Quebec Conference on Information Security
St. Hyacinthe, Quebec
April 25, 2005

Check against delivery

Good evening everyone. I am very happy to be here tonight as part of this information security conference, although I have to admit that I am a little nervous about addressing such an esteemed group of experts.

You will quickly realize that I am not a computer expert; I am just passionate about security. In front of such highly qualified experts, I feel like a mosquito in a nudist colony: I know what to do, but don't know where to begin.

This made-in-Quebec event shows without a doubt that "La Belle Province" is on the leading edge of new technology and emerging trends in information security.

The number and expertise of participants here today also confirms that there is great interest in this issue, which raises many concerns.

At the same time, it is reassuring to see that a number of key players from the IT sector are here today because you are the ones who can really influence the decisions being made in information security.

My presentation today will touch on the following:

1. Information: the black gold of the 21st Century.
2. Dependence on computer systems and information security threats.
3. The first step in a broader revolution.
4. Protecting information systems in the age of terrorism.
5. Information security and aviation.

As President and CEO of the Canadian Air Transport Security Authority (CATSA), information security is obviously of great interest to me. In fact, information is key to all our activities.

We handle an endless amount of information: passenger lists, safety directives, individuals on the black list, baggage information, list of employees with authorized access to certain zones, etc. This information must be protected, but at the same time it must also be available to those who need it.

Information security is complex and difficult. It is a demanding challenge, which has to be met 24 hours a day, 365 days a year. It also requires the cooperation of a large number of private and public sector partners. This only increases my interest in this area. As the head of a public agency, it is my responsibility to understand new trends in this leading-edge field to comfortably and quickly work with players from various areas.

1) Information: the black gold of the 21st Century

Let me begin by asking you a question: what is information? Without going off on a long tangent on this topic, let's just say that at the initial stage, information is a set of data, which, taken individually, mean nothing.

When combined and analyzed, these data become facts that form logical ideas, namely, information.

Information is therefore the basis of knowledge, concepts, thoughts, notions, innovations and actions. Information helps us learn more about our environment and ourselves. However, beyond this rather simplistic definition, we should remember that our relationship with information has changed rapidly over the last few years.

The digital technology revolution has completely transformed our society. This revolution has been quantitative in terms of the sheer number of computer systems, digital technologies and cellular communications that are available today. But the real revolution has been in the quality of the technology. It is mostly related to how we use information.1 Dramatic changes have occurred in the way in which we receive, process, redistribute and store information.

These significant changes have had major consequences: IT is now the engine that powers our society. From now on, information systems will form the basis for everything, from billion dollar financial transactions to scanner systems in supermarkets.

Today, most financial activities depend on the seamless and continuous flow of digital data. A leisure society may not yet exist, but the information society certainly does. And, for better or for worse, we all depend on information.

2) Dependence on computer systems and information security threats

This dependence on IT becomes clear when we look at the financial losses resulting from computer-based attacks.

Based on a global study conducted by Information Week and PricewaterhouseCoopers LLP , it was estimated that computer-based attacks cost the worldwide economy $1.6 trillion in 2000.

In the United States alone, cyberattacks resulted in $266 billion in losses, accounting for 2.5% of the Gross Domestic Product (GDP).2 Based on these statistics, we need to ask ourselves some serious questions about the effectiveness of information security.

The problem isn't limited to resulting huge financial losses. What is even more alarming is that the number of cyberattacks continues to rise. For example, in 2003 alone, the Computer Emergency Response Team Coordination Center (CERT/CC) in the U.S. recorded over 137,529 computer security incidents.3

This represented an increase of about 60% from the previous year. Since 1997, the CERT/CC has recorded an average increase of about 50% in the number of computer-based attacks each year.

In fact, the increase in the number of cyberattacks has been so dramatic that the CERT/CC has decided to stop collecting this type of data. According to the organization, the exponential rise in computer-based attacks has made the statistical work too demanding in terms of human and financial resources.

In any case, according to the CERT/CC, too often, these numbers do not accurately reflect reality. In fact, the organization says that this number represents only the tip of the iceberg: most cyber attacks are never reported to authorities!

You are probably asking yourselves, "Why don't people report cyberattacks against their organization to authorities?" For a number of reasons. One reason that is frequently given is the fear of having to disclose confidential information in the event of is an investigation.

