Quebec Conference on Information Security
St. Hyacinthe, Quebec
April 25, 2005
Check against delivery
Good evening everyone. I am very happy to be here tonight as part of
this information security conference, although I have to admit that I
am a little nervous about addressing such an esteemed group of experts.
You will quickly realize that I am not a computer expert; I am just
passionate about security. In front of such highly qualified experts,
I feel like a mosquito in a nudist colony: I know what to do, but don't
know where to begin.
This made-in-Quebec event shows without a doubt that "La Belle Province" is
on the leading edge of new technology and emerging trends in information
security.
The number and expertise of participants here today also confirms that
there is great interest in this issue, which raises many concerns.
At the same time, it is reassuring to see that a number of key players
from the IT sector are here today because you are the ones who can really
influence the decisions being made in information security.
My presentation today will touch on the following:
- Information: the black gold of the 21st Century.
- Dependence on computer systems and information security threats.
- The first step in a broader revolution.
- Protecting information systems in the age of terrorism.
- Information security and aviation.
As President and CEO of the Canadian Air Transport Security Authority
(CATSA), information security is obviously of great interest to me. In
fact, information is key to all our activities.
We handle an endless amount of information: passenger lists, safety
directives, individuals on the black list, baggage information, list
of employees with authorized access to certain zones, etc. This information
must be protected, but at the same time it must also be available to
those who need it.
Information security is complex and difficult. It is a demanding challenge,
which has to be met 24 hours a day, 365 days a year. It also requires
the cooperation of a large number of private and public sector partners.
This only increases my interest in this area. As the head of a public
agency, it is my responsibility to understand new trends in this leading-edge
field to comfortably and quickly work with players from various areas.
1) Information: the black gold of the 21st Century
Let me begin by asking you a question: what is information? Without
going off on a long tangent on this topic, let's just say that at the
initial stage, information is a set of data, which, taken individually,
mean nothing.
When combined and analyzed, these data become facts that form logical
ideas, namely, information.
Information is therefore the basis of knowledge, concepts, thoughts,
notions, innovations and actions. Information helps us learn more about
our environment and ourselves. However, beyond this rather simplistic
definition, we should remember that our relationship with information
has changed rapidly over the last few years.
The digital technology revolution has completely transformed our society.
This revolution has been quantitative in terms of the sheer number of
computer systems, digital technologies and cellular communications that
are available today. But the real revolution has been in the quality
of the technology. It is mostly related to how we use information.1 Dramatic
changes have occurred in the way in which we receive, process, redistribute
and store information.
These significant changes have had major consequences: IT is now the
engine that powers our society. From now on, information systems will
form the basis for everything, from billion dollar financial transactions
to scanner systems in supermarkets.
Today, most financial activities depend on the seamless and continuous
flow of digital data. A leisure society may not yet exist, but the information
society certainly does. And, for better or for worse, we all depend on
information.
2) Dependence on computer systems and information security threats
This dependence on IT becomes clear when we look at the financial losses
resulting from computer-based attacks.
Based on a global study conducted by Information Week and
PricewaterhouseCoopers LLP, it was estimated that computer-based attacks
cost the worldwide economy $1.6 trillion in 2000.
In the United States alone, cyberattacks resulted in $266 billion in
losses, accounting for 2.5% of the Gross Domestic Product (GDP).2 Based
on these statistics, we need to ask ourselves some serious questions
about the effectiveness of information security.
The problem isn't limited to resulting huge financial losses. What is
even more alarming is that the number of cyberattacks continues to rise.
For example, in 2003 alone, the Computer Emergency Response Team Coordination
Center (CERT/CC) in the U.S. recorded over 137,529 computer security
incidents.3
This represented an increase of about 60% from the previous year. Since
1997, the CERT/CC has recorded an average increase of about 50% in the
number of computer-based attacks each year.
In fact, the increase in the number of cyberattacks has been so dramatic
that the CERT/CC has decided to stop collecting this type of data. According
to the organization, the exponential rise in computer-based attacks has
made the statistical work too demanding in terms of human and financial
resources.
In any case, according to the CERT/CC, too often, these numbers do not
accurately reflect reality. In fact, the organization says that this
number represents only the tip of the iceberg: most cyber attacks are
never reported to authorities!
You are probably asking yourselves, "Why don't people report cyberattacks
against their organization to authorities?" For a number of reasons.
One reason that is frequently given is the fear of having to disclose
confidential information in the event of an investigation.
In a business environment where any information leak may represent the
loss of a competitive edge over rivals, this is completely understandable.
But the most common reason given is that the organization was not even
aware that it was the victim of a cyberattack.
