Pre-empt, prepare, prevent

November 2008 Information Security

At the recent African National Security Conference, Jack Edery, chief executive officer of Elvey Security Technologies, shared his thoughts on the risks and opportunities arising as a result of technological progress. Highlights of his speech are printed below.

Jack Edery

As we all know, modern-day technology offers huge advantages. Thanks to the Internet, high-speed communication unconstrained by geographical borders has become critical to the successful running of countries and businesses. So has remote accessibility via a multitude of means from almost anywhere in the world.

Author Christopher Coward lauds the benefits of the Internet in the following words: “Because of end-to-end, the Internet acts as a force for individual empowerment. It fosters entrepreneurship. And, as long as end-to-end is not violated, it is democratising in the sense that it redistributes power from central authorities (governments and companies) to individuals. In the Internet Age, everyone can be a producer of content, create a new software application, or engage in global activities without the permission of a higher authority.”

In his book ‘Technological Shocks: Past, Present and Future’, Richard Lipsey says new technologies are transforming our lives “by inventing new, undreamed of things and making them in new, undreamed of ways”.

Yet with its many advantages comes the potential for mass destruction. Incidents of cyber crime, which include international Web espionage, are gaining momentum to such a degree that some are calling it a cyber cold war.

Terrorists, in their quest for power, favour violence and havoc to undermine state security and economies. To this end, technological progress has played right into their hands, giving them both anonymity and access to critical information, which they can then use to attack specific networks or computers for their own political gain. The illegal use of information technology to threaten or attack is known as cyber-terrorism. The US Federal Bureau of Investigation says that “unlike a nuisance virus or computer attack that results in denial of service, a cyber-terrorist attack is designed to cause physical violence or extreme financial harm”.

Further to this, the UK’s Guardian newspaper, in an article in November 2007, noted how cyber attackers had the potential to cause havoc by disrupting vital infrastructure networks in any area controlled by computers. Water and sewerage systems, electricity, financial markets, payrolls, intensive care units and even traffic lights are all vulnerable to hackers who know how to turn computers into zombies and crash servers.

Global challenges

Way back in 2002, Symantec (Riptech) in its Internet Security Threat Report identified that “the Internet security threat is real, pervasive, and perhaps more severe than previously anticipated”. Six years later, the findings released in April 2008 continue to focus on Internet threat activity.

The report notes how the threat landscape is constantly shifting as the good guys and the bad fight for dominance. In the last six months of 2007, Symantec observed that the current security threat landscape was predominantly characterised by the following:

* Malicious activity has become Web-based.

* Attackers are targeting end-users instead of computers.

* The underground economy is consolidating and maturing.

* Attackers and attack activity are highly and rapidly adaptable.

Further to this, Symantec warns that malicious attacks in the telecommunications sector are up; that denial-of-service attacks have become the most common type of government and critical infrastructure-targeted attack; and that 39% of attacks appeared to be deliberate attempts to compromise specific target systems or companies.

And according to a study by the UK Department for Business, Enterprise and Regulatory Reform, more than one in 10 big British businesses have detected computer hackers on their IT networks.

The report found that very large companies are the main targets for hackers, some experiencing hundreds of significant attempts to break into their networks every day. It also warned that telecoms providers were most likely to be attacked – three times as likely as the average. As a result, Britain’s business minister Vadera went on record as saying that while new technology was a “key source of productivity gains, without adequate investment in security defences, these gains can be undermined by IT security breaches.”

Today, technology has evolved into a sophisticated cyber culture where presidents and ministers, military leaders and strategists, businessmen and the man in the street communicate across borders. We live in an inter-connected world, a global village that has evolved with the creation of the Internet and World Wide Web, which, as a matter of interest, according to the Internet World Statistics website, comprised 1,3 billion Internet users by December 2007.

South Africa, as a country with a lack of skills, an under-resourced police force and a spiralling crime rate, is very vulnerable at the moment to cyber terrorism. We therefore have to be very aware of global, local and virtual trends and realities in order to pre-empt what might happen, to be prepared for possible radical change and prevent the impact on us.

ABC and now D of physical/cyber detection

In the security product and service industry, we have long identified the detection of physical intrusion into three areas, namely the ABC of security. A encompasses the securing of the perimeter; B equates to securing the space between the perimeter and the facility; while C denotes the securing of the facility. In recent times, we have added a D. With the emergence of the threat of intruders you cannot see, hear or touch who could copy, amend or destroy critical and vital information housed in your most secure location, we have had to develop the D of security, namely the detection of the cyber threat.