In a business environment where any information leak may represent the loss of a competitive edge over rivals, this is completely understandable. But the most common reason given is that the organization was not even aware that it was the victim of a cyberattack.

Although these statistics point to our vulnerability to cyberattacks, they do not reflect the major changes that are currently occurring in the IT world. We are in the midst of a second digital revolution that will profoundly change how we use information systems and the face of information security.

3) Towards an even broader revolution?

In my humble opinion, the biggest trend that will emerge in the coming years is what we call the remote office. If you want proof, all you have to do is dig through your pockets and your briefcases.

I am sure that most of you have a laptop, cell phone or even a BlackBerry. Why? Mainly because you have to stay in touch with your colleagues and superiors. You have to be ready to act in crisis situations or continue your daily work, even if you are out of the office. You have to be able to read your emails or even access documents from your organization's network at all times.

We have to admit that the trend of remote offices creates new security challenges for governments and businesses. The fact that a large number of employees working outside the office have access to their organization's central computer network to read their emails, for example, changes the way we look at information security. Each employee who accesses information remotely now represents a potential security risk for the organization's entire computer network.

If we juxtapose this with the rapid growth of wireless networks, we are clearly faced with a situation that could create new security weaknesses. All employees who access a wireless network risk, to varying degrees, putting the organization's entire computer infrastructure in danger.

This makes me think of the old adage: A chain is only as strong as its weakest link.

In this case, an organization's computer network is only as strong as its least secure access point.

The risks associated with wireless networks are high. A recent article in the New York Times reported that wireless networks are a gold mine for cybercriminals.

In fact, these networks are not only less secure than traditional wire networks, but they also enable hackers to break into computer systems much more easily and make it much more difficult to trace the hacker!

The proliferation of Hotspots , which are locations where the general public can access free wireless Internet service, makes the authorities' job much more difficult. It is not uncommon to see investigators come up against a Hotspot , as they are often the last places that contain clues about the cybercriminals' offences.4

So, if cybercriminals can take advantage of computer network weaknesses, I can assure you, without a shadow of a doubt, that terrorists do the same thing. Clearly, their goals are vastly different; cybercriminals try to make essentially financial gains.

As for terrorists, they will take advantage of our weaknesses to launch devastating attacks against society.

4) Protecting information systems in the age of terrorism

In the National Security Strategy to Combat Weapons of Mass Destruction , released in December 2002, the White House indicated that, "The gravest danger our Nation faces lies at the crossroads of radicalism and technology."5 I believe that this statement is not at all an understatement; it expresses an undeniable reality.

When we consider the current weaknesses of information systems and the context of the war on terror, we must continue to question the risks associated with widespread integration of technology in our organizations.

Does our dependence on digital technology represent a weakness that could be exploited by terrorists?

I can already hear some of you asking yourselves if cyberterrorism is really possible or whether it is just a figment of our imagination.

Several experts in this area maintain that cyberterrorism is comparable to little elves or the Loch Ness monster. Personally, I truly believe that cyberterrorism could become reality.

The increasing strategic value of information systems makes them viable targets.

Some of you will say that there are much more attractive, easier targets for terrorists and that cyberterrorism is probably too complicated and not profitable enough for terrorist organizations.

These arguments are certainly valid. However, I would respond by saying that this was exactly the same line of thinking that the U.S. authorities adopted before the September 11, 2001 attacks.

The possibility of airplanes crashing into buildings was considered. However, this scenario was dismissed because it was considered too complicated, even unthinkable. However, if there is one thing that I have learned about terrorists, it is that they think of the unthinkable and make the impossible possible.

Honest, I have to say that I am always surprised to hear people doubting the possibility of a computer-based attack. However, there are many real-life examples of serious computer-based attacks. All we have to do is go back to the cyberattack described in the July-September 2001 issue of Emergency Preparedness Digest .

This article described how a "[.] computer hacker in Australia altered the control mechanisms in 100 pumping stations, causing one million litres of raw sewage to overflow."6 Hello unpleasant odors and high cleaning costs!

Although this incident may seem insignificant initially, similar incidents have occurred that have actually put citizens' lives at risk.

Take the example of the 12-year-old boy, who, in 1998, succeeded in taking complete control of the Roosevelt Dam in Arizona simply by hacking into the computer system.7

His intentions did not appear to be malicious, since he only wanted to show that he had broken into the network, but the incident could have been quite serious had terrorists perpetrated the same kind of attack.