Although these statistics point to our vulnerability to cyberattacks,
they do not reflect the major changes that are currently occurring in
the IT world. We are in the midst of a second digital revolution that
will profoundly change how we use information systems and the face of
information security.
3) Towards an even broader revolution?
In my humble opinion, the biggest trend that will emerge in the coming
years is what we call the remote office. If you want proof, all you have
to do is dig through your pockets and your briefcases.
I am sure that most of you have a laptop, cell phone or even a BlackBerry.
Why? Mainly because you have to stay in touch with your colleagues
and superiors. You have to be ready to act in crisis situations or continue
your daily work, even if you are out of the office. You have to be able
to read your emails or even access documents from your organization's
network at all times.
We have to admit that the trend of remote offices creates new security
challenges for governments and businesses. The fact that a large number
of employees working outside the office have access to their organization's
central computer network to read their emails, for example, changes the
way we look at information security. Each employee who accesses information
remotely now represents a potential security risk for the organization's
entire computer network.
If we juxtapose this with the rapid growth of wireless networks, we
are clearly faced with a situation that could create new security weaknesses.
All employees who access a wireless network risk, to varying degrees,
putting the organization's entire computer infrastructure in danger.
This makes me think of the old adage: A chain is only as strong as its
weakest link.
In this case, an organization's computer network is only as strong as
its least secure access point.
The risks associated with wireless networks are high. A recent article
in the New York Times reported that wireless networks are a
gold mine for cybercriminals.
In fact, these networks are not only less secure than traditional wire
networks, but they also enable hackers to break into computer systems
much more easily and make it much more difficult to trace the hacker!
The proliferation of Hotspots, which are locations where the
general public can access free wireless Internet service, makes the authorities'
job much more difficult. It is not uncommon to see investigators come
up against a Hotspot, as they are often the last places that
contain clues about the cybercriminals' offences.4
So, if cybercriminals can take advantage of computer network weaknesses,
I can assure you, without a shadow of a doubt, that terrorists do the
same thing. Clearly, their goals are vastly different; cybercriminals
try to make essentially financial gains.
As for terrorists, they will take advantage of our weaknesses to launch
devastating attacks against society.
4) Protecting information systems in the age of terrorism
In the National Security Strategy to Combat Weapons of Mass Destruction,
released in December 2002, the White House indicated that, "The gravest
danger our Nation faces lies at the crossroads of radicalism and technology."5 I believe that this statement is not at all an understatement; it expresses
an undeniable reality.
When we consider the current weaknesses of information systems and the
context of the war on terror, we must continue to question the risks
associated with widespread integration of technology in our organizations.
Does our dependence on digital technology represent a weakness that
could be exploited by terrorists?
I can already hear some of you asking yourselves if cyberterrorism is
really possible or whether it is just a figment of our imagination.
Several experts in this area maintain that cyberterrorism is comparable
to little elves or the Loch Ness monster. Personally, I truly believe
that cyberterrorism could become reality.
The increasing strategic value of information systems makes them viable
targets.
Some of you will say that there are much more attractive, easier targets
for terrorists and that cyberterrorism is probably too complicated and
not profitable enough for terrorist organizations.
These arguments are certainly valid. However, I would respond by saying
that this was exactly the same line of thinking that the U.S. authorities
adopted before the September 11, 2001 attacks.
The possibility of airplanes crashing into buildings was considered.
However, this scenario was dismissed because it was considered too complicated,
even unthinkable. However, if there is one thing that I have learned
about terrorists, it is that they think of the unthinkable and make the
impossible possible.
Honestly, I have to say that I am always surprised to hear people doubting
the possibility of a computer-based attack. However, there are many real-life
examples of serious computer-based attacks. All we have to do is go back
to the cyberattack described in the July-September 2001 issue of Emergency
Preparedness Digest.
This article described how a "[...] computer hacker in Australia altered
the control mechanisms in 100 pumping stations, causing one million litres
of raw sewage to overflow."6 Hello unpleasant odors and high cleaning costs!
Although this incident may seem insignificant initially, similar incidents
have occurred that have actually put citizens' lives at risk.
Take the example of the 12-year-old boy, who, in 1998, succeeded in
taking complete control of the Roosevelt Dam in Arizona simply by hacking
into the computer system.7
His intentions did not appear to be malicious, since he only wanted
to show that he had broken into the network, but the incident could have
been quite serious had terrorists perpetrated the same kind of attack.
The paradox is that we invest tens of millions of dollars each year
to protect the visible aspects of these infrastructures, but tend to
forget about the hidden aspects of the system: computer networks.
It is not hard to imagine the resulting disaster had the floodgates
of this large dam been opened: neighbouring cities and towns would certainly
have faced serious problems.
Individually, these attacks seem to be just mere annoyances. However,
these seemingly harmless and anecdotal incidents clearly show that
it is possible to exploit computer weaknesses to cripple society.
We should not forget that terrorists could coordinate these kinds of
attacks simultaneously with more traditional attacks or other cyberattacks.
In my opinion, it is not only dangerous to ignore the very real possibility
that terrorists could use IT to attack our society; it is wishful thinking
to believe that it is impossible.
The question, therefore, is not whether these attacks will happen, but
when they will happen.
Studies on the subject clearly point to this. In The New
Global Terrorism: Characteristics, Causes, Controls, Charles
W. Kegley looks at the changes currently underway in terrorist organizations.
According to him, there are two main tactical trends that are emerging
within these organizations.8
The first one is the willingness to use weapons of mass destruction
in attacks. We've stopped keeping track of the number of reports, prepared
by various governments and research institutes that sound the alarm about
terrorists' interest in obtaining these kinds of weapons.
The second trend is the use of cyberoperations. The purpose of this
cybernization of terrorist activities is two-fold.
The first, as I have just explained, is to exploit the weaknesses of
information systems to cripple society. This is evident in a number of
studies on the subject. The second is to carry out cyberplanning, identity
theft and e-funding activities.
Al-Qaeda is probably the best example of a terrorist organization that
is looking for ways to carry out cyberattacks. In his studies on cyberterrorism,
Dan Verton points out that Al-Qaeda is using IT as a tool to study weaknesses
in critical infrastructures to launch cyberattacks.9
Just recently, the Auditor General of Canada indicated that government
computer networks were not secure.10
It is clear that these weaknesses must be addressed; the risks are too
great to be ignored, especially in the sector in which I work, the air
transport sector, where one incident is one incident too many.
The Government of Canada isn't the only one facing problems with insecure
computer networks. The United States is dealing with the same problem.
Recently, New York State released a report indicating that its computer
network was invaded 72 times over the last five years.
Without going into great detail on the impact of these attacks, what
we can say for certain is that they resulted in financial losses and
information being stolen.11
It is somewhat reassuring to know that Canada is in a better position
than the U.S. to deal with cyberthreats.
According to Charles-Philippe David and Benoît Gagnon of the Raoul
Dandurand Chair, UQAM, effective, consistent security measures can be
deployed because many critical infrastructures in Quebec and the rest
of Canada belong to the public sector. The situation is very different
in the U.S., where most of the infrastructure is controlled by private
companies in matters in which the government refuses to interfere.12
The second objective of terrorists seeking to take control of IT is
what Timothy L. Thomas describes as cyberplanning.13
In short, cyberplanning involves exploiting the digital world to increase
the effectiveness of terrorist organizations. In concrete terms, this
translates into activities such as e-funding of terrorist groups.
For example, a recent article in USA Today indicated that
it is not uncommon for terrorist organizations to finance their activities
through e-fraud14 or the sale of
child pornography.15
Another use of IT in the context of terrorist cyberplanning involves
identity theft.
Since we are closing in on these types of organizations, they must find
new ways of slipping through the safety nets.
The best way to do this is to steal the identity of individuals with
no criminal history or to create new identities using stolen documents.
For example, on Ask.Me.Com, a site that specializes in the sale of information,
we recently saw that the company's lead legal advisor was none other
than a 15-year-old fan of the television program Court TV.
The proliferation of databases and spyware is a gold mine for terrorist
groups looking to provide their members with new identities. Databases
are vast pools of information that can be stolen and used to create new
identities, while spyware can be used to collect information directly
from people's computers.
Terrorists are well aware of these techniques. They develop increasingly
effective tools to fulfill their objectives. Zombies (unprotected computers
that serve as links to carry out other attacks) are also used to steal
a large quantity of data from other computers.16
5) Information security and aviation
I am sure you now have a better understanding of why information security
is of such concern to me. Given the current context of the war on terror,
it is crucial that we identify emerging threats.
We can't allow ourselves to be overtaken by the terrorists: we must
take the lead and constantly remain one step ahead of them. We should
never forget that terrorists are resourceful and innovative!
September 11 was not an isolated incident. It is the prelude to a more
serious conflict. There will be many more battles, attacks and clashes
before calm is restored.
We must continue to be vigilant by implementing security measures that
meet today's challenges, for example. IT is obviously among these challenges.
