EUIST

Just another ComMetrics – social media monitoring, best metrics, marketing metrics weblog

China-based cyber spies: Much ado about nothing

March 29th, 2009 · No Comments ·


dependability of software – car hazard – Cadillac, Jeep and Volvo

November 24th, 2008 · 2 Comments ·

Airbags are complex devices that must deploy within a fraction of a second, between the time a vehicle strikes an external object and the rider hits the front or side of the car interior. It better work right or your life is in real danger.

But unfortunately, software dependability can make this a real challenge.

On April 28, 2008, Volvo issued a recall affecting about 65,000 2008 M.Y. Volvo V70 and XC70s. The reason lies with a software problem that delayed the triggering of the side-impact air-bags in case of impact. Only European market vehicles were affected. Volvo Cars has been owned by U.S. Ford Motor Co. since 1999.

General Motors issued a recall of almost 3,000 Cadillac CTS vehicles 2009 model – due to a software bug in the airbag sensor:

GM is recalling 12,662 my 2009 Cadillac CTS vehicles for failing to conform to the requirements of federal motor vehicle safety standard no. 208, ‘Occupant Crash Protection.’ Under certain conditions, a software condition within the passenger sensing system may disable the front passenger air bag when it should be enabled or enable it when it should be disabled.

In a vehicle crash, if the front passenger air bag does not operate as designed, increased personal injury could occur.

Transportation-related software problems happen all the time. Chrysler issued a recall for the 2007 model Dodge Nitro and Jeep Wrangler:

On certain vehicles, the totally integrated power module (TIPM) was programmed with software that may allow the engine to stall under certain operating conditions. This could cause a crash without warning.

How can you protect yourself from software bug-related problems driving your car?

Well, if car equipment manufacturers continue to suffer financially as they currently do, they are unlikely to invest the time and resources needed to test their products more fully before release. Let us just hope we will not have to report a disaster caused by a transportation-related software problem soon.


ENISA – improving resilience in European e-communication networks

November 15th, 2008 · No Comments ·

Information exchange, good practices and approaches that reflect the institutional and cultural realities can help Member States improve network dependability and reliability.

ENISA’s recent workshop on network resilience brought forward a nice set of effective approaches for strengthening national and international efforts across Europe in this domain.

The post provides some links for you to download material that might support you in your own work in this area.

We all know that in today’s world, public e-communication networks are becoming ever more important.

Recently (Nov. 12-13) ENISA held a workshop in Brussels. Amongst various sessions, there were also Member States reporting about various activities that one might consider good practice helping improve resilience of public e-com networks in Europe.

We – CyTRAP Labs – did a presentation about a stock taking exercise investigating what countries had achieved so far.

You can download this presentation right here:

ENISA workshop – Improving Resilience in European e-Communication Networks

The slideshow, amongst other things, discusses how an individual state or government agency might be able to use ideas and approaches from other Member States to improve its own situation (see below for the download link of the full study). We used a cube that anybody can use to structure findings while allowing comparisons across national borders. The cube looks as follows:

cube - structure, implementation steps, impact and KPIs

Resilience and the CyTRAP Cube – Information Exchange in Practice

The above cube illustrates that a country will have to structure its resilience and information security efforts, including regulatory provisions. On a continuum, a country or regulator must make things work in such a way that they fit into a more federalistic (or decentralized) or else centralized system of governance. The outcomes may be similar, but how we get there will be quite different.

As well, better information security and network resilience is a never ending journey that will require many small steps to find approaches that can be considered good practice.

One of the outcomes should be developing a framework for effective information sharing and, as importantly, good practices. Even imperfect Key Performance Indicators are better than not having any. Focusing on what one intends to achieve (i.e. objectives) and measuring the results using some metric will facilitate continuous improvement on the road to better network resilience.

So what do you get?

You can download the complete report about how 22 EU Member States and 2 EFTA countries implemented various regulations, good practices and so forth in order to strengthen the resilience of public e-communication networks. What is different to some other work in this area is that telephone interviews were used for cost and time considerations in contrast to having respondents just fill in a paper-and-pencil survey.

