
Three Laws of Cyber: Thou Shalt Not Pass!

BSides Manchester · 2016 · 23:34 · 262 views · Published 2016-09
Style: Talk
About this talk
Drawing on Asimov's Three Laws of Robotics, Daniel Dresner proposes a simple triad of guiding principles for cyber security — protect, operate, and self-preserve — as an alternative to drowning in hundreds of controls. He argues that organizations have lost sight of objectives by worshipping rituals and checklists, and that trustworthy systems require a baseline mindset rather than ever-growing catalogs of compliance.
Original YouTube description:
Asimov’s three laws of robotics have crossed the boundary from fiction to fact, and are still relevant 70 years on. So…what about three laws of cyber security? These three laws are a universal baseline which applies to innovations that simultaneously bring a wealth of opportunities and a new set of risks. The three laws are simple enough to keep business objectives in perspective rather than smothering them with security controls which are now mistaken for objectives.
Transcript (en):

Ah, okay, no content. Well, before I start: those who have been good enough to come, if you're hungry you can have my booster bar, because I looked at my Is It Kosher app (and yes, I really do have one) and apparently it's not, so I can't get my sugar rush. Thank you very much. Um, I'd like, if I may, to tell you a story and take you on a journey today. So let's just quickly look back in time. How many people are familiar with the Three Laws of Robotics? Not everybody. I'm always surprised by this, but then again I thought it was a clear-cut success, offering science fiction to a security conference. But basically, three laws, and

remember them, there might be a test later on: a robot may not harm a human being, a robot must do as it's told, and a robot must look after itself. So just hold on to those three ideas; we will come across them later. It may or may not be apparent to many of you (I'm sure it is) that we are under attack. Cyber is a problem. When we say cyber we tend to talk about security, all of this online living. There is one little bit of excitement as far as I'm concerned: it gets me on the telly, whether it's the Zeus virus (nice local story, because of a sulphur couple putting it on people's PCs), whether it's phishing,

whether it's Ashley Madison (I'm never sure whether a pink paisley cravat was a good decision that day), or of course the famous TalkTalk. One trend that we see is that attacks are causing more and more damage, more and more grief, and the other trend, whether there is actually a correlation with my hairline, I really do not know. So we have a challenge. Many of these will be familiar to you, so no prizes, no points for spotting the various attacks and issues. All I can say is that in each case every one causes some sort of personal tragedy, so there is certainly no hotels from there, so he told some hotel rooms

and victimless crimes. So various people over the years come up with various solutions, and we have catalogues of what are referred to as controls: jolly good ideas, things to do so that you can actually start to mitigate some of these attacks. The problem is that they tend to turn out rather like these magazines that start to hit the shelves around the vendor time, telling you 340 ways to make Christmas simple, and they get more and more and more. Remember that the organisations, fine as they are, that produce these guides are in the business of publishing, so it's never in their interest really to consolidate. But at the same time it is often a shame that

so much good information gets lost in the mist. And this is a Jewish guy saying it: you've got to be careful to worship the objectives rather than the actual rituals themselves. I got into some hot water about some of these, because most of what is done, a good deal even of what has been talked about here over the sessions today, have been sticking plasters; they have not been about good, strong development. And I would like to propose to you the future: if we have a negative attitude about the problems, and to these controls and to these good practices, well, perhaps resistance will be futile. So let me tell you about the

story of the tween d-conn vector. Short story here, bear with me. Once upon a time everybody is sitting outside, hundreds of years in the future, waiting for a time traveller to arrive. It is a time of little disease, no famine, a wonderful utopian world, and a utopian world seen and developed after this time traveller had made his trip into the future, seen this developed world after a world perhaps not like our own, where there is disease, wars, famine and any number of inequalities. He came back with his report, he gave them a goal, and they moved towards it and created this utopian future. Of course the time traveller never

arrives; his vision was all made up. But he was basing it on Arnold Toynbee's, the historian's, idea that any civilisation that does not grasp the future with positive objectives is going to stagnate and start to decay. So how did we get to this situation of stagnation and decay, where we are firefighting and running as fast as we can and probably not keeping up? Marcus Ranum tells us that we are founded on six dumb ideas. Yes, it all seems very nice that we should get everything everywhere; the telephone networks are available, of course. Ah, rather than look for the few applications that we want to use, we search frequently and constantly for millions of pieces of software which we

actually don't want to run. Did you know that probably for every bug that you fix, or perhaps every six bugs that you fix, you probably introduce one new vulnerability? And still the public perception is that hacking is this really cool thing; the bad hacking has taken over from the good idea of doing clever stuff. And every so often people will say our biggest problem is the users. Well, it may well be, but as soon as you start talking about top tens and biggest problems, of course everybody starts to focus on that and tends to lose sight of what the real problems are and how they have to work and interact together, and pick up on the

feedback, and monitor and find out what's going on, looking at the dashboards, altering stuff. That's what cyber's all about; cyber is all about cybernetics. But it's not always about jumping to action. You might think, great, fantastic, we're under attack, let's pull the plug, and of course the guys from the forensic department come up because they were just about to attribute the attack and find out how to actually stop it in the first place. So rather than the sticking plasters that we have now made a habit of putting over our systems, and finding the cuts and the grazes and the vulnerabilities that we need to patch, how much better would it be if we

find ourselves with a new Bible to follow, and remember the objectives: that actually what we want is trustworthy software, trustworthy software and trustworthy systems. Anybody want to define trust? Wake you up at this time of day. Trust. Anybody come across Angela Sasse from University College London? No? Other people are nodding. Look up some of her work. Trust is a positive expectation that your vulnerabilities will not be exploited. Keep that in mind when you're designing systems for other people: whether their vulnerabilities, whether your vulnerabilities, will be exploited, how much trust can you put into putting your information into some of those systems. So remember the Trustworthy Software Framework. So we've got to get out of where we are at

the moment. We have, of course, historically talked about boundaries, and I'm still seeing more talk about boundaries. I'm all for the basics of the five Cyber Essentials, but hey, guess what, the first of the Cyber Essentials is protect your boundaries. It's actually all down to the risk; it's where you are or what you're doing, whether it's actually safe to have my phone and my laptop in a conference for the people who know to really take X and exploit it. But there we go back to trust again. So we want to get to a state of cyber security. This isn't a tick in the box; it's not a solid state, it's not something concrete we can achieve and say yes, we are there.

We can only really be happy when we are in this cybernetic cycle of movement and understanding of the issues and solving those issues and replacing the bad stuff with the good stuff, more of which I will say later on. So when the compliance people talk about regulation, they are actually using a really good word for all the wrong reasons, because regulation should be what we are doing with our systems and the interaction. So perhaps we could introduce some very basic principles to our systems which will dampen the problem and keep it under control, keep the problem under control, rather than focusing and getting lost in hundreds and hundreds of controls that people then switch off

because they no longer know to which risks they are associated, and of course the more confusion that we make for ourselves, the more opportunities we open up for other people to take advantage. So how about, like I say, some guiding principles? That probably is a little bit simplistic. Having said that, it generally is the organisations and the people who have that attitude and will do something about it that mean that the issues are reflected on to people who do not put the measures in place, so that's not necessarily a bad thing. So think about the controls that can be programmed in and designed into the systems in the first place. I'm not saying it's simple; I might even give a

chocolate bar to people who can spot that particular quote. Anybody guess? Somebody looking at these slides earlier on said it was The Rocky Horror Show, which, shame on them, actually was meeting that they, so I get another quote. So here we are: thousands of controls multiplying day by day. The National Institute for Science and Technology in the States publish a basic set of controls; theirs is about 570 pages long. The so-called 20 controls which we mentioned earlier on actually has twenty headings, and there are more pages and more controls. So where do we go from here? Another question for you, or before you, rather, another question: who is the greatest science fiction hero, or

at least the greatest TV science fiction hero? On thicker bash, Dr... Do any other, any other takers? We'll have arguments as to whether he's actually Doctor Who. I know what's his name, they showed up anyway. Good. Hmm, say again? Well, no, I thought he was real, never mind. It's actually Quatermass, Quatermass. There's a beautiful place in my story where the Earth, as it often is, is getting zapped from outer space, but they detect this thin skin of energy around the world which hits the places that it needs to upon the detection of certain activities. And this is almost what our cloud, and I use that word advisedly, of controls and good practices needs to

do, to be able to know where to come together. So with all of those controls, all of those ideas, is there some sort of anchor point, some sort of basic set of principles that we can remember and aim towards to maintain and develop a better cyber, digital experience, a digital environment, using some of the terms that people have used today? What about going back, just in the same way that Arthur C. Clarke predicted things like satellites, and others, and submarines were envisaged by Jules Verne long before they were actually built? Perhaps we can learn from the science fiction of the past to create some of the ideas of today. Remember, a robot mustn't harm; it's a bit

like the Hippocratic oath for doctors, that at least they should do no harm. Fine, we want to go digital, we want to digitise this system; well, at least let's not make it as bad as the previous system. I think a good deal of our systems, our office systems, suffer because all we could do was be really innovative beyond the Lyons Tea Room; it was fantastic to automate stuff, but we keep automating things and we keep automating bad things, so we don't actually get as far as doing anything really clever, as improving and taking real advantage of the technologies. So what if we could create three laws of cyber and information security, that that system's principal idea is that it

shouldn't make things worse and actually should do something good. It should do as it's told: it needs to purify our water, sort out our patients, issue money from the teller machine, make sure that the lights stay on. That's the key process, the key thing that systems have to do; they have to operate. And we have gone beyond the stage where we can sedately detect an attack and do something about it. Let's face it, hackers are often on our systems, the bad guys, for up to 200 days before we actually find out about them. That's a long time to do damage, and a long time for them to embed their working practices, their business

processes within our business processes. So we need to think, when we develop and we deliver systems, that they should protect, operate and self-preserve. Never mind the controls, whether it's five, whether it's 113, whether it's 576 pages; always going back to this basic mantra. So what might this actually look like? Again, this is a little bit of a concept album, quite appropriate for me because although I am not musical, I do have more keyboards than Rick Wakeman. Three elements: protect, operate and self-preserve, to create a standing wave between us and the bad guys. People frequently ask me where do they start. Well, the first principle is to remember what your objectives are, and then in terms of basics you can

argue in terms of the things you ought to do, but make sure that your systems are doing the five cyber security essentials, five little things. Yes, of course there's a lot more that you need to do, and I can think of the irony of large banks, large corporate organisations, standing up and boasting that they have now been tested to the five security essentials. But it's not whether you're tested or got a certificate, it's what you're actually doing. And from the other end, think about how you would react to a breach and how you would manage in those situations when somebody has actually attacked you, both from the social side of how you will interact and do stuff

all the way through to the technical side as well. Protect, operate and self-preserve: remember those principles. It even fits on a T-shirt, which is more than you can say for 27001. Sorry, I'm going to lose the jacket, and I decided I'd better put the trainers on because BSides sent me the running order. So trustworthiness is something that we should be striving for in our systems. It's almost obligatory in a PowerPoint presentation to talk about icebergs; I normally talk about goldbugs, but this time it's an iceberg. And our mantra, our structure, our process of protect, operate, self-preserve: when we understand that, that's when we need to understand, take that to the press and

there are basic things that we should do. Look at the Green Surf Code for children; look at the Desert Island Standards for small businesses; take the IASME standard, which actually helps the processes and tells the small business not to put these controls in but to make yourself secure. I am so worried by the number of organisations who are saying we will make 27001 easy, like Christmas easy with 340 things to do. No you won't; you might get them a certificate, but you won't make them secure. And this is me, the standards geek, the standards guy, telling you it's a tool; it's meant to achieve an objective. Don't worship the script, worship the objective that you want to

actually reach. So there are levels. You don't want to throw the iceberg out with the seawater; no, that doesn't work, but never mind. So standards should be like the Romans had them. A Roman standard, if you remember your history, was something that the Legion would protect at all costs, and they would go through hell and high water to retrieve it if lost; it was something they looked to. If you have not discovered the magazine Cyber Talk then please look that up, and you will find in there a story called the Battle of a Feeding. If you can find that story, read it; you will find no reference to the Battle of Freedom, but you will find

reference to these basic principles, and I would love to hear from the first person who knows why I have put that biblical reference in at that particular point. So my twin become vector to you, at this late stage of the afternoon, is this. I have no numbers to put against this chart, but this is my belief. I believe that this is where we are now: we are in a period of inevitable risk. Yes, we want our phones and we want our laptops and we want our tablets and we want our connection, and as soon as we have those connections we are opening ourselves up to a certain degree, more so the less care that we might take in

downloading an app which I want to use as a flashlight but then wants access to my photos, my lists of contacts, etc., etc. So risk is something that we all need to deal with. Stuart very kindly gave you my academic CV. My coveted job is that of Doctor David Spiegelhalter. Anybody know David Spiegelhalter, in one of the London universities, or is it Cambridge, Cambridge, University of Cambridge, sorry? Anybody come across him? He has the most wonderful job title, that I totally covet: he is the Professor for the Public Understanding of Risk. If we understand the risk we can set our objectives and we can get to this stage, if we take things like the

Trustworthy Software Framework and build our future systems, and amend and update our current systems, on these basic principles. So there will be a time, a vision in our time beacon vector, when these systems are able to look after themselves; we get the right balance between the decision rights of the systems and the escalation paths through the people, through the communities, through the organisations and the businesses. There is no single organisation; there are sub-forming chains. Everybody interacts and relies on other people. As the poet said, no man is an island; I think that's a very, very good model of our connected life. So with that in mind, with that objective, cyber, I would like you to be upstanding please.

Come on. I think, as General Patton said, there are no atheists in a foxhole, and a good Church of England education that I have had has taught me that in times of strife we should pray. So I would like you to bow your heads and recite after me: Our metadata, that art in clouds, cyberattack fodder be thy name; thy nation-state be backing, thy organised crime be hacking (that was organised crime, obviously, delaying the slide) in Belarus as it is in Manchester and Sydney, Shanghai and Albuquerque and the International Space Station. Give us this day our vulnerability patches, and forgive us our hasty coding, as we accept those that access more than they should. For thine is the Internet of Things, the

wibbly-wobbly web of virtual worlds, until the EMP. Ah, and you can find on the Cyber Talk website all the references for this talk, and there will be stuff here as well. So thank you for listening. I just remembered one last word, one last word on positive attitude. Yeah, it's a big ask; yeah, you know there are big odds against us. We always talk about thousand-to-one chances and things like that, so on this particular occasion forget the thousand, concentrate on the one. I think I'm giving you time, so Scott's next door. Run.
