff into giving him their username and password. Oh, no. He wasn’t just another disgruntled government employee that got emboldened by the leaks by Manning to WikiLeaks.

China's Crackdown on Cyber Activism

To argue that one case led to the abolishment of either system is as simplistic as it is to argue that online activism is capable of having influence without corresponding offline activities. While most online activity is unsuccessful at achieving results like those just described, the importance is arguably not merely in the specific cases or their consequent effects but in the way Chinese civil society has engaged online to investigate or pressure government behavior in a system without rule of law.