The advantages of doing phone interviews are several, including but not limited to:

- participants can be asked to clarify their more general responses — ‘what does it mean in practice;’

- respondents can be asked to provide examples that illustrate what kind of incident requires what type of response and reporting (be concrete, specify);

- responses obtained indicate that whilst European Union directives have been put in place across Europe, how these are implemented, administered and used to strengthen network dependability and reliability is vastly different across Member States; and

- finally, and most encouraging, Member States master some great challenges in unique ways to move forward and, thereby, improve network resilience; they can be very creative in getting where the nation needs to get with its e-communication infrastructure.

So if you can spare the time, have a look at the summary here where you can also download the final report for free:

ENISA study – what EU Member States do to improve resilience of e-communication networks

Regarding the ENISA workshop from Nov. 12-13 this week in Brussels, you can download what you would like to study more closely using this link:

Download various presentations from the ENISA workshop – click on the title of the presentation – get the pdf file

Check also

Just recently, ENISA published a report regarding data and privacy protection challenges.

Tax break incentives as well as a comprehensive security breach notification law are just two of the 13 recommendations proposed in this report on privacy & technology launched by the EU Agency ENISA.

Press release – where you can find link to download full report for free


when the utility gets into owning telecom infrastructure – dependability quo vadis?

November 12th, 2008 · No Comments ·

Deregulation means better choice (e.g., infrastructure, broadband Internet access and telephony). Besides, deregulation also means that achieving greater dependability and resilience of public e-communication networks has become ever more challenging for regulators, operators and users alike.

This post explains how infrastructure owned by a utility (ewz.zürinet) and operated by a vendor improves broadband access while increasing various risks that could result in system failures.

We all know that in today’s world, public e-communication networks that are dependable, reliable, robust and resilient against certain threats and risks (e.g., a power cable being cut) are needed to keep our economy running smoothly. Deregulation has helped in increasing our choices when it comes to the type of communication and data services offered. Hopefully, this has also given users better value for money.

At the same time, more companies have entered the field providing services and/or owning infrastructure. What all these developments mean for regulators we began outlining in a series of posts:

Dependability of public e-communication networks – ropes to skip 4

On March 11, 2007 the people of Zurich voted yes for a credit of 200 mio Swiss Francs (about 130 mio Euro) to build a fibre optics network. 39.9% of eligible voters did cast their vote, of these about 65% voted yes resulting in public funds being used to build a third network. Swisscom and Cablecom both have networks as well and the last mile has been deregulated in Switzerland as well.

The fibre optics network called ewz.zürinet will be owned by the town’s electric utility called EWZ. While EWZ owns the network, the utility will not provide services but instead let private companies do this. What makes this case interesting is:

1) After the electorate approved a credit, tax money is being used to build a fibre optics network.

2) The network is being ‘owned’ on the city’s behalf by its electric utility called EWZ.

3) The fibre optics network is using hardware supplied by Alcatel-Lucent.

4) EWZ will not operate the network but outsource this task to Alcatel-Lucent.

5) EWZ will sell the capacity of its network to several service providers (e.g., Orange, Sunrise, Netstream, green.ch, Init Seven AG, GGA Maur and Translumina AG) that offer a whole range of services to private users and companies.

6) The cells and islands of the network will cover most of the town – but not everybody will get access by 2013.

The network has been operational since June 1, 2008.

The challenge for the regulator

The regulator will have to make sure that the infrastructure provided by the EWZ meets various requirements, including those affecting security, dependability and reliability of the network infrastructure. OFCOM – the Federal Office of Communications – has its work cut out because in Switzerland, like elsewhere, ever more firms and utilities own certain parts of the infrastructure.

Usually the regulator works closely with the infrastructure owners. In nearly all instances, these are the main telecom companies (e.g., Orange, Sunrise and Swisscom) and the cable company Cablecom. For the EWZ.Zürinet things are a bit different. For starters, EWZ may own the infrastructure but leave it to other players to sell various kinds of communication and data services to private and business users.

While the ewz-zürinet is a special case looking at type of ownership, technology used and so forth, a recent study revealed that Switzerland has several hundred telecom providers, including municipalities providing various types of telecom and data services:

2 what makes a cyber security strategy workable for Europe?

