The internet is bringing us closer together, says Ed Gibson. That means more fronts to watch.
A routine morning it was not to be ... O-dark-thirty, Bakerloo Line to Paddington Station; and the Heathrow Express to Terminal 3 to catch a flight to New York. I was feeling pretty pert and perky, like David Beckham must feel just being David Beckham, when a jerk of the carriage brought me back to the reality of knowing I wasn't. I resumed my ritual of reading the banner ads on the train, each time taking in enough to know I wasn't taking in anything.
And there it was: the answer. In a diet pill ad. Without a scrap of evidence, I am expected to believe its claims to be a weight-dropping miracle. Could this be the reason why it is so difficult to get decision makers to recognise the importance of IT security to their business continuity strategy - bold claims, without evidence?
The simple truth is that there is no miracle pill for IT security. Remember our visit to the Principality of Sealand? More recently, I read reports about a Swedish file-sharing website, The Pirate Bay, planning to buy the 550m² micro nation. A match made somewhere very far from heaven, many would say.
This just illustrates my point: security is an evolving, society-wide issue. Cyber crime is exactly that - a crime. Criminals will always try to find ways to exploit loopholes and vulnerabilities for their own gain, so it's important for us to stay one step ahead.
Today, after a fair few hours in the air and none-too-brief rides in the infamous geographically challenged yellow cabs, we arrived in New York City. Why is this the second stop on our cyber journey? To restate the obvious: we are truly two countries divided by a common language. The old "jam/jelly" and "trousers/pants" scenario.
I was there to meet with industry groups and law enforcement professionals to discuss how we can bridge these subtle differences and tackle challenges such as those posed by that old bunker in the Principality of Sealand. In many ways, through these collaborative efforts, we've already been able to meet some of the challenges. For example, I've been involved in some of the more than 100 enforcement actions my employers have helped bring against spammers who operate across the globe.
In a recent case in the UK, we saw successful prosecution of a guy who sold email lists to unsuspecting companies while claiming to be "data-protection registered" and a member of the "ADM - Association of Direct Mailers" and the "PMS - Professional Mail Service". This further highlights the lengths criminals will go to and why a common understanding across all levels is so vital to our efforts.
What's this got to do with business continuity? Let me explain. A few years ago, a rogue member of one of the UK security services wanted to "expose" one of his colleagues. Doing so would violate the provisions of the UK's Official Secrets Act. Clearly, if the deep-cover operatives' names were posted on a UK website, they could easily be removed. But what would happen if the names were posted extra-territorially in plain sight? Common sense would assume that it would still be a violation of the Official Secrets Act if it were due to the agent's actions, and that it would certainly be as easy to have the names removed from a website hosted outside the UK. Actually, that's not the case. Just because something is illegal if committed in the UK, that does not make it so in the rest of the world. There are, of course, efforts across governments and industry to change this, but that won't happen overnight.
The internet - bringing us closer together, but with a few hurdles. Does your business continuity and IT strategy account for the possible leak or theft of your IP and posting to a country in which you have no recourse?
I urge you to fully appreciate these threats to your organisation. However far-fetched these threats may seem, there are plenty of resources and technical solutions that can and should be part of your continuity plans. We now leave New York behind for our next stop - the Ukraine.
Ed Gibson is the chief security adviser to Microsoft UK. Prior to this, he was a special agent with the FBI. You can contact him at EdGibson@Microsoft.com.