My role at CATSA leads me to think about how terrorists could exploit
our computer system, even more so in light of the widespread introduction
of information systems in the air transport sector over the last few
years. This trend is attributable in part to the airlines' desire to
achieve workforce savings.
Check-in procedures in particular are affected by this move toward digitization.
Airlines are increasingly using computerized systems to improve ticket
management and passenger and baggage check-in procedures.
A recent article in The Economist highlighted this trend.
One of the observations made in the article was that airlines are increasingly
turning to e-tickets.
E-tickets and self-service check-in help realize substantial savings.
Self-service check-in would cost $0.16 US per passenger, compared with
the current cost of $3.68 US for a manual system.17
Continuing along these lines, telecommunication technology is being
considered to send e-tickets to passengers' cell phones. Passengers would
then just simply access the airline's computer system, confirm their
ticket purchase and their seat on the flight and then go through the
rest of the check-in procedures. Although this is a promising area of
development, this method raises a series of security issues.
For example, would this type of system be insecure and therefore vulnerable
to computer fraud?
Since it is a known fact that most databases have recurring weaknesses,
these types of questions are completely valid.
We know that, despite the fact that IT is everywhere in the aviation
sector, the possible and real risks of this computer boom are not being
sufficiently considered. And the risks are not limited to possible cases
of fraud. More serious risks are emerging in this digital wave.
For example, air traffic management systems are no doubt targets of
choice for terrorists who decide to launch computer-based attacks. Since
these systems are all completely computerized now, they are the Achilles
heel of the aviation world because they are the eyes and ears of air
traffic controllers.
A successful cyberattack against these systems would be as devastating
as a bomb going off in an airport. Granted, it would probably be much
less deadly, but the anxiety caused by this kind of attack would be just
as damaging from a psychological point of view.18
Furthermore, in-flight computer systems and management systems on the
ground are so closely linked that we need to consider whether other threats
could emerge. Is it possible that a computer hacker or a cyberterrorist
could one day take control of a plane while it is in flight simply by
attacking the air navigation system? This may sound like science fiction
now, but an evil mind may attempt to disprove the theory that this could
never happen.
We must also question the potential impacts of wireless Internet on
air security.
Passengers - especially those in business class - are putting increasing
pressure on airlines to allow wireless Internet access on planes. Once
again, the potential effects of this new technology on air traffic management
must be considered.
Could wireless Internet access interfere with aircraft and airport communications,
or worse, become the communication tool of choice between terrorists
on the ground and those onboard planes?
The answers are still unclear. But, as you can see, the remote offices
that I mentioned earlier are now a reality and are part of CATSA's day-to-day
activities.
However, when dealing with the issue of IT in the security sector, we
must realize that it is often a challenge to reconcile this technology
with security procedures. Why?
Because digital technology and security have conflicting objectives.
The new technologies are intended to enable actions, while security
looks to prevent certain actions.
Clearly, the point is not that technology hinders security. The sheer
number of computerized security systems is proof that technology can
support security. It just means that in a security context, we must be
cautious in implementing information technologies.
The introduction of new technology in any environment, particularly
in the area of security, inevitably results in consequences that, quite
often, were not fully considered. That is why we need to start looking
at these issues.
Similarly, it is a mistake to think that technology alone can respond
to today's security challenges.19
In many cases, technology can only support human activities; it cannot
replace them.
Summary
So to summarize:
1) For all the reasons I mentioned above, it is crucial
to protect information: the black gold of the 21st century.
2) Given that society is now dependent on the smooth operation of
digital technology, computer systems must be functional at all times.
This is a tedious task that requires a great deal of personal sacrifice.
In fact, this work often goes unrecognized. On one hand, security
systems are imperfect by nature because they are based on human activities,
and on the other hand, these systems can only really be tested when
there is an actual threat. Successes in this area are rarely acknowledged
or publicized. However, failures always make the front page of newspapers.
3) What we have experienced thus far is only the first phase of a
broader revolution, and you are a part of it.
Your presence here is therefore very important. In fact, it is
crucial because it underlines the close ties that must exist between
IT sector players and those responsible for security. Your expertise
is needed to better reconcile new information technologies and security.
4) I wouldn't want to be in your shoes! You are responsible for protecting
computer systems in the age of terrorism. Your work is very demanding
because you have to make existing systems - which are the targets of
attacks on a daily basis - more secure, while thinking about the security
of tomorrow's systems.
5) I am counting on your assistance and dedication to attain a high
level of excellence in information security, and because I am just
a little selfish, I ask that you look at information security in
the aviation sector in particular.
When I see the impressive group of people here in this room, I am confident
about the future. And I know that together we can improve our security
practices and attain the level of excellence necessary to meet current
challenges.
Conclusion
So, what does everything that I have been saying mean? I want to be
clear about one thing: I don't claim to have the solutions to all of
these increasingly complex situations.
A wise man once said that a leader's first job - so the job of all of
you here tonight - is to define reality. Unfortunately, the reality we
have to face in the coming years seems quite overwhelming.
Which leads me to three key terms for our motto:
Honesty
Courage
Common sense
The honesty to ask ourselves the real questions; to
say what needs to be said; to give and take sometimes harsh criticism;
and to be honest with ourselves, our colleagues and the people around
us.
The courage to Dare, Risk and Act, according to our
real values.
And finally, the common sense to take the necessary
action, while fully respecting others.
I hope that I have demonstrated honesty and courage by
telling you what is really going on in an open and thought-provoking
way.
And now I hope to demonstrate common sense by taking
my seat.
Have a good evening, and thank you very much for your warm welcome and
your attention.
1 Bruce D. Berkowitz and Allan E. Goodman, Best Truth: Intelligence in
the Information Age, Yale University Press, London, 2000, p. xi (in the preface).
2 Dorothy E. Denning, "Cyber-Security as an Emergent Infrastructure,"
Bombs and Bandwidth: The Emerging Relationship Between Information
Technology and Security. Edited by Robert Latham. New York: The New Press,
2003, p. 38.
3 Computer Emergency Response Team Coordination Center, CERT/CC Statistics
1988-2004, (web page consulted on March 13, 2005), [online], URL address:
http://www.cert.org/stats/cert_stats.html
4 Seth Schiesel, Growth of Wireless Internet Opens New Path for Thieves,
(web page consulted on March 19, 2005), [online], URL address:
http://www.nytimes.com
5 White House, The National Security Strategy to Combat Weapons of Mass
Destruction, Washington D.C., 2002, p. 1.
6 See Art Eggleton, New approach to disaster management in Canada,
(web page consulted on March 19, 2005), [online], URL address:
http://www.psepc-sppcc.gc.ca/media/sp/2005/sp20050711-en.asp
7 Gellman Barton, "Cyber-Attacks by Al Qaeda Feared: Terrorists at Threshold
of Using Internet as Tool of Bloodshed, Experts Say," Washington Post,
June 27, 2002, p. A 01.
8 Charles W. Kegley, The New Global Terrorism: Characteristics, Causes,
Controls, Upper Saddle River: Prentice Hall, 2003, p. 76-77.
9 Dan Verton, Black Ice: The Invisible Threat of Cyber-Terrorism,
Emeryville: McGraw-Hill, 2003, p. 86.
10 Office of the Auditor General of Canada, Information Technology Security,
(web page consulted on March 22, 2005), [online], URL address:
http://www.oag-bvg.gc.ca/domino/reports.nsf/html/20050201ce.html
11 Barbara Woller, Hackers Invaded State Web Sites 72 Times in Five Years,
(web page consulted on March 20, 2005), [online], URL address:
http://www.thejournalnews.com/apps/pbcs.dll/article?AID=/20050226/BUSINESS01/502260306/1066/BUSINESS01
12 Charles-Philippe David and Benoît Gagnon, "Il y a un problème avec
toutes les infrastructures critiques!," Le Devoir, Saturday, February 19,
2005, p. B5.
13 Timothy L. Thomas, "Al Qaeda and the Internet: The Danger of
'Cyberplanning'," Parameters, vol. 33, no. 1, spring 2003, p. 117.
14 John Swartz, Terrorists' Use of Internet Spreads, (web page consulted
on March 20, 2004), [online], URL address:
http://www.usatoday.com/money/industries/technology/2005-02-20-cyber-terror-usat_x.htm
15 Agence France-Presse, Russia a Major Source of Child Porn, (web page
consulted on March 22, 2005), [online], URL address:
http://cooltech.iafrica.com/technews/193119.htm
16 Robert Lemos, Zombie PCs being sent to steal IDs, (web page consulted
on March 16, 2005), [online], URL address:
http://news.zdnet.com/2100-1009_22-5616202.html
17 The Economist, "Change is in the air", The Economist Technology
Quarterly, vol. 374, no. 8417, March 12 to 18, 2005, p. 30.
18 Paul Wilkinson and Brian M. Jenkins, eds., "Enhancing Global Aviation
Security?," Aviation Terrorism and Security, Portland: Frank Cass, 1999,
p. 158-159.
19 Bruce Schneier, Beyond Fear: Thinking Sensibly About Security in an
Uncertain World, New York: Copernicus Book, 2003, p. 13.