This situation applies to other countries as well. Ever more parties own infrastructure and may, for different and valid reasons, outsource network operations and service delivery to other companies. In turn, the number of players that need to be included if we want to succeed in our efforts to maintain satisfactory network resilience is on the rise. This makes regulatory oversight an ever greater resource challenge. Moreover, just the smallest glitch in the chain may result in service disruptions somewhere in the network:

10 fallacies of distributed computing

This all indicates that resilience and dependability of public e-communication networks have just become an ever greater challenge for countries that want to assure that they stay competitive in the digital world.

What is your experience with this? Share your thoughts below.


Dependability of public e-communication networks – ropes to skip 4

November 8th, 2008 · 4 Comments ·

    Resilience describes the ability of communications networks in providing and maintaining acceptable level of service in the face of various challenges to normal operations.

More and more we live in a world where the use of information and communication technology is part of our daily lives. Hence dependability and network resilience are becoming ever more important for all of us. I began this series with an introductory post here:

Dependability of public e-communication networks – ropes to skip – introduction

I followed up with discussing challenges 1, 2 & 3:

1) Setting the dependability rules is difficult ===> Dependability of public e-communication networks ropes to skip 1

2) You need collaboration ===> Dependability of public e-communication networks – ropes to skip 2

3) Paper is patient – making it happen is the challenge ===> Dependability of public e-communication networks – ropes to skip 3

Today I continue addressing:

3) Improving hardware, software and network architecture

Many of today’s network problems are due to software glitches, hardware breakdowns and a lack of system redundancy. Identifying weak spots is critical. Implementing remedial action is the next logical step. All this takes planning, time and resources in order to design and implement viable solutions successfully.

Challenge: Building a better mousetrap requires analyzing the problem, making decisions and investing as well as implementing solutions within one to three years. Talk is cheap – actions speak louder than words.

Improving network dependability requires more than just improving the infrastructure. Managing network capacity effectively requires software to optimize traffic flows. Hence, a software bug or hardware failure in a network switch makes a wonderful infrastructure useless. Put differently, network infrastructure – cable, conduits, etc. – is an important component, but without properly functioning software or hardware, the network cannot achieve satisfactory performance.

The above risk is exacerbated with the trend of having ever more applications being based on distributed computing or what is also called computing in a cloud:

- 10 fallacies of distributed computing

Moreover, a service offered by one group, such as the London Stock Exchange trading system, uses complex software platforms that require extensive and reliable infrastructure but things can and do go wrong:

- LSE outage – five lessons for achieving better network dependability

Our ever increasing dependence on reliable and resilient public e-communication networks is making us ever more vulnerable to hardware failures, software bugs and network problems that make communication of vital information impossible.

Unfortunately, when people talk about critical infrastructure they tend to forget that it requires properly functioning software and hardware. Accordingly, working toward more dependable and resilient public e-communication networks requires a careful assessment of software and hardware risk. Most importantly, the latter two must be managed properly.


Distributed computing – developing an early warning system for dikes

October 30th, 2008 · No Comments ·

This posting describes the IJKdijk early warning system project in the Netherlands in some detail – English version.

In the past I have addressed the importance of the dependability of public e-communication networks – ropes to skip – introduction. As well, I have pointed out more than once that it usually all depends on the weakest link in the chain.

In the case of The Netherlands, a country that has much of its infrastructure and land below sea level, floods and storms can be a serious threat to people. For this reason, the country’s dike system is part of its critical infrastructure.

To further improve its system of dikes, The Netherlands has embarked on a research program called IJKDIJK early warning system. The latter takes advantage of distributed computing to build an early warning system that reports problems with a dike, such as water leaking or the walls caving in, all of which could result in flooding.

To test these things, the country has begun a field test called IJKDIJK near Groningen (Friesland). The field test involves building a large dike filled with electronic equipment. This includes but is not limited to:

- fiber optic meshes,

- laser displacement measurement,

- microphone arrays, and

- standard sensors to measure humidity, pressure and more.

The first picture to the right shows the basin with the containers at the top of the dike. Filled with water, these containers will put additional pressure on the bottom part of the dike. This additional pressure can then be manipulated to test and see how much pressure the dike can take before it begins to leak.

Such work then helps to test what kind of dike construction will be most successful in fighting off floods and preventing the neighbourhood from being exposed to such a disaster.

The drainage pipes are being used to change moisture levels in the dike, again to make sure that it is able to protect neighboring fields from being flooded.

The picture to the left illustrates the size of the dike wall quite nicely.

The next picture shows the car and the worker installing some pipes that will again help in changing water levels and moisture.

The last picture to the right shows the full view of the dike. The latter is 100 meters long.

Interesting is also that the researchers believe it will not break due to water pressure. Instead, the unstable ground on which it was built (on purpose, of course) will result in the dike breaking somewhere.

Get a 9 page description with images and pictures as pdf file here:

Meijer, Robert J. and Koelewijn, Andre R. (2008) The Development of an Early Warning System for Dike Failures (Session D: Risk Assessment, Mitigation and Treatment in Waterside Security – Chair: George Baker). In Proceedings 1st International Conference and Exhibition on WATERSIDE SECURITY., pages 148-149 (Abstract – complete version here as pdf = 9 pages), Copenhagen – Denmark.

How does this relate to dependability, resilience and robustness of communication networks?

Glad you asked. Building an early warning system for dikes involves the use of a large-scale sensor network to facilitate the gathering and processing of information.

As the researchers explain:

At specific places in such a network the sensor information converges to computational elements for data analysis. In case of a disaster, the computer network needs to

(1) adapt to the changing environmental conditions to remain functional and

(2) to produce as much information as possible about the environment for later analysis.

To illustrate this further, the network might recalculate the safest place for critical computational elements and move these to new locations.

If network elements fail, or situations arise which need different functionality, how can the system survive by reprogramming network services, and what mechanisms does the network need to implement to, for example, burn MPEG modules into specific FPGA’s to analyze the disaster situation at hand?

Besides many other issues, the field test is trying to address these questions and to decide where these sensors should be placed. Again, distributed computing plays an important part because unless the information is passed on, the disaster coordination center will not know that a dam broke and flooding is in progress.

I look forward to getting the next results (read the 9-page complete version of the paper).

Interesting Links

Macrostabiliteitsexperiment

The International Early Warning Programme – IEWP

ISDR: International Strategy for Disaster Reduction – Platform for the Promotion of Early Warning

Special thanks to Rudolf Strijkers a Ph.D. researcher from TNO who taught me most about the IJKdijk early warning systems project during a long and interesting lunch we shared.


2 what makes a cyber security strategy workable for Europe?

October 25th, 2008 · 1 Comment ·

Quite a while back I addressed:

1 what makes a cyber security strategy workable for Europe?

Recent developments indicate that this issue is still as important as it was a few months back. In fact, if the left hand does not know what the right hand is doing, things fall apart.

Therefore, before international collaboration even makes sense, your national house has to be put in order.

You need collaboration ===> Dependability of public e-communication networks – ropes to skip 3

A recent stock taking exercise conducted by CyTRAP Labs on behalf of ENISA addressed the regulatory and practical issues pertaining to the improvement of dependability, reliability, resilience and robustness of public e-communication networks across Europe. 22 EU Member States and 2 EFTA countries participated. Some of the key findings suggest:

• particular structures and regulation can foster improvements in software and hardware architecture of telecommunication networks;
• decentralized approaches using voluntary collaboration and inclusion mechanisms for getting public and private stakeholders involved result in progress on many fronts;
• supporting various initiatives, while keeping the main objectives in clear focus, improves network resilience;
• centralizing efforts, while focusing on collaboration including exercises for assessing how well things are working in practice, fosters continuous learning;
• facilitating reporting of incidents pertaining to telecommunication networks, and cost-benefit analysis for risks, provides the information required for putting things in an economic framework;
• adjusting approaches and solutions to national situations allows using various approaches regarding network resilience across Member States (e.g., consulting committees, exercises, planning);
• drawing on the know-how of experts from industry and regulator to develop and implement agreed-upon best practices fosters better resilience;
• regularly reviewing and discussing data (e.g. from incidents or exercises) with stakeholders supports efforts for minimizing regulation while assuring network dependability;
• encouraging collaboration and communication across agencies is an important first step, while asking them to develop solutions together with industry, fostering greater resilience, is the second step to be taken; and
• achieving better dependability and resilience of public e-communication networks is a journey, not a destination, hence having started yesterday and taking many small but frequent steps is more effective than failing to shore up resources now.