The paradox is that we invest tens of millions of dollars each year to protect the visible aspects of these infrastructures, but tend to forget about the hidden aspects of the system: computer networks.

It is not hard to imagine the resulting disaster had the floodgates of this large dam been opened: neighbouring cities and towns would certainly have faced serious problems.

Individually, these attacks seem to be just mere annoyances. However, these seemingly harmless and anecdotal incidents clearly show that it is possible to exploit computer weaknesses to cripple society. We should not forget that terrorists could coordinate these kinds of attacks simultaneously with more traditional attacks or other cyberattacks.

In my opinion, it is not only dangerous to ignore the very real possibility that terrorists could use IT to attack our society; it is wishful thinking to believe that it is impossible.

The question, therefore, is not whether these attacks will happen, but when they will happen.

Studies on the subject clearly point to this. In T he New Global Terrorism: Characteristics, Causes, Controls , Charles W. Kegley looks at the changes currently underway in terrorist organizations. According to him, there are two main tactical trends that are emerging within these organizations.8

The first one is the willingness to use weapons of mass destruction in attacks. We've stopped keeping track of the number of reports, prepared by various governments and research institutes that sound the alarm about terrorists' interest in obtaining these kinds of weapons.

The second trend is the use of cyberoperations. The purpose of this cybernization of terrorist activities is two-fold.

The first, as I have just explained, is to exploit the weaknesses of information systems to cripple society. This is evident in a number of studies on the subject. The second is to carry out cyberplanning, identity theft and e-funding activities.

Al-Qaeda is probably the best example of a terrorist organization that is looking for ways to carry out cyberattacks. In his studies on cyberterrorism, Dan Verton points out that Al-Qaeda is using IT as a tool to study weaknesses in critical infrastructures to launch cyberattacks.9

Just recently, the Auditor General of Canada indicated that government computer networks were not secure.10

It is clear that these weaknesses must be addressed; the risks are too great to be ignored, especially in the sector in which I work, the air transport sector, where one incident is one incident too many.

The Government of Canada isn't the only one facing problems with insecure computer networks. The United States is dealing with the same problem.

Recently, New York State released a report indicating that its computer network was invaded 72 times over the last five years.

Without going into great detail on the impact of these attacks, what we can say for certain is that they resulted in financial losses and information being stolen.11

It is somewhat reassuring to know that Canada is in a better position than the U.S. to deal with cyberthreats.

According to Charles-Philippe David and Benoît Gagnon of the Raoul Dandurand Chair, UQAM, effective, consistent security measures can be deployed because many critical infrastructures in Quebec and the rest of Canada belong to the public sector. The situation is very different in the U.S. , where most of the infrastructure is controlled by private companies in matters in which the government refuses to interfere.12

The second objective of terrorists seeking to take control of IT is what Timothy L. Thomas describes as cyberplanning.13

In short, cyberplanning involves exploiting the digital world to increase the effectiveness of terrorist organizations. In concrete terms, this translates into activities such as e-funding of terrorist groups.

For example, a recent article in USA Today indicated that it is not uncommon for terrorist organizations to finance their activities through e-fraud14 or the sale of child pornography.15

Another use of IT in the context of terrorist cyberplanning involves identity theft.

Since we are closing in on these types of organizations, they must find new ways of slipping through the safety nets.

The best way to do this is to steal the identity of individuals with no criminal history or to create new identities using stolen documents.

For example, on Ask.Me.Com, a site that specializes in the sale of information, we recently saw that the company's lead legal advisor was none other than a 15-year-old fan of the television program Court TV.

The proliferation of databases and spyware are a gold mine for terrorist groups looking to provide their members with new identities. Databases are vast pools of information that can be stolen and used to create new identities, while spyware can be used to collect information directly from people's computers.

Terrorists are well aware of these techniques. They develop increasingly effective tools to fulfill their objectives. Zombies (unprotected computers that serve as links to carry out other attacks) are also used to steal a large quantity of data from other computers.16

5) Information security and aviation

I am sure you now have a better understanding of why information security is of such concern to me. Given the current context of the war on terror, it is crucial that we identify emerging threats.

We can't allow ourselves to be overtaken by the terrorists: we must take the lead and constantly remain one step ahead of them. We should never forget that terrorists are resourceful and innovative!

September 11 was not an isolated incident. It is the prelude to a more serious conflict. There will be many more battles, attacks and clashes before calm is restored.

We must continue to be vigilant by implementing security measures that meet today's challenges, for example. IT is obviously among these challenges.

My role at CATSA leads me to think about how terrorists could exploit our computer system, even more so in light of the widespread introduction of information systems in the air transport sector over the last few years. This trend is attributable in part to the airlines' desire to achieve workforce savings.

Check-in procedures in particular are affected by this move toward digitization. Airlines are increasingly using computerized systems to improve ticket management and passenger and baggage check-in procedures.

A recent article in The Economist highlighted this trend. One of the observations made in the article was that airlines are increasingly turning to e-tickets.

E-tickets and self-service check-in help realize substantial savings. Self-service check-in would cost $0.16 US per passenger, compared with the current cost of $3.68 US for a manual system. 17

Continuing along these lines, telecommunication technology is being considered to send e-tickets to passengers' cell phones. Passengers would then just simply access the airline's computer system, confirm their ticket purchase and their seat on the flight and then go through the rest of the check-in procedures. Although this is a promising area of development, this method raises a series of security issues.

For example, would this type of system be insecure and therefore vulnerable to computer fraud?

Since it is a known fact that most databases have recurring weaknesses, these types of questions are completely valid.

We know that, despite the fact that IT is everywhere in the aviation sector, the possible and real risks of this computer boom are not being sufficiently considered. And the risks are not limited to possible cases of fraud. More serious risks are emerging in this digital wave.

For example, air traffic management systems are no doubt targets of choice for terrorists who decide to launch computer-based attacks. Since these systems are all completely computerized now, they are the Achilles heel of the aviation world because they are the eyes and ears of air traffic controllers.

A successful cyberattack against these systems would be as devastating as a bomb going off in an airport. Granted, it would probably be much less deadly, but the anxiety caused by this kind of attack would be just as damaging from a psychological point of view. 18

Furthermore, in-flight computer systems and management systems on the ground are so closely linked that we need to consider whether other threats could emerge. Is it possible that a computer hacker or a cyberterrorist could one day take control of a plane while it is in flight simply by attacking the air navigation system? This may sound like science fiction now, but an evil mind may attempt to disprove the theory that this could never happen.

We must also question the potential impacts of wireless Internet on air security.

Passengers-especially those in business class-are putting increasing pressure on airlines to allow wireless Internet access on planes. Once again, the potential effects of this new technology on air traffic management must be considered.

Could wireless Internet access interfere with aircraft and airport communications, or worse, become the communication tool of choice between terrorists on the ground and those onboard planes?

The answers are still unclear. But, as you can see, the remote offices that I mentioned earlier are now a reality and are part of CATSA's day-to-day activities.

However, when dealing with the issue of IT in the security sector, we must realize that it is often a challenge to reconcile this technology with security procedures. Why?

Because digital technology and security have conflicting objectives.

The new technologies are intended to enable actions, while security looks to prevent certain actions.

Clearly, the point is not that technology hinders security. The sheer number of computerized security systems is proof that technology can support security. It just means that in a security context, we must be cautious in implementing information technologies.

The introduction of new technology in any environment, particularly in the area of security, inevitably results in consequences that, quite often, were not fully considered. That is why we need to start looking at these issues.

Similarly, it is a mistake to think that technology alone can respond to today's security challenges.19

In many cases, technology can only support human activities; it cannot replace them.

Summary

So to summarize:

When I see the impressive group of people here in this room, I am confident about the future. And I know that together we can improve our security practices and attain the level of excellence necessary to meet current challenges.

Conclusion

So, what does everything that I have been saying mean. I want to be clear about one thing: I don't claim to have the solutions to all of these increasingly complex situations.

A wise man once said that a leader's first job - so the job of all of you here tonight - is to define reality. Unfortunately, the reality we have to face in the coming years seems quite overwhelming.

Which leads me to three key terms for our motto:

Honesty

Courage

Common sense

The honesty to ask ourselves the real questions; to say what needs to be said; to give and take sometimes harsh criticism; and to be honest with ourselves, our colleagues and the people around us.

The courage to Dare, Risk and Act, according to our real values.

And finally, the common sense to take the necessary action, while fully respecting others.

I hope that I have demonstrated honesty and courage by telling you what is really going on in an open and thought-provoking way.

And now I hope to demonstrate common sense by taking my seat.