Pass the security cube (a.k.a. No Bullets Involved Part 3)
Earlier this week, Paul noted that computer network attacks could have an impact on future relief efforts. In the early days of NATO’s Kosovo air war in 1999, I remember chirpy NATO spokesman Jamie Shea saying that the NATO website was under attack by Serbian hackers. Who knows whether it was true, or just a ruse of some sort, but was it the first government-acknowledged mention of cyber-warfare? There are a few more interesting things to note about that story: the BBC still had an “Internet Correspondent”, reporting on events in that far-off planet of “cyber-space”, and it was filed on 1 April 1999. Hmm …
Anyhow, back to the important business of digital security. I prefer the blander term information assurance because the work we’re discussing has so many angles to consider beyond ICT. To illustrate this, marvel at the McCumber Cube, designed by security guru John McCumber in 1991:
[Graphic courtesy Munawar Hafiz, on Wikipedia]
Handy, eh? This clearly relates geeky technical and operational considerations to the purposes for which information is collected and used in the first place. There’s little point considering how to secure information before defining why it needs securing, which requires a consideration of who might gain/lose from possession of the information.
Likewise, as Kevin over at Patronus rightly pointed out, social engineering – or how an adversary relies on your politeness, habits and generally positive view of humanity to get you to hand over the jewels – is an effective way to break the most technically secure of systems. Commercial organisations have long been using external actors to test how vulnerable they are to theft of information. This penetration testing industry has become commonplace enough in the US to spawn its own reality television show. This service (and perhaps the reality TV show!) could easily be extended to NGO offices, should the need be demonstrated.
I wonder how McCumber’s information assurance model dovetails with common approaches to NGO security, and how current materials – like the ECHO Generic Security Guide – could be updated to take it into account.
Pass the cube around the office and start the discussion.

Nice.
I’d be happy to show how it integrates. As a technology-independent model, the infamous cube works at a level of abstraction just above the technology layer. That is why the model (originally published in 1991) remains relevant even as technology changes.
You cannot solve policy problems with technology, nor conversely, can you solve your technology problems with policy. The wisdom lies in knowing the difference.
~ John McCumber
John McCumber
15 Jul 08 at 15:29
Hey John – Thanks for commenting. I’ve found your eponymous cube exceptionally helpful over the last year, working with human rights organisations. It’s very accessible, and provokes well-structured, focussed discussion.
Not that it’s a race, but the human rights sector should be way in front of the humanitarians in realising the importance of information assurance, having quite well-worked resources like those produced for Front Line Defenders by Enrique Eguren and Dmitri Vitaliev, and systems like Martus (which despite its limitations, is still the best replacement for a paper incident form so far devised, but that’s another post). However, opportunity to improve doesn’t necessarily translate into improvements, and I reckon we remain as vulnerable to complacency and over-optimism about tech security as the next chump, sadly, as Sanjana recently demonstrated.
Tom Longley
15 Jul 08 at 18:30