The study does not attempt to assess how well a country is doing or to benchmark Member States against each other. Far from it; instead it focuses on giving an accurate picture of each country’s current situation. In turn, the aim is to provide an inventory that outlines the laws and regulations in place and, most importantly, how countries have managed to put the regulation into practice.

Download the study from here:

ENISA – Stock Taking of Member States’ Policies and Regulations related to Resilience of public eCommunications Networks – 318 pages – done by CyTRAP Labs GmbH on behalf of ENISA

If you want additional information

Get more information about the study and CyTRAP Labs here

Get more on this important topic here:
reliablity & dependability – infrastructure (archive of postings)

Incidentally, whilst we may all be focusing on early warning systems including EISAS European Information Sharing and Alert System — preventive efforts can help a great deal as early warning systems for food and health networks have demonstrated for decades (see below for some of the more famous European examples)

Learning from other European initiatives that work very well is a good idea indeed, such as:


Deloitte – the weakest link in the chain – would you let a fox advise you on how to guard your hen house?

October 21st, 2008 · 1 Comment ·

    Consultancy firm Deloitte has admitted that the loss of a laptop containing BSkyB staff pension details also included information about pension scheme members from Network Rail and British Transport Police.

Would you let a fox guard your hen houses?

Then why do we sit and just watch consultants tell us what to do when it comes to questions of information security and risk management? Is it because we believe our consultants can objectively sit in judgement of our procedures when their own house ain’t in proper order? Are we really that naive? It is a real irony to have a security consulting firm, offering an information security advisory practice, have one of its laptops containing confidential client information stolen by a thief.

The laptop contained details of more than 100,000 people, including names, national insurance numbers and salaries.

One Deloitte enterprise risk services brochure (Plugging the gap. Protecting customer information) states on pp. 1-2:

“Through interviews and workshops with key systems managers and information custodians, we would gather the necessary information to provide a picture of the business processes using client information. This exercise can produce some instant and powerful results leading to a demonstrable improvement in the way that client information is protected. Some of these include:

    - Identifying business processes and staff that have unnecessary levels of access to client information
    - Identifying applications that are unnecessarily processing client information
    - Identifying serious breaches of policy and procedure that require immediate address
    - Raising levels of awareness among information custodians of the profile client information security has with senior management.”

Security 101 – Deloitte fails – can you trust them with your data?

Bottom line is that while Deloitte tells its clients to be careful not to lose data, the firm seems not to follow this advice with how it treats customer information.

Deloitte has assured that a start-up password as well as an operating system user ID/password authentication procedure was in place on the laptop. Not reassuring, considering that it was probably a Windows XP or Windows Vista operating system, where authentication procedures can be broken quite easily. However, if the encryption was done properly, it is unlikely that the opportunistic thief who stole the handbag with the notebook in September was able to access these data.

However, by allowing such information to be stored on a notebook, Deloitte broke one of the rules it suggests to its clients for better risk management, namely:

- what is the rationale for giving an employee the right to have such a huge database on his or her notebook – change application procedures to avoid having to deal with this risk

In fact, already during 2007 Deloitte pointed out in one of its white papers to watch out for such risks by stating:

The dramatic increase in the use of laptops and of handheld devices, such as the Blackberry and the Treo, puts enterprises at significant risk if the equipment is lost or stolen. Several high-profile data leaks involving financial services institutions have taken place over the last few years when laptops containing personal information – names, addresses, account numbers, and in some cases social security numbers – were stolen (Deloitte Financial Services – Global Asset Management Industry Outlook, Issues on the horizon 2007, page 7 (9 of pdf file)).

Obviously, the company does not appear to follow its own advice very closely.

Firms like Deloitte must effectively manage operational and compliance risks. Firms face the challenge of consolidating all the various risk-related issues and initiatives across their organizations to manage their risks more effectively and efficiently. Deloitte’s case shows another example where a firm has failed and apparently the left hand does not know what the right hand is doing.

Conclusion

Would you leave a fox to guard your prize chickens? Or put differently, are you putting prisoners in charge of running a prison? In this case of data breach, can you trust Deloitte to help manage your risks in the future?

For reasons I truly cannot fathom, organizations such as Deloitte

a) establish information security policies which are
b) not properly enforced thereby
c) enabling employees to ignore or circumvent them.

So why should you hand over your corporation’s data to such a firm or let it do advisory work for you on how you can manage your risks better? Your choice.

tidbit

On 2008-10-10 the UK’s Ministry of Defence announced that it was investigating the loss of a computer hard drive that could contain the personal details of 100,000 members of the armed forces. With greetings from the Taliban?

An MoD laptop containing personal data on about 600,000 people was stolen – an incident which, along with the loss of 25 million child benefit records by HM Revenue & Customs, prompted a review of data handling procedures across the public sector.

CyTRAP Labs checklist – 7 lessons learned from the disastrous UK data loss – electronic patient records

More on the UK’s disasters – scroll down search page, you will find much more on this topic:

data and confidentiality breaches in the UK


Dependability of public e-communication networks – ropes to skip 3

October 17th, 2008 · No Comments ·

    Resilience describes the ability of communications networks in providing and maintaining acceptable level of service in the face of various challenges to normal operations.

More and more we live in a world where the use of information and communication technology is part of our daily lives. Hence dependability and network resilience are becoming ever more important for all of us. I began this series with an introductory post here:

Dependability of public e-communication networks – ropes to skip – introduction

I followed up with discussing challenges 1 & 2:

1) Setting the dependability rules ===> (Dependability of public e-communication networks ropes to skip 1)

2) You need collaboration ===> Dependability of public e-communication networks – ropes to skip 2

Today I continue addressing:

3) Operationalization of laws and regulation

Often neither new laws nor regulations are needed; instead, better administration of the ones in force is often the most effective approach to achieve better dependability and resilience of e-communications networks.

Challenge: Paper trail versus sensible use of regulation – the devil lies in the detail. Without proper administration and control (e.g., checking whether an acceptable level of resilience is achieved), reaching better resilience may be a pipedream. Regulation not administered and enforced properly is a paper tiger, if not a bureaucratic nuisance or nightmare.

There is much regulation regarding resilience of networks or how infrastructure owners and operators need to better protect dependability of their networks. The regulator may ask the infrastructure owners to submit a strategic security plan. The latter outlines what the corporation intends to do for improving the dependability and reliability of public e-communications networks.

The current financial crisis has shown that strengthening the supervision of institutions that pose a potential risk to the stability of the financial system is a must. Naturally, improved supervision comes at a price. Similarly, improving the dependability and reliability of public e-communications networks demands regular assessment of how infrastructure owners, operators and large users transfer and manage risks.


Working on a long-term framework for improving resilience with the help of sensible and enforced regulation is hard work. Unfortunately, paper is patient: while countries may push regulation through the national parliament’s approval process quickly, this is only the first step on a long journey to better dependability and reliability.

For instance, while infrastructure may be owned by firm A, it is managed by firm B (the hardware supplier) and its capacity is sold to several telecom operators, including virtual mobile telecom operators (VMTOs). In turn, claiming to regulate the infrastructure owners only is no longer satisfactory. There are too many different parties involved in managing, running and using the infrastructure. Most importantly, what each player does may severely affect the others’ service (i.e., everything is interdependent when it comes to communication networks).

When the incumbent provider owned most of the infrastructure, administration of laws was a bit easier. These days, utilities may own networks while vendors run them on the owner’s behalf. In fact, the utility may not have the engineering know-how to manage the risks regarding the dependability of such a network, which is one reason why running the network was outsourced. However, talking to the owner may not suffice if one wants to improve the dependability of e-communications networks.

Because of this interdependency, the critical stakeholders for regulation are:

1) the infrastructure owner – maybe a utility or a municipality,

2) the outsourcer that may run and manage the network (ever more often the hardware supplier),

3) the telecom companies purchasing capacity on these networks, and

4) those organizations running virtual private networks on the utilities’ fibre optics system (e.g., financial institutions and their automatic teller machine – ATM – network).

There are many more players in this field than before deregulation. Smaller players, especially, may have limited technical know-how available to address resilience issues. In turn, regulators are challenged to make sure that this does not result in unnecessary risk exposure regarding the resilience of public e-communications networks.