South Africans therefore need to learn more about the security threats we face, target security investment at the most beneficial areas, integrate security into normal business behaviour, deploy integrated technical controls and respond quickly to breaches.

Specific challenges to SA

Challenge 1: Limited bandwidth and unreliable telecommunications

South Africa has suffered from limited and expensive broadband connectivity for a long time. It has also had to rise above unreliable telecommunications, which has encouraged the development of technology that allows the transmission of emergency security signals using up to five different methods of communication, each one effectively backing up the other. These methods include radio, telephone, GSM, GPRS and TCP/IP.

What is exciting is the recent announcements of expansion plans, which include a fibre-optic network. This should not only reduce the cost of our broadband but also improve transmission capacity, and bring about improvements in network efficiencies, security, back-up of data and applications, and power redundancy.

Another ray of hope comes from Neotel, South Africa’s first converged communications network operator, which is among the sponsors of a fibre-optic submarine cable designed to boost Africa’s bandwidth by 2010. The East African Submarine Cable System, which will connect 21 African countries to each other and the rest of the world, is intended to provide fast, high-quality Internet access and international communications.

Challenge 2: The power crisis

After months of national power shedding, Eskom suddenly suspended its much-criticised electricity cuts in May. There is no doubt that the power shedding compromised state as well as individual security, creating widespread havoc and often rendering security systems useless as one back-up battery after the next went down.

We have to look at alternative back-up security measures. The obvious is to utilise self-contained wireless security systems which are not reliant on continued external power.

Challenge 3: Crime fighting initiatives in SA are fragmented and lack large-scale support

To resolve this problem and then move forward, we have to shrug off the notion that national security is the sole responsibility of the government. We also have to recognise that, rightly or wrongly, there is a perception that in some instances, the private sector is streets ahead of the government when it comes to skills and cutting-edge technology.

Aggravating the problem is that our police force is under-resourced and in some instances under-skilled. Government and police therefore need to work hand-in-hand with private security industry professionals who have both the personnel and the expertise required to assist them with countering crime, both traditional and that coming on the back of technological progress. Together we all need to engage in creative, proactive thinking if we are to address modern-day national security requirements.

We have world-class technology at our fingertips. Let us ensure that law enforcement agencies can access it and utilise it in static and mobile locations across the country. The deployment and dissemination of critical information will give law enforcement agencies a major advantage in terms of the critical time line and bringing criminals to book.

Challenge 4: A lack of information relating to security risks and risk management policies

I am alarmed at how little information is available pertaining to South African security and risk identification and planning – in direct contrast to countries such as America and Australia. Is this because no national risk plan exists in our country… or because of a lack of transparency, it is inaccessible to the general public? The obvious solution is for government to make this information available to the public without, of course, playing into criminal hands.

Challenge 5: Corruption

In his study titled ‘Corruption and the South African Police Service: A review and its implications’, released late 2007, researcher Andrew Faull of the Institute for Security Studies (ISS) says that instead of a few bad apples tarnishing the entire organisation, corruption is “widespread, widely acknowledged, but seldom acted upon”. He notes too that while 43 cases were lodged with the Independent Complaints Directorate on average each year between 1997 and 2002, this had shot up to an average of 125 cases each year between 2002 and 2006.

The solution is obviously to increase our anti-corruption mechanism dramatically and post-haste. In the US, police vehicles contain cameras that record all incidents and are used as evidence. These also assist in encouraging police to operate within the rules.

Challenge 6: Unemployment and crime

With our unemployment figure sitting at around 23%, it is easy to draw a parallel between crime and joblessness. And as the criminal sector grows, so it outpaces the growth of the policing sector, hence the need to supplement the latter with technology.

Challenge 7: Porous borders

The ongoing insurgence of criminals and refugees from other countries into South Africa is going to get worse as 2010 approaches, putting South Africa’s security at huge risk.

The national security solution in macrocosm

Let us now address the national security solution in macrocosm and highlight what needs to be done.

Establish a security-conscious culture: In order to best manage 21st century risk, we as a country need to develop and implement a culture whereby we embrace new technology proactively and not only reactively. Google is reported to have adopted a philosophy of ‘security as a cultural value’ and to have committed to enhancing its security. Should we not be doing the same on a national basis?

Build a central communications centre: There is a huge need for a national meeting point, funded by government, where stakeholders from all sectors, including government and the private security industry, can meet to share ideas and problems. A bonus is that it would serve as a point of origin for media communication and liaison on a national and international basis.

Formalise the sharing of information and resources in a professional, representative forum: We need to create a platform of all interested stakeholders where titles and egos go into a melting pot. The resultant brew should then hopefully be a state-of-the-art and shared national security risk model.

Partner with technologically advanced countries.

Conduct regular meetings between role players: This will allow us as a country to brainstorm ideas, identify and address all types of security threats and offer solutions and advice on an ongoing basis.

Establish a set of controls and best practices: Based on the input and endorsement of all stakeholders, Government should provide funding for research and development which will no doubt be supported by business’s own efforts. And we all need to embrace a culture of learning.

Paradigm shift

The fact that national and corporate security is often no longer only threatened by physical acts of aggression, but also by attacks on computer networks by those intent on theft and gaining access to intelligence, necessitates a new approach to national security. We need a collective shift in paradigm where physical guarding has to be complemented with cutting-edge electronic security technology.

Breaches in critical technology and cyber terrorism are real threats, which cannot be dealt with along traditional security lines. The guard at the gate needs to be supported by technology to counter the fallibility of the human element. Other factors such as network failures and accidentally compromised data as well as hacking and viruses, poor system integration and security breaches, are all huge risks to security at all levels.

In light of the potential for harm as a result of new technology, organisations across the board need to safeguard data and assets as never before. Consideration has to be given to the fact that the likelihood and severity of any compromise depends today primarily on the effectiveness and consistency of risk management strategies, which historically have been done on an ad hoc basis. Gone are the days when it was enough to use primarily physical security mechanisms.

Like it or not, the responsibility of managing risk lies at the feet of senior management in all sectors. Network and computer security is a priority of management who need to approach it as a multifaceted process that requires the expertise and buy-in of multidisciplinary teams. Risk management also needs to be treated as a process that can and should be applied at both strategic and operational levels.

Importance of risk analysis

One of the most pressing security challenges for South Africa lies in the field of risk assessment where skills are in short supply. Over or under-specifying of risks and solutions, as well as ignorance and greed, will undermine individual and national attempts to tighten up security.

* Managing risk effectively today starts with risk analysis, a vital part of any 'harm minimisation' strategy.

* With a risk analysis in place, management can make informed decisions on how much the protection is worth, bearing in mind that the cost of security countermeasures is proportionate to risk and that some element of risk is part of the risk of doing business.

* Without a proper risk analysis being done, the securing of an organisation becomes a mix of guesswork and ad hoc decision-making. This invariably translates into wasted money and resources, while simultaneously falling short of providing sufficient protection against all significant threats.

* Once a risk analysis has been done, controls and countermeasures as part of a thorough yet concise security plan can be implemented to reduce the seriousness of threats.

National security solutions in microcosm

Today’s effective security solutions comprise many, if not all, of the following attributes:

* They combine the best of technology and processes with people.

* They offer detection, deterrence, observation and reporting capabilities.

* They embrace state-of-the-art technology, which has evolved into the wireless integration of different modes of security such as intruder detection, access control and closed circuit television. Current security systems offer access control; site and patrol monitoring and a host of other capabilities.

* They are compliant.

* They are customisable.

* They are designed around preventing or at least minimising potential danger of loss of property, information or physical harm.

* They reduce system vulnerability to malicious attacks from outside, in the form of spam, viruses and malware.

* They embrace IP-based video surveillance and access control, increasingly valued for its wide-ranging integration and functionality as well as reduced costs.

* They are designed around a sound security architectural basis, which inevitably includes firewalls and anti-virus protection along with an innate ability to reduce security breaches and aid recovery in the event of an attack.

* They limit access privilege, providing individuals with just the information they require in order to perform their jobs. (Configuring a system on a bulkhead basis makes it far more difficult for attackers to access. And in the event of a breach, the whole integrity of the system is not compromised.)

* They offer audit trails, which in the event of a breach, will provide details regarding how it happened and its extent.

* They offer a cryptography option for public communications.

Successful countries and companies must revisit the way they think about risk, identifying those areas where they are exposed. They must especially focus on environmental forces in the space of business where the game might change suddenly and very radically. There are forces beyond a country or organisation’s control that can be anticipated from trends and subsequently, through pro-activity, be turned into opportunities.

We therefore need to embrace transparency. We also need to welcome new technology and innovation and not be afraid to implement change. Add to this our need to become the one to watch out for – instead of the one who is constantly on the back foot or on high alert. We must set, rather than just read, the trends. We must change the game and not just play it. In other words, pre-empt, prepare, prevent.

For more information contact Kenny Chiu, Marketing Manager, Elvey Security Technologies, +27 (0)11 401 6700, www.elvey.co.za


