The problem with a belief system is that it is built on interlocking argument and is always right.
But it defies logic that anything can be always right. Therefore a belief system is sometimes wrong – but to maintain a belief system, believers have to act in denial of any of it being wrong (because it’s all interlocking); which makes the entire belief system lack credibility.
Better by far to have a disbelief system in belief systems. Since it cannot possibly be always right, that disbelief will sometimes being wrong – and it is the disbelief system that becomes questioned, not the belief.
The logical conclusion is that to believe in anything, start with blanket denial. That’s what I strongly don’t believe.
One thing that RSA week always brings is dozens of new surveys and research reports. I looked at three for Infosecurity Magazine on Friday:
- 2013 Security Report (Check Point)
- Targeted attacks and how to defend against them (Trend Micro/Quocirca)
- Managing information security: Public sector survey report (Clearswift/SPS)
They are all looking at different issues, but there is a common finding in all of them – a disconnect between recognising a threat and taking the right or adequate action to mitigate that threat. More specifically, they all say that the public sector is the worst offender.
From Check Point we learn that government is the leading offender in the use of high risk applications (remote admin, file storage and sharing, P2P file sharing, and anonymizers). In particular government is more likely than any other sector to suffer an incident that could lead to data loss at least once every week; and government is the leading offender in sending credit card information to external resources.
From Clearswift we learn that “Despite 93% of [UK public sector] organisations sharing sensitive information with external partners, 30% don’t view information security as a high priority when selecting a partner.”
Trend Micro, commenting on its own report, says, “Public sector respondents were guilty of a worrying level of complacency, with over a third claiming targeted attacks are not a concern, despite 74 per cent of such organisations having been a victim of these attacks in the past.”
Put quite simply, government cannot and must not be trusted with our personal information. In the UK, this is the government that plans to build a national DNA database within the NHS; and that wishes to be able to intercept our private communications at will. For the sake of our security, it must be stopped.
Have you noticed our dearly beloved prime minister trying to recruit Indian students for our UK universities?
That’s because he denuded the universities with excessive tuition charges. Even with the incredibly poor education system we now have, kids coming out of school are intelligent enough to know that wracking up debts of £30,000 to get a degree that no employer wants in a market that has no jobs just doesn’t make any sense. So it’s better to go straight on job seekers allowance now, debt free, than in 3 years time with a millstone around the neck.
But the danger in attracting Indian and Chinese and Brazilian students is that Cameron will reduce our higher education system to just another commercial enterprise. Those foreign students will come in, pay their fees, get their degrees and then go back to their native countries – not out of any anti-British sentiment, but simply because their own economies are growing much faster and creating more jobs.
The tragedy is that British companies haven’t seen the opportunity. They should be creaming off our top Sixth Formers with offers to pay off student debts if they join the company at the end of tuition with a first or second class degree.
Thing is, I don’t trust Mandiant. (I did a news story on the new ‘China did it’ report on Infosecurity here – but now this is my opinion, not news). Mandiant suffers from being trusted by governments. I do not trust governments – and so, by association, I do not trust Mandiant.
Every time that governments want to pass some new legislation further restricting, or decimating, personal privacy and internet freedom, there is a sudden flurry of Chinese and Iranian hacks – but mostly Chinese. I think many people get it the wrong way round. The proposed legislation is not necessary because of the hacks, the hacks are necessary because of the proposed legislation.
So, in the last few weeks we have had the New York Times, Washington Post, Wall Street Journal, Twitter and Facebook. And today Mandiant says quite categorically that it was the Chinese military what did it. Which just goes to prove that Obama was right to issue his Cybersecurity Executive Order and demand the return of the Cybersecurity Act; that Ruppersberger is right to reintroduce CISPA; that Cameron is correct in his insistence on the Communications Bill; and that the unelected European Commission has only proposed the Cybersecurity Directive for our own good – all because of China.
None of these new laws will do anything much for security; but they will all allow government to maintain closer control over innocent people.
But let’s look at the Mandiant report. It makes strong argument that proof of Chinese involvement is the use of Chinese IP addresses by the hackers. Given the hacking skill that Mandiant bestows upon the Chinese military, I can’t help wondering why China would leave this obvious proof so open when it could easily use some other country’s IP addresses. Must be a double bluff, I guess.
But what about Mandiant’s motives? In the section headed “Why We Are Exposing APT1” (APT1 is the name it gives to the hacking crew it says is really the Chinese military), it says, “It is time to acknowledge the threat is originating in China, and we wanted to do our part to arm and prepare security professionals to combat that threat effectively.”
The latter part of that statement is pure philanthropy. Good on ‘em. But I’m not quite sure of the relevance of the first part to that second part. If I have a mad axeman at my front door, all I’m really concerned about is keeping him out. It isn’t actually relevant to me whether the axeman is British, American, Chinese or Aztec – I just want to keep him out. The fact is, he could indeed be Chinese. But he could equally be Israeli or British or Iranian or French or Russian or American in Halloween dress. The threat is the issue, not its source; and I don’t see why I need to give up my freedom to go out because my own government says I will be safer if I stay in and give the local policeman the keys to my door.
So for me there is a slight suggestion that perhaps there is another motive behind this report. And that’s where the closeness of Mandiant with the UKUSA government worries me.