Regulators may face budgetary constraints that make it a challenge to acquire the know-how and manpower needed to enforce regulation effectively. Assessing the information security and resilience measures that stakeholders undertake to manage risks according to regulation is more than just holding regular meetings to exchange information.

Regulators need to follow up to check whether regulation is doing the job it is supposed to do. The current financial crisis is, in part, the result of inadequate regulation but, more importantly, of regulators not verifying that proper procedures were being followed (e.g., being too lax in checking up on the banks, not following up when improper procedures were discovered). Control mechanisms can help to improve things.

This is vital to a society ever more dependent on resilient and dependable public e-communications networks. If they do not function properly, things tend to fall apart. Regulators and their masters have their work cut out for them.


Dependability of public e-communication networks – ropes to skip 2

October 8th, 2008 · 3 Comments ·

    Resilience describes the ability of communications networks to provide and maintain an acceptable level of service in the face of various challenges to normal operations.

More and more, we live in a world where the use of information and communication technology is part of our daily lives. Hence dependability and network resilience are becoming ever more important for all of us. I began this series with an introductory post here:

Dependability of public e-communication networks – ropes to skip – introduction

I followed up with discussing challenge 1:

1) Setting the dependability rules ===> (Dependability of public e-communication networks ropes to skip 1)

Today I continue addressing:

2) Collaboration versus duplication

Common sense does not always win and, unfortunately, defending one’s turf may win over the need to collaborate and find effective solutions to the problems.

Challenge: Does the left hand know what the right hand is doing? This requires regular information exchange, preferably in informal settings, AND working on joint projects that lead to joint solutions. The effectiveness of formalized procedures depends on the personalities involved.

These days people are focusing on international collaboration to improve the dependability of information networks and infrastructure, such as:

- Next Generation Access broadband networks (NGA)

- EISAS and ENISA – will it help improve risk management across the EU?

However, similarly to a marriage that is on the rocks, the dependability of public e-communications networks is best improved if the partners themselves start to resolve the issues at hand. Naturally, one can use a more centralized approach:

    Chart: Direction centrale de la sécurité des systèmes d’information dans l’organisation de la sécurité des systèmes d’information (the Central Directorate for Information Systems Security within the organisation of information systems security). Using a centralized approach to manage security and network resilience. Taken from: http://www.ssi.gouv.fr/fr/dcssi/orgassi.html

The French approach, as illustrated in the chart above, ensures that each ministry has a group focusing on security, while the Direction centrale de la sécurité des systèmes d’information (DCSSI) at the Prime Minister’s office coordinates and champions these matters.

Such a centralized structure can and does force different stakeholders to work together.

However, in some governments this may be neither desirable, feasible nor wanted. In turn, a more voluntary approach is used. Here people collaborate because nobody can address the resilience of public e-communications networks alone. Neither the telecom regulator nor the privacy commissioner can achieve better network resilience by themselves; infrastructure owners and operators as well as consumer groups have to participate. In turn, things start to move in the right direction.


This is like a marriage that is going through rough waters or parents trying to deal with teenagers’ lack of ….. whatever :-)

More often than not it is very helpful to get outside assistance; in network security this is called international collaboration (or getting CERTs to work together).

However, ultimately it is the local players, or the teenagers and their parents, that have to find a modus operandi, and it must be workable in order to attain improved discipline or network resilience. In turn, if information exchange does not work at the local level, collaboration remains a pipe dream. Without collaboration between parents and teenagers, no practical solution will be found and family life could become rather difficult. Likewise, without a commitment by family members (stakeholders) to collaborate and work together, outside assistance (or international collaboration) will not achieve much.

Accordingly, getting collaboration working at the local level is a critical step. Making this step will help in achieving higher levels of resilience and dependability for public e-communications networks. Without such an effort, duplication will be rampant and the effectiveness of all this activity will be questionable. Remember, one weak link in the chain is all it takes, and without collaborating we do not even know where the weak link might be.

Talking to, listening to and learning from each other while working towards a mutually agreed objective is key to moving toward greater network resilience.

What do you think? What makes for good collaboration when trying to improve network dependability and resilience? Should the French approach become the norm for other countries?

Share your thoughts or work and network experiences in the comments below.
