Wednesday, February 26, 2014

Elevate Information Security to the Level of National Security

Elevate Information Security to the Level of National Security
China Times editorial (Taipei, Taiwan, Republic of China)
A Translation
February 27, 2014

Summary: Information warfare takes place on an invisible battlefield. It can determine the outcome of a war. The government must elevate information security to the level of national security. Offensive and defensive strategy should include a complete set of plans and drills. Only this can ensure that we do not fall behind. Reviewing the nation's progress in network information and Internet access is not just about speed or convenience.  It is also about information security.

Full text below:

The newly implemented online household registry system was supposed to be a public convenience. But system instability, snail's pace connections and frequent crashes, have turned it into a public nuisance. What went wrong? Was it hardware or software design? Was it blunders by the contractors, the manufacturers, or officials? Public anger boiled over. Premier Chiang Yi-hua declared that "The search for administrative responsibility will be no respecter of rank." He ordered the Ministry of the Interior to review the report and make a presention this week. Interior Minister Li Hong-yuan has resigned. But information security issues cannot be ignored , The review must go on. Chiang Yi-hua must keep a close eye till the very end. He must uncover the truth.

Problems with eTag information security have already provoked considerable controversy. The new household registry system was contracted out. The information infrastructure is closely related to public welfare. When things go awry, they highlight potential security risks. The government must not view the household registry system crash only from a technical perspective. That would be negligent and slapdash. The crash should be viewed from a national security perspective, as a comprehensive review of domestic information security. Just exactly which information security vulnerabilities need reinforcement?

Take eTag. The Executive Yuan Information Security Office found that the outsourced contractor programming was faulty. There was also insufficient bandwidth. The result was traffic jams and gridlock, rather than distributed denial of service (DDOS) attacks by hackers. The eTag network has numerous external links. Yuantong failed to build a sufficiently high firewall. Yuantong itself is a "data tycoon." It possesses information on millions of vehicles on the national highways. There is no guarantee that hackers will not zero on on this fatted calf.

The household registry system is a closed network. It has no links to the outside. But staff or system vendors could plant a virus to steal data. Government officials used USB sockets on the PCs to charge their cell phones. The phones contained malware which then stole passwords. Audio files were sent out via USB devices.

Ministry of Defence information projects are outsourced. Huan An Da is the 2014 contractor for Department of Defense computer equipment maintenance. It is the 2014 contractor for its document management system, NSB telephone exchange system maintenance, national road traffic control systems, and Railway Bureau Information System maintenance. If people with ulterior motives intrude through the vendor, the consequences could be disastrous.

No national infrastructure Internet attacks have occurred so far. But if they had, they could have caused aircraft collisions, stopped water and electricity, caused traffic light failures, forced medical facilities to shut down, and wreaked havoc to the banking system. A "9-11 of the Internet" could well be part of any future war. Information warfare could be combined with military operations. First, hackers paralyze the infrastructure, including the electrical power grid. Then, troops invade.

North Korea may already have begun to use the Internet as a means of warfare. Late last March, computer networks for three television stations and six financial institutions in South Korea were hacked. South Korea tracked the hacker's IP address to the Mainland. They think North Korea may have launched an indirect attack on South Korea. They think the hackers may have used a complex Advanced Persistent Threat (APT) attack to paralyze their computer networks.

The Mainland Peoples Liberation Army already understands future war strategy. Mouse clicks are more important than trigger pulls. It is rapidly building up its "Internet Brigades." The United States and the European Union also hold regular information security exercises. They have upgraded Internet offense and defense to the level of military offense and defense, all in the name of national security. Many nations engage in cyberwarfare. In the past, they merely sole secrets. Now they have graduated. Now they access the infrastructure. They can then enter any time they wish. They can destroy or damage a hostile nation's transportation and financial systems.

The National Security Council and the Executive Yuan have established an information security office to coordinate overall national security. Information security exercises will be held annually. The Hengshan Command's annual political and economic military exercises include network attacks that paralyze transportation and administrative systems. But these by themselves are not sufficient.

Late last year the Executive Yuan Office of Information Security issued its "Internet Attack and Defense Scenarios," which noted that social networking engineering message drills show that some agencies open or click on as many as 20% of all webpages. They lack vigilance. It is clearly necessary to improve information security education. The Executive Yuan should develop incentive mechanisms to prevent civil servants from becoming Internet liabilities.

The Executive Yuan has divided government agencies into four categories. These include "defense, administrative, and academic," "water, electricity, oil , and natural gas," "transportation, communications, networking, ATC," and "financial, securities, GATT, medical." Information security protection systems will be built around them. But technological advances never end. Hacker tactics are constantly evolving. The government must provide budgets. It must regularly update its protection measures.

The government outsources its BOT projects. These include major construction projects such as high-speed rail and Yuantong ETC systems. These must be built according to government information security protection measures. These requirements must be written into contracts, and be applied to all future BOT projects. BOT project involve the outsourcing of operations. But most are part of basic infrastructure. If problems arise, they affect the rights of everyone. Therefore the government must assume responsibility.

How should we prevent information leaks? Take the technical perspective. An eTag system or household registry system may contain leaks. Hackers may be able to steal information through various channels. Therefore strengthening network information security is essential for confidentiality. Other nations have adopted the concept of differential privacy. Some information will deliberately be made ambiguous. This will avoid disclosing exact information when performing Internet searches or when making use of data.

Information warfare takes place on an invisible battlefield. It can determine the outcome of a war. The government must elevate information security to the level of national security. Offensive and defensive strategy should include a complete set of plans and drills. Only this can ensure that we do not fall behind. Reviewing the nation's progress in network information and Internet access is not just about speed or convenience.  It is also about information security.

中國時報 編輯部 2014年02月27日 04:10













至於如何防範個資外洩?從技術上看,不論是eTag或戶政系統都有漏洞,駭客仍可能透過各種管道來竊取大量的民眾資訊,因而強化網路資訊保密是最基本的要求。目前國外也開始推行差分隱私(differential privacy)的概念,刻意將某些資料模糊化,避免在查詢或使用資料時,透露確切的資訊。